AIX remote root logins
Dan Kaminsky
dan at doxpara.com
Tue Oct 15 02:26:06 EST 2002
>
>
>This kinda touches on another question that was brought up for AIX and a
>few other platforms. Is it valid to allow sshd to run as a non-root
>user?
>
>
It is massively valid to allow sshd to run as nonroot. The truly
paranoid jailed service never, ever touches root -- not even when one
starts to administer it.
There's all sorts of interesting uses of non-root sshd -- please don't
suppress them.
[warning to oldtimers: su rant returns!]
As for remote root logins -- you absolutely don't want them through
telnet, but you absolutely *do* want them through ssh. As I've been
mentioning for a while, su is terribly insecure, as you're trusting a
user shell to, well, actually execute su instead of sniff the root
password and save it off to some dot file. su is mainly nice for
accounting who went to root; if I remember right, the following command
was actually a safe way to transit straight from root-controlled sshd to
su for root password entry:
ssh user@host -t "/bin/su -l root"
There may be issues with quirky environment files and maybe .sshrc,
though. I had a patch wayyy back in the day to allow ssh user+root@host
to do an ssh-driven su completely outside of user code; I have no idea
where that code went though... I'll find it someday.
--Dan
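
Added example, not part of the original post: a check an administrator could run as root over a user's home directory to flag shell startup files that redefine `su` as an alias or function, which is the "user shell does not actually execute su" risk described above. The file list and function name are assumptions, and the scan covers only alias and function redefinition, not PATH changes or a replaced shell binary.

```shell
#!/bin/sh
# Added example: flag startup files that shadow `su` with an alias or function.
# Run it as root from a trusted session over the user's home directory; a scan
# started from inside the user's own shell is only as trustworthy as that shell.

# Startup files read by common shells (assumed list; extend for your site).
RC_FILES=".profile .bash_profile .bash_login .bashrc .kshrc .zshrc .zprofile"

# Lines that define an alias or a shell function named exactly "su".
SU_SHADOW_RE='^[[:space:]]*(alias[[:space:]]+(-[a-z]+[[:space:]]+)?su=|(function[[:space:]]+)?su[[:space:]]*\(\)|function[[:space:]]+su([[:space:]]|$))'

# scan_su_shadowing HOME_DIR
# Prints "file:line:text" for every suspicious line.
# Returns 0 when nothing was found, 1 when at least one line matched.
scan_su_shadowing() {
    home=$1
    found=0
    for rc in $RC_FILES; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        hits=$(grep -nE "$SU_SHADOW_RE" "$f")
        if [ -n "$hits" ]; then
            # Prefix each hit with the startup file it came from.
            printf '%s\n' "$hits" | sed "s|^|$rc:|"
            found=1
        fi
    done
    return $found
}

# Usage: sh scan_su.sh /home/someuser
if [ "$#" -gt 0 ]; then
    scan_su_shadowing "$1" || echo "su is redefined in the files above" >&2
fi
```

A clean result does not make `su` from that account safe; it only rules out the two simplest ways a login shell can intercept the command.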