[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
From: chedder1@xxxxxxxxx
Date: Fri, 02 Feb 2007 08:22:39 -0800

On Fri, Feb 02, 2007 at 04:51:36PM +0100, Tyop? wrote:
> On 2/2/07, Raj Mathur <raju@xxxxxxxxxxxxxxx> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > On Friday 02 February 2007 12:08, Valdis.Kletnieks@xxxxxx wrote:
> > > On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said:
> > > > On 2/2/07, Xavier Beaudouin <kiwi@xxxxxxx> wrote:
> > > > <>
> > > > > Allowing direct root login even with SSH is IMHO stupid...
> > > > Please elaborate why is it IYHO stupid.
> > > In environments where more than 1 person has root access, allowing
> > > direct login to root means you can't keep an audit trail of which
> > > person logged in.
> > >
> > > And if your environment only one person has root access, that's
> > > just looking for a DoS if the one person is hit by a bus.....
> >
> > I believe we have had this discussion before, but I'll iterate my
> > beliefs in favour of allowing direct root access again:
> >
> > - - Password management is a bitch.  I don't remember passwords for
> > about half the accounts I have.  Using a key-based root login, I
> > don't need to remember those passwords either.  If you take the sudo
> > route, every user has to remember each password for each account,
> > unless you take the deprecated route of reusing passwords (or
> > *horrors* allow sudo without password).
> 
> key-based login without passphrase is like eating cheese without
> bred. useless (IMHO).
> 
> > - - With a little bit of configuration, it's easy to figure out which
> > key was used to login to an account; the audit trail can be managed
> > that way.
> > - - Managing which users have access to which root accounts is trivial
> > this way: just add or delete their keys from .ssh/authorized_keys[2].
> 
> Totally agree.
> 
> -- 
> Tyop?
> http://altmylife.blogspot.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
... i eat cheese without bread
-- 
 _______________________________________________
|hello, my name is                              |
|       .__               .___  .___            |
|  ____ |  |__   ____   __| _/__| _/___________ |
|_/ ___\|  |  \_/ __ \ / __ |/ __ |/ __ \_  __ \|
|\  \___|   Y  \  ___// /_/ / /_/ \  ___/|  | \/|
| \___  >___|  /\___  >____ \____ |\___  >__|   |
|    \/     \/     \/     \/    \/    \/        |
|            http://chedder.hacked.in           |
|_______________________________________________|
           "You don't exist. Go away"

Attachment: pgpCDWPKhkLLH.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Tyop?

References:
- [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Gianluca Giacometti
- Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Eduardo Tongson
- Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Raj Mathur
- Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
  - From: Tyop?

Prev by Date: Re: [Full-disclosure] Hushmail from full-disclosure-request@xxxxxxxxxxxxxxxxx
Next by Date: Re: [Full-disclosure] Vista Speech recognition
Previous by thread: Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
Next by thread: Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)
Index(es):
- Date
- Thread