One user, two passwords?
Scott Kitterman
kubuntu at kitterman.com
Wed Sep 6 19:38:00 UTC 2006
Only true for SSH (the case I was discussing) if SSH allows root logins. So yes, I agree it's less secure if you set it up in a less secure way. I'd suggest not doing that. Rootlogin=no is one line in sshd.conf. With that it's the security of the userid and password combination plus coming up with the root password.
I think this nicely reinforces my point that sudo is protection against poor operating practices, not additional security. That protection is a good and useful thing in many cases, but let's call it what it is.
Scott K
..... Original Message .......
On Wed, 06 Sep 2006 20:47:48 +0200 Thilo Six <T.Six at gmx.de> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Scott Kitterman wrote the following on 06.09.2006 17:46:
>
><snip>
>> With the standard Ubuntu server setup and SSH added in a dictionary
>> attacker needs to guess one password. With a root account and no root
>> login set for SSH, then it's two.
><snip>
>
>IMHO it's just the other way round. When you use su, root is a well
>known user account for attacks with a password-cruncher from outside.
>When using sudo, the password grabber has also to grab the right
>username according to this password to login.
>Only the right combination of both will let him in, and since on every
>ubuntu box the sudo (admin) user has another username this is
>additional security.
>
>> Scott K
>
>bye Thilo
>- --
>i am on Ubuntu 2.6 KDE
>- - some friend of mine
>
>gpg key: Ox4A411E09
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.2.2 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFE/xfTgkdHiUpBHgkRAzKNAJkBL+HBuRGImMV3KfXwDyMUpM4BjQCfYEA5
>C23eWokUNPObQKQibuui1ps=
>=oayl
>-----END PGP SIGNATURE-----