Another reason not to use sudo?

[Ben Edwards]

We were trying to decide whether to enable root on the Ubuntu PCs we
have been setting up at a community center and the person I was
working with pointed out the following.

If you ssh into a box the password of the initial account you log in
is _not_ encrypted so you would normally log in as a lesser user and
su when you are in (this I knew but many people do not).

However if your box uses sudo you would tend to log into your sudo
account, your password could be snifed and someone could get root
access on your box!

The only way round this would be for everybody with sudo access to
have another lesser account that they used to remotely log into the
box - or I guess everybody could log in using a guest style account.

I should also mention that the good thing about sudo which is not on
the RootSudo page is that you can selectively give people access to
various aspects of roots privileges - i.e. you could allow someone
just to install packages but not delete other peoples files (never got
into this myself but gather it is the case).

What do people think?
Ben



-- 
Ben Edwards - Poole, UK, England
WARNING:This email contained partisan views - dont ever accuse me of
using the veneer of objectivity
If you have a problem emailing me use
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)