OSEC

From: Steffen Dettmer (steffen_at_dett.de)
Date: Wed Jan 22 2003 - 02:05:08 CST


    * Mario Ohnewald wrote on Mon, Jan 20, 2003 at 09:41 +0100:
    > > If you login as root someone can get your passwd and login
    > > and get full control over your server.

    I do not understand why that is.

    > > The next thing can be a brute-force attack (login as root and
    > > look up passwords from e.g. a database).

    This works for user accounts also, and for su. Do you think that
    it increases security to need two passwords? Then you'd think
    about SSH-Keys for authorisation instead of passwords.

    > > Local logins are insecure in the way inexperienced users
    > > may alter the system by misconfiguring or deleting needed
    > > files.

    Inexperienced roots are insecure, no matter how they log in, I
    think.

    > I meant why logging in as a user and THEN doing su is more secure
    > than logging in directly as root.

    I don't see why this should be better. Well, and if someone gets
    a user account on the server, there are more chances to get root
    by some missed local exploit or such.

    On servers, IMHO, there should be no user except root with a valid
    password, and remotely only SSH without password authentication
    should be possible.

    Security also depends on the needed protection. For someone this
    may be enough; someone else may just want to do only console
    login with chip cards as the authentication token.

    oki,

    Steffen

    -- 
    This letter was produced by machine,
    so it bears neither signature nor seal.
    

    -- Check the headers for your unsubscription address. For additional commands, e-mail: suse-security-help@suse.com. Security-related bug reports go to security@suse.de, not here.
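An added check, not part of the post or the list archive, for the policy Steffen describes (no password logins over SSH, root allowed only with a key): it audits an sshd_config for the relevant keywords. It assumes stock OpenSSH keyword names and constructs two sample config files inline, one weak and one hardened.

```shell
#!/bin/sh
# Added example (not from the mailing list post). The sample configs below
# are constructed; in practice run the audit against /etc/ssh/sshd_config.

# Print the effective value of an sshd_config keyword: first match wins,
# keywords are case-insensitive (as in sshd). Empty output = not set.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if the config enforces key-only authentication, 1 otherwise.
# Each weak setting is reported on stdout.
audit_sshd_config() {
    cfg="$1"; rc=0
    pa=$(sshd_option "$cfg" PasswordAuthentication)
    cr=$(sshd_option "$cfg" ChallengeResponseAuthentication)
    prl=$(sshd_option "$cfg" PermitRootLogin)
    pk=$(sshd_option "$cfg" PubkeyAuthentication)

    # sshd defaults both password methods to "yes", so unset counts as weak.
    if [ "${pa:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${pa:-yes}' (want no)"; rc=1
    fi
    if [ "${cr:-yes}" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication is '${cr:-yes}' (want no)"; rc=1
    fi
    # Root may log in, but only with a key: 'without-password', or its
    # newer spelling 'prohibit-password', is the setting matching the post.
    case "$prl" in
        without-password|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin is '${prl:-default}' (want without-password)"; rc=1 ;;
    esac
    if [ "${pk:-yes}" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is '$pk' (want yes)"; rc=1
    fi
    return $rc
}

# Constructed sample configs: the weak setting next to the corrected one.
WEAK_CFG=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_CFG"
HARD_CFG=$(mktemp)
printf 'PermitRootLogin without-password\nPubkeyAuthentication yes\n' > "$HARD_CFG"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\n' >> "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config: password logins still possible"
audit_sshd_config "$HARD_CFG" && echo "hardened config: key-only authentication enforced"
```

Newer OpenSSH names the keyboard-interactive switch KbdInteractiveAuthentication; add it to the audit if your sshd uses that keyword.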