Re: Educate users the proper ways from the beginning.
From: Bob Beck (beck at bofh.cns.ualberta.ca)
Date: Wed Mar 30 2005 - 13:11:05 CST
* Han Boetes <han at mijncomputer.nl> [2005-03-30 01:47]:
> Otto Moerbeek wrote:
> > More than that. Your diff is unusable in a YP environment.
> > Almost none of my machines have regular user accounts, and I'd
> > hate to be forced to create local user accounts.
>
> OK, you got a good point there.
>
>
> I visualize a compromise, something like:
>
>
> ask_yesno "Setup a local user with permission to use sudo? (recommended) " "y"
>
> etc.. etc..
All unmitigated horseshit. Sorry. Look, I use sudo, and I like it.
But it is no substitute for allowing root login to a box, and is no
substitute for "su". Sorry. They are different. I don't want to add a
billion sudoable local accounts to run boxen in a distributed
authentication environment. I want "root" local, and be done with it.
I want root exposed if someone knows the root password, not if someone
knows the root password or fourteen other idiots' passwords that are
used every day. That's not more secure. If you want a useful diff to
help stop this ridiculous discussion from popping up every little
while, here's what I propose:
Index: dot.login
===================================================================
RCS file: /cvs/src/etc/root/dot.login,v
retrieving revision 1.10
diff -u -r1.10 dot.login
--- dot.login 2003/08/19 10:13:14 1.10
+++ dot.login 2005/03/30 19:04:05

-12,6 +12,5 
onintr
if ( `logname` == `whoami` ) then
- echo "Don't login as root, use su"
echo "Read the afterboot(8) man page for administration advice."
endif
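Review bot: Dropping only the echo line and keeping the `if ( \`logname\` == \`whoami\` )` guard is the right scope here, and the -12,6 +12,5 counts in the hunk header match a single deleted line; the afterboot(8) hint still prints only on a direct root login and not after su, which is consistent with the argument in the mail. If root's Bourne-shell profile carries the same "use su" line, it should be removed in the same commit so the two login shells do not disagree.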
Saying "don't login as root" is horseshit. It stems from the
days when people sniffed the first packets of sessions, so logging in
as yourself and su-ing decreased the chance an attacker would see the
root pw, and decreased the chance you got spoofed as to your telnet host
target. You'd get your password spoofed but not root's pw. Gimme a
fucking break. This is 2005 - we have ssh. Used properly, it's secure;
used improperly, none of this 1989 bullshit will make a damn bit of
difference.
-Bob