Quoting Mike Miller <mbmiller at taxa.epi.umn.edu>: <snip> > > What kind of crack are you smoking? There is no good reason to turn off > > remote root logins, beyond an extra password to type. > > > Can you explain this further? I have the impression (or misimpression) > that allowing root login is dangerous because if a vulnerability in sshd > allows login without a password, an attacker can then login as root. If > root login is not allowed, they must guess a username, and if that works > for them, they still won't have root permissions. Anything that postpones > a successful attack during the time between discovery of the exploit and > application of the patch will be helpful. Is this way of thinking all > wrong? I am happy to be corrected because I am not a computer expert. > > Mike Never heard of an exploit that allows loggin in without a password. Typically what you will see would be an exploit, i.e. a buffer overflow, that gives shell access at the privelege level the service is running at. Running ssh with privelege seperation should help you to avoid getting rooted in this way. I disallow root logins on my work boxes because I don't want people logging in as root, if they need the priveleges they can sudo. Of course I am also not foolish enough to set things up as Matthew described. On my personal machines I disable root login largely out of habit. You should have a strong enough password on root to invalidate any dictionary attacks. Josh _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota Help beta test TCLUG's potential new home: http://plone.mn-linux.org Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list