Michael Fleming wrote:
> - NEVER ssh as root. PermitRootLogin defaults to "no" in OpenSSH for
> good reason. If your root password is weak and an attacker guesses
> it, it's game over, your machine is compromised and you're another
> zombie in someone's botnet. Log in as a regular user and su

A minor nit, but root login is allowed by default in upstream OpenSSH
(and in the Fedora packages). I disable that on my systems, which I
think is a good practice. But the default allows root logins for a
number of reasons, one of which, I believe, is that there may not be
any users on the system when it is first installed and an admin may
need to ssh in and create them (for those admins that don't have
kickstart, cobbler, puppet, and/or some other handy tool(s) for
provisioning new systems).

>> I think it's very unfortunate that Microsoft has done such a poor
>> job of encouraging and allowing users to run with the least
>> privilege needed.
>
> This isn't strictly Microsoft's fault alone. Their engineers have
> been aiming to get users to run with the least available rights (and
> good users / administrators have tried to do so, with mixed success)
> but a combination of laziness on the parts of application
> developers, "Enterprise" admins of MS domains and users (who are
> subject to and learn bad habits from lazy admins and developers)
> often results in users being added to Administrator groups (or just
> logging in to the Administrator account) with disastrous results.

Well, I don't give MS much slack on this, as it should mostly be their
responsibility to make it possible to easily run without administrator
privileges. The fact that it's only in the last 10 years or less that
they've even been talking about least user privilege shows how far
behind the curve they are. But that's already getting pretty far
off-topic for this list and this thread. ;)

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are no differences but differences of degree between different
degrees of difference and no difference.
    -- William James, under nitrous oxide; 1882
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
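The message above turns on what `PermitRootLogin` is actually set to on a given host. The following audit of an `sshd_config` text is an added example, not part of the original message or of OpenSSH. The function names and the sample config are constructed for illustration, and `Include` directives are not followed.

```python
import re

# Constructed sample config, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

# "Keyword value" or "Keyword=value"; comment lines start with '#' and never match.
LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def root_login_settings(config_text):
    """Return (global_value, [(match_criteria, value), ...]).

    sshd uses the first value it obtains for a keyword, so later duplicates
    are ignored. global_value is None when the keyword is never set outside
    a Match block, meaning sshd's compiled-in default applies.
    """
    global_value, overrides = None, []
    current_match, seen_in_match = None, False
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current_match, seen_in_match = arg, False
        elif keyword == "permitrootlogin":
            if current_match is None:
                if global_value is None:
                    global_value = arg.lower()
            elif not seen_in_match:
                overrides.append((current_match, arg.lower()))
                seen_in_match = True
    return global_value, overrides


def root_login_disabled(config_text):
    """True only if the file explicitly sets "no" and no Match block reopens it.

    An unset keyword counts as not disabled, following the thread's point
    that the upstream default allows root logins.
    """
    global_value, overrides = root_login_settings(config_text)
    return global_value == "no" and all(v == "no" for _, v in overrides)
```

On a live host, `sshd -T` prints the effective configuration, including any included files this parser skips.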