Re: Upcoming OpenSSH vulnerability



On Wed, Jun 26, 2002 at 10:00:43AM -0700, Scott Francis wrote:

> On Tue,  Jun 25, 2002 at  05:59:07PM -0700, ben@trumpetpower.com
> said:
>
> > A related but different question: best practices dictate using
> > sudo and  not logging  in as  root. Regardless of  the current
> > bug, are  there non-policy reasons to  avoid ``PermitRootLogin
> > yes''?
>
> sudo + ssh keys is a great way to manage a large network without
> having  to give  ANYBODY root's  password. And when  an employee
> leaves,  you just  remove their  account on  the admin  box, and
> they're off  the network. No need  to change passwords  on every
> box, because they never had them.

Agreed, but  that's not  what I'm asking. I  said, ``non-policy.''
Privilege separation prevents whole classes of exploits by running
a lot  of code as an  unprivileged user. At least a  casual glance
would  indicate that  some of  that separation  isn't possible  or
becomes moot when direct root logins are permitted.

Is it conceivable  that, *from a technical  standpoint,* some sort
of  compromise  could  exist  with  ``PermitRootLogin  yes''  that
wouldn't exist without?

I  don't  permit  root  logins,  I  use  keypairs  and  sudo. This
isn't  ``I'm too  lazy  to  do the  right  thing.'' This is,  ``Is
there the  theoretical potential for  an exploit with  the default
configuration that isn't possible with a different well-documented
configuration?'' And, yes, in theory, anything is possible.

Does  anybody who  knows  the  SSH code  care  to  comment on  the
architecture of root logins?

Sincerely,

b&

--
Ben Goren
 mailto:ben@trumpetpower.com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W
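
Added example, not part of the original message and not OpenSSH code: a small audit of the global section of an sshd_config for the settings this thread discusses (direct root login, password logins, privilege separation). The sample config is constructed, and the function names and the `default_root` parameter are assumptions of this example.

```python
import re

# Constructed sample config, not taken from a real host.
SAMPLE_CONFIG = """\
# global section
Port 22
permitrootlogin yes
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin no
PasswordAuthentication=yes
UsePrivilegeSeparation no
Match User backup
    PasswordAuthentication no
"""

def effective_settings(text):
    """Map lower-cased keyword -> first value seen in the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # Match blocks are conditional overrides
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings

def audit(text, default_root="yes"):
    """Return (keyword, value) pairs worth reviewing. default_root is assumed when
    PermitRootLogin is absent ("yes", the default the message describes)."""
    s = effective_settings(text)
    findings = []
    root = s.get("permitrootlogin", default_root).lower()
    if root != "no":
        findings.append(("PermitRootLogin", root))
    pw = s.get("passwordauthentication", "yes").lower()
    if pw != "no":
        findings.append(("PasswordAuthentication", pw))
    if s.get("useprivilegeseparation", "yes").lower() == "no":
        findings.append(("UsePrivilegeSeparation", "no"))
    return findings

if __name__ == "__main__":
    for keyword, value in audit(SAMPLE_CONFIG):
        print(f"review: {keyword} {value}")
```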