On Mon, Jan 22, 2007 at 10:07:19AM +0000, Dave Ewart wrote:
> as root. The system is never used in a non-root context. Therefore, to
> manage this system I set up no further users other than root, and
> install my SSH key in root's account, then reconfigure SSHd to allow
> root logins via key only (so that even someone knowing the root password
> is unable to login via SSH, unless it's me with my SSH key); I have
I certainly hope that you have a strong passphrase on the private key and
that you have good physical protection of the host which contains the
private key.

> The above example flies in the face of the usual advice, but that's
> because the circumstances are different and possibly rather extreme. I
> don't really need accountability, because I'm the only one with access.
> "Adding a non-privileged user and using sudo" would actually provide
> less security, because it is adding an additional
> potentially-compromisable account to the server.

I don't agree. If you take the same precautions and only allow public key
logins for the unprivileged users, then you have exactly the same level of
vulnerability. If you then *completely* disallow remote root login, then
you have lowered your vulnerability even more, since the potential remote
attacker would need to first compromise the private key and passphrase for
the unprivileged account and then *still* need to figure out the root
password or some other means of gaining root access locally.

> I'm sure I'm opening myself to some criticism by mentioning the above;
> please *read* what I've written before replying with "You shouldn't ever
> use root directly", because I don't believe that's an appropriate
> criticism in this case. ;-)

I did *read* it, BTW. I just think that your rationale that you are just
as safe as using only an unprivileged user account is wrong. Now, if you
only accessed the machine locally, then you might have a point. However,
for anything that allows remote access across an untrusted and/or public
network, your approach is slightly more vulnerable than it needs to be.

> As always, so long as one properly considers the implications and
> carefully assesses the risks versus conveniences of any particular
> setup, you should do fine.

Good point.
Many people seem to forget that the driver for taking a risk should be
"the potential bad things that can happen if anything goes wrong" versus
"the benefit I gain from taking the risk."

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
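The two sshd policies argued over in this exchange, as an added example that is not part of the thread: a small POSIX sh audit that reads an sshd_config text, works out the effective PermitRootLogin / PasswordAuthentication / PubkeyAuthentication values the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, settings after a Match line are conditional), and flags Dave's root-key-only layout while passing the no-remote-root layout Roberto describes. The config fragments, the user name "admin", and all function names are constructed for this example; the "=" keyword form and per-Match overrides are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sshd_config settings the two
# posters disagree about. The config texts below are constructed, and the
# function/variable names are this example's own.

# Dave's setup as described: root may log in, but only with a key.
ROOT_KEY_ONLY_CFG='
# constructed sshd_config fragment
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
'

# Roberto's alternative: no remote root at all; key-only login as an
# unprivileged user (assumed name "admin"), then gain root locally.
NO_ROOT_CFG='
# constructed sshd_config fragment
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
'

# Constructed trap: PermitRootLogin appears only inside a Match block, so it
# is conditional and the compiled-in default still applies globally.
OPEN_CFG='
Port 22
Match Address 10.0.0.0/8
    PermitRootLogin no
'

# effective_value CONFIG KEYWORD: sshd honours the FIRST occurrence of a
# keyword, keywords are case-insensitive, and anything after a Match line is
# conditional, so scanning stops there. Prints nothing if the keyword is unset.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    '
}

# classify_root_login CONFIG: disabled | key-only | forced-commands-only |
# password (explicit yes) | unset (compiled-in default applies: "yes" in
# 2007-era OpenSSH, prohibit-password from OpenSSH 7.0 on).
classify_root_login() {
    v=$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$v" in
        no) echo disabled ;;
        without-password|prohibit-password) echo key-only ;;
        forced-commands-only) echo forced-commands-only ;;
        yes) echo password ;;
        '') echo unset ;;
        *) echo "unknown:$v" ;;
    esac
}

# audit_sshd_config CONFIG: prints one finding per line; returns 0 only when
# remote root is off and password authentication is off (Roberto's position).
audit_sshd_config() {
    rc=0
    root=$(classify_root_login "$1")
    if [ "$root" != disabled ]; then
        echo "FINDING: PermitRootLogin is '$root'; direct remote root login is possible"
        rc=1
    fi
    pw=$(effective_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != no ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-unset (default yes)}'; password guessing is a remote attack path"
        rc=1
    fi
    pk=$(effective_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ "$pk" = no ]; then
        echo "FINDING: PubkeyAuthentication is off; key-only login cannot work"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: no remote root, key-only logins"
    return $rc
}

# Usage: audit each constructed config. On a real host:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"
for name in ROOT_KEY_ONLY_CFG NO_ROOT_CFG OPEN_CFG; do
    eval "cfg=\$$name"
    echo "== $name"
    audit_sshd_config "$cfg" || true
done
```

The first-occurrence and Match-block rules are the part worth remembering: a `PermitRootLogin no` added at the bottom of a file that already sets it earlier, or placed under a `Match` line, does not turn remote root off globally, which is exactly the kind of misconfiguration that makes "root with key only" quietly become "root with password".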