Subject: Re: sshd won't allow access by root
To: NetBSD Install Process Technical Discussion List <tech-install@NetBSD.ORG>
From: William Allen Simpson <wsimpson@greendragon.com>
List: tech-install
Date: 09/28/2002 10:19:37
"Greg A. Woods" wrote:
>
> [[ this is really a netbsd-users question, not a technical issue with
> the NetBSD install process.... ]]
>
It started as an install problem, and digressed. It's still clearly an
install documentation problem.
> William Allen Simpson wrote:
> > I understand not allowing telnet login to root on network ports, I agree.
> > However, SSH is a secure method of login. There's no added benefit in
> > having another su user. That's ancient thinking.
>
> No, it's not, at least not in most general circumstances. Any login as
> root from an arbitrary network address might not leave any audit trail
> of which human user is responsible for the actitivies of that session.
>
> The only time a direct root login is generaly considered "secure" is
> when there's an external audit trail showing who is responsible (a card
> swipe audit on the machine room door, or a human security guard noting
> the physical access to the machine, etc.)
>
I've noticed on the current-users list folks are arguing about securely
disabling direct console access, too.
Funny, I don't see an audit trail in the default install. Am I (or the
documentation) missing something?
In My not so Humble Opinion, these folks need to reconsider their threat
model.... True security is based on actual threats, and the relative
value of the data.
> Well, there's still the issue of password guessing. Are you 100%
> certain that you'd notice any and all attempts to login as root from the
> network and that you could respond quickly enough to limit damage if
> some attacker did happen to guess your root password?
>
We are not talking a Kerberos server, here. Or credit card authorization.
Those are kept in locked rooms.
And there's no security guard, etc, at my home or the office, either.
Password guessing was pretty easy with only 8 characters, and the fact
that staff had a tendency to pick passwords like "SmoothO" from the song
Smooth Operator for the cisco. The new long passphrase stuff is an
improvement, although the real bit density means the passphrases need to
be 100 character sentences, and I don't know anybody that does it. You?
I'm 100% percent certain that should an attacker take over the machine,
say through the sshd exploit a few months ago, it would take us about as
long to notice as it took for the machine to stop functioning. The threat
model is operational and the data is generally publically accessible.
In my case, they wiped /usr and /home, and installed a Port 44442 in sshd.
That made it pretty obvious that the machine was gone. I doubt they had
much success with machines that kept rebooting.... (See previous message.)
Note that the sshd vulnerability applied regardless of whether root access
was allowed. They got root access anyway, through a library failure.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32