Subject: Re: sshd won't allow access by root
To: William Allen Simpson <wsimpson@greendragon.com>
From: Greg A. Woods <woods@weird.com>
List: tech-install
Date: 10/01/2002 15:19:21
[ On Saturday, September 28, 2002 at 10:19:37 (-0400), William Allen Simpson wrote: ]
> Subject: Re: sshd won't allow access by root
>
> Funny, I don't see an audit trail in the default install.  Am I (or the 
> documentation) missing something?  

'su' sends syslog messages with a facility code of LOG_AUTH, so yes such
an audit trail shows up in /var/log/authlog in a default install.

> > Well, there's still the issue of password guessing.  Are you 100%
> > certain that you'd notice any and all attempts to login as root from the
> > network and that you could respond quickly enough to limit damage if
> > some attacker did happen to guess your root password?
>
> We are not talking a Kerberos server, here.  Or credit card authorization.  
> Those are kept in locked rooms. 
> 
> And there's no security guard, etc, at my home or the office, either. 

That's more or less irrelevant.

What matters here is that remote network access can come from anywhere,
and there's no way to authenticate even the location of the originating
client.  Even if all you do is play 'advent' on your home computer, the
fact that an unauthorized and unauthenticated remote user can gain
superuser access directly by only guessing your root password makes your
machine a threat to everyone else on the public Internet.  It is
precisely such low-risk machines which have made it even harder to
identify remote threats.  A sophisticated attacker can probably easily
hide in your machine in such a way that you cannot even know (unless you
have a packet trace of the attack) that the machine has been compromised.

Now of course if you have securely configured SSH publickey only access
for root, and disallow password access via SSH, then direct root login
by SSH is probably more secure than login by password and su by password
(though it does depend entirely on the security of the client host
holding the other half of that key).  However if you've done this then
you've hopefully paid enough care and attention to these details that
you wouldn't get caught unawares with no remote root access and no
remote user access either. :-)

> Password guessing was pretty easy with only 8 characters, and the fact 
> that staff had a tendency to pick passwords like "SmoothO" from the song 
> Smooth Operator for the cisco.  The new long passphrase stuff is an 
> improvement, although the real bit density means the passphrases need to 
> be 100 character sentences, and I don't know anybody that does it.  You?

Well, on my machines I've integrated and implemented cracklib.  No user
can choose a password that crack can guess -- not even root (though root
can still of course cut&paste encrypted password strings into
/etc/master.passwd, and of course remove the cracklib dictionaries or
maybe even install a modified passwd program, etc.).

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
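Added example, not part of the original message: the audit trail Greg describes is the set of su(1) messages that syslog files under LOG_AUTH, and it is only useful if someone actually reads it. The script below pulls the failed and successful su-to-root entries out of such a log and flags accounts that repeatedly fail, which is the password-guessing signal the thread is worried about. The log lines are constructed samples patterned on the "BAD SU user to root on /dev/ttyXX" / "user to root on /dev/ttyXX" wording; the function and file names are the example's own, and the patterns are an assumption to adjust if your su(1) logs differently.

```shell
#!/bin/sh
# Added example (not from the original message): pull the su(1) audit
# trail out of a syslog-style authlog.  The sample lines are constructed,
# patterned on the "BAD SU user to root on /dev/ttyXX" and
# "user to root on /dev/ttyXX" messages su(1) sends to the LOG_AUTH
# facility; adjust the patterns if your su(1) wording differs.

# Write the constructed sample log to the file named in $1.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Oct  1 14:02:11 weird su: woods to root on /dev/ttyp0
Oct  1 14:05:43 weird su: BAD SU guest to root on /dev/ttyp3
Oct  1 14:05:51 weird su: BAD SU guest to root on /dev/ttyp3
Oct  1 14:06:02 weird su: BAD SU guest to root on /dev/ttyp3
Oct  1 14:07:19 weird su: guest to root on /dev/ttyp3
Oct  1 14:09:30 weird su: BAD SU woods to operator on /dev/ttyp0
Oct  1 14:30:00 weird sshd[1234]: Accepted publickey for woods from 192.0.2.10 port 40001
EOF
}

# Number of failed su attempts to account $2 (default root) in log $1.
count_bad_su() {
    awk -v target="${2:-root}" '
        / su: BAD SU / && $0 ~ (" to " target " on ") { n++ }
        END { print n + 0 }' "$1"
}

# Number of successful su to account $2 (default root) in log $1.
count_good_su() {
    awk -v target="${2:-root}" '
        / su: / && !/BAD SU/ && $0 ~ (" to " target " on ") { n++ }
        END { print n + 0 }' "$1"
}

# Print "user count" for each user with at least $2 (default 3) failed
# attempts to become root in log $1: the crude password-guessing signal
# you would want to alert on.  Failures against other targets are ignored.
list_su_guessers() {
    awk -v limit="${2:-3}" '
        / su: BAD SU / {
            # ... su: BAD SU <user> to <target> on <tty>
            for (i = 1; i <= NF; i++)
                if ($i == "SU") { user = $(i + 1); target = $(i + 3); break }
            if (target == "root") fails[user]++
        }
        END { for (u in fails) if (fails[u] >= limit) print u, fails[u] }' "$1"
}

# Demonstration on the constructed sample:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    log=${TMPDIR:-/tmp}/authlog.sample.$$
    write_sample_authlog "$log"
    echo "failed su to root:      $(count_bad_su "$log")"
    echo "successful su to root:  $(count_good_su "$log")"
    echo "likely guessers:        $(list_su_guessers "$log" 3)"
    rm -f "$log"
fi
```

Point the functions at /var/log/authlog instead of the sample and run list_su_guessers from cron; note that a successful su following a run of failures from the same user (guest in the sample) is exactly the sequence a guessed password produces, and is worth a second look even when it does not trip the threshold.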
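Added example, not part of the original message: the "publickey only access for root, no password access" configuration Greg calls the acceptable form of remote root login is easy to get half-right (disabling password authentication but leaving challenge-response on, or the other way round). The script below reads an sshd_config the way sshd does, first uncommented match wins and keywords are case-insensitive, and classifies whether a guessed root password alone would still get a shell. It assumes the OpenSSH keywords PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication with their historical default of yes when absent, does not interpret Match blocks, and uses two constructed sample configs; function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original message): tell whether an
# sshd_config still lets root in on a guessed password, which is the
# case the message warns about.  Assumes the OpenSSH keywords
# PermitRootLogin (yes / without-password / forced-commands-only / no),
# PasswordAuthentication and ChallengeResponseAuthentication, and the
# historical OpenSSH default of "yes" for each when the keyword is absent.
# Match blocks are not interpreted.

# Write a constructed, stock-looking (weak) config to $1.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Write a constructed config with key-only root access to $1.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Effective value of keyword $2 in config $1: first uncommented match
# wins (as in sshd), keywords compare case-insensitively, and $3 is the
# default when the keyword is absent.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }' "$1"
}

# Classify root access in config $1:
#   root-login-disabled      PermitRootLogin no
#   root-key-only            no password path to root remains
#   root-password-guessable  a guessed root password alone gets a shell
root_login_class() {
    prl=$(sshd_setting "$1" PermitRootLogin yes)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    case "$prl" in
        no) echo root-login-disabled ;;
        without-password|prohibit-password|forced-commands-only)
            echo root-key-only ;;
        *)  if [ "$pw" = no ] && [ "$cr" = no ]; then
                echo root-key-only
            else
                echo root-password-guessable
            fi ;;
    esac
}

# Demonstration on the constructed samples:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    w=${TMPDIR:-/tmp}/sshd_weak.$$; h=${TMPDIR:-/tmp}/sshd_hard.$$
    write_weak_config "$w"; write_hardened_config "$h"
    echo "stock config:     $(root_login_class "$w")"
    echo "hardened config:  $(root_login_class "$h")"
    rm -f "$w" "$h"
fi
```

Run root_login_class against /etc/ssh/sshd_config on the real host, or, on an OpenSSH new enough to have it, against the output of sshd -T, which prints the effective settings in lowercase and so goes through the same case-insensitive lookup. The remaining caveat is the one Greg makes himself: key-only root login is only as strong as the client host holding the private key.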