On Fri, 4 Jan 2008 17:55:49 -0800 (PST) riley.marquis@xxxxxxxxxxxxxxx wrote: > It appears as if I have fallen behind the times in terms of Linux > security. I apologize for not keeping up. =) No worries. ;) > > I'd like to take a moment to ask a few questions so that I can better > understand the reasoning behind certain changes being a bad idea, and > thus become more knowledgeable. > > 2: /etc/ssh/sshd_config change > In regards to changing PermitRootLogin to no, we'd obviously need a > regular user account to login to, then su to root. Thus, even one who > has the root account and password would need a regular user name and > password before the root account would do him any good. However, > perhaps there is a downside to this as well? Or perhaps we don't > change any defaults from upstream OpenSSH unless absolutely > necessary? I'm sure there are those who want to login as root, and > those who don't. Just curious about the reasoning... Well, as you say, you need to make sure we force the user to make a regular account first, currently thats not being done. You can do a new install and not create a user account. I find root ssh login handy for a number of reasons: - You can have some family member or friend who trusts you to fix their linux install allow your ssh key to login as root, then you never need to know any passwords on their system or have a useless normal account there. - It's nice to be able to do for automated tasks (like say installing a single new package on 20 machines without having to login and sudo on each). I wouldn't be opposed to disabling it if it was possible to re-enable for folks who wanted it and we made sure there was always a way to get in via a user account. We just basically need to make sure everything is in place before doing anything like disabling root logins. > > In regards to the GCC lockdowns, it was my understanding that > sometimes hackers use our own compilers against us by logging in as a > normal user, using gcc to build their hacktools, and then using the > built tools to compromise root. Is this something that is no longer > done? Just curious. Sure, but disabling compiling for all the legit users is a bit like throwing out the baby with the bathwater. > > Thanks in advance! > Riley kevin
Attachment:
signature.asc
Description: PGP signature
-- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
