-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, Dec 04, 2014 at 10:00:54AM -0500, Miloslav Trmač wrote:
> Fundamentally, as someone has already pointed out, root login
> enabled/disabled doesn’t matter for _authentication_ strength: The pair
> of (guessable or known user name, “root”) and (user’s password, root
> password) can be equally strong as the pair of “root” and “a password as
> strong as the two previous passwords together”.

Well, there are a couple of advantages for attacking the root account (and
this is why it's done so often).

First, you already know the username. That's sometimes half the puzzle!
You're not trying to guess a username *and* a password but rather only
trying to guess a password. You're halfway there already! Now all you have
to do is brute force the password.

Second, if you get into the account you know you've struck gold. You now,
effectively, own the system. It's not like being able to log in as a user
and then hoping that you might have sudo access to do other things (like
change root's password).

Allowing root access is just dangerous. If someone really needs it they
can turn it on, but I suspect many people don't even realize the access
exists, and 'fluffybunny' isn't going to keep their systems safe.
- --Eric

- --------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security
sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBCgAGBQJUgHq7AAoJEB/kgVGp2CYv+SAL/147t4WKOIBnqFfEEJYxhe2w
9gEzXEmNuRdcipeKVI8oPIfS+wL6ygrxLWO4tYtwY+AK8oiLxhMokTt/ZW5Vqpgw
dpnzfxSppq8VBtWW6s6o4bL1noa3Lphk2yvXp/vtc0BZjniMw9zP1FmasEmEbJw8
9lbANNRS63sFifLFEhSt3lIFCTwo8+XBur8FUtLiTthmb0hqiVDXWCTOoaMLSRJX
WqxYBBUIH3xGVNoMQqQjSJyM96ryy4mUZdtd8nc/oklqnWYdZROjzLzl0uCpU6dF
qsTMKzMEQbvZJYxEfG8pcIbzOHukC8aG8xb9r0J5/oPiwbtdC+qTMLGN3SoHPFA/
6WVMMH+aab/NDZ3M1/pWU24c0DeGCCqDSzL7ulOjkQZxPC2pj1pNTywXz3PNrSm2
VaTF0Iga6yYsiRWNGT5lYCClDerSAfVOWI6QpSb+EvpOFQKcDcuvwUPUXWu/ivFv
ZQaBOGuMvA4cyI7SCmQdPLVyvE/ZhEKx2tidcn1+3w==
=cESf
-----END PGP SIGNATURE-----
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
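The message above argues that a host which lets root log in with a password hands the attacker the username for free. The following is an added example, not code from the thread or from the Fedora or OpenSSH projects: it assumes the "root login" under discussion is OpenSSH's PermitRootLogin and audits an sshd_config for exactly that condition, using the sshd_config(5) rules that matter here (first value for a keyword wins; everything after a Match line is conditional; keyword/value split on whitespace or "="). DEFAULT_PERMIT_ROOT_LOGIN, the sample configs and all function names are this example's own assumptions; the built-in default it models is prohibit-password on OpenSSH 7.0 and later and yes on older releases, and Include lines are not followed.

```python
"""Audit an sshd_config for password logins to root.

Added example (not from the mailing-list thread).  Implements these
sshd_config(5) rules:
  * keywords are case-insensitive, separated from the value by whitespace
    or by '=';
  * for each keyword the FIRST value obtained wins, so a later line that
    "fixes" an earlier one is silently ignored;
  * every line after a Match line belongs to that Match block and applies
    only to matching connections, so it never changes the global value.
Assumptions: DEFAULT_PERMIT_ROOT_LOGIN models the built-in default
(prohibit-password on OpenSSH 7.0+, yes on older releases); Include lines
are not followed.
"""

import re

# Assumed built-in default when PermitRootLogin is never set globally.
# Older sshd releases (such as the 2014-era Fedora one) defaulted to "yes";
# pick the value matching the fleet you audit.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"

# Values sshd accepts for PermitRootLogin (without-password is a legacy alias).
PERMIT_ROOT_VALUES = {"yes", "no", "prohibit-password", "without-password",
                      "forced-commands-only"}


def global_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are lower-cased, the first value per keyword wins, and parsing
    stops at the first Match line because later lines are conditional.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break                                    # rest is per-connection
        if keyword == "include" or len(parts) != 2:
            continue                                 # assumption: Include not followed
        settings.setdefault(keyword, parts[1].strip())   # first obtained value wins
    return settings


def effective_permit_root_login(config_text, default=DEFAULT_PERMIT_ROOT_LOGIN):
    """The PermitRootLogin value sshd applies to ordinary (non-Match) connections."""
    value = global_settings(config_text).get("permitrootlogin", default).lower()
    if value not in PERMIT_ROOT_VALUES:
        raise ValueError("unknown PermitRootLogin value: %r" % value)
    return "prohibit-password" if value == "without-password" else value


def root_password_login_allowed(config_text, default=DEFAULT_PERMIT_ROOT_LOGIN):
    """True if an attacker who knows the username 'root' only needs its password.

    Root must be permitted outright (PermitRootLogin yes) AND a password-style
    method must be on: PasswordAuthentication, or keyboard-interactive (which
    with UsePAM also prompts for the password).  Both default to yes in sshd.
    """
    if effective_permit_root_login(config_text, default) != "yes":
        return False
    s = global_settings(config_text)
    password = s.get("passwordauthentication", "yes").lower() == "yes"
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes")).lower() == "yes"
    return password or kbd


# Constructed sample configs (not taken from any real host).
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
"""

FIRST_WINS = """\
PermitRootLogin yes
PermitRootLogin no       # never applied: sshd keeps the first value
"""

INSIDE_MATCH = """\
Match Address 10.0.0.0/8
    PermitRootLogin yes
PermitRootLogin no       # looks global, but is still inside the Match block
"""

HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("WEAK", WEAK), ("FIRST_WINS", FIRST_WINS),
                      ("INSIDE_MATCH", INSIDE_MATCH), ("HARDENED", HARDENED)]:
        print("%-12s PermitRootLogin=%-17s root password login: %s" % (
            name, effective_permit_root_login(cfg), root_password_login_allowed(cfg)))
```

The INSIDE_MATCH sample is the case that bites in practice: the `PermitRootLogin no` an admin appended to the end of the file sits inside the preceding Match block, so the global value is whatever the sshd build defaults to; on a release that defaults to yes, root is still reachable with a password. Run `sshd -T` on the real host to confirm what the daemon actually resolved.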