Re: Root Access

Michael Fleming wrote:
> - NEVER ssh as root. PermitRootLogin defaults to "no" in OpenSSH for
>   good reason. If your root password is weak and an attacker guesses
>   it, it's game over, your machine is compromised and you're another
>   zombie in someone's botnet. Log in as a regular user and su

A minor nit, but root login is allowed by default in upstream OpenSSH
(and in the Fedora packages).  I disable that on my systems, which I
think is a good practice.  But the default allows root logins for a
number of reasons, one of which, I believe, is that there may not be
any users on the system when it is first installed and an admin may
need to ssh in and create them (for those admins that don't have
kickstart, cobbler, puppet, and/or some other handy tool(s) for
provisioning new systems).

>> I think it's very unfortunate that Microsoft has done such a poor
>> job of encouraging and allowing users to run with the least
>> privilege needed.
>
> This isn't strictly Microsoft's fault alone. Their engineers have
> been aiming to get users to run with the least available rights (and
> good users / administrators have tried to do so, with mixed success)
> but a combination of laziness on the parts of application
> developers, "Enterprise" admins of MS domains and users (who are
> subject to and learn bad habits from lazy admins and developers)
> often results in users being added to Administrator groups (or just
> logging in to the Administrator account) with disastrous results.

Well, I don't give MS much slack on this, as it should mostly be their
responsibility to make it possible to easily run without administrator
privileges.  The fact that it's only in the last 10 years or less that
they've even been talking about least user privilege shows how
far behind the curve they are.

But that's already getting pretty far off-topic for this list and this
thread. ;)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are no differences but differences of degree between different
degrees of difference and no difference.
    -- William James, under nitrous oxide; 1882
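
An added example, not part of the original message: a shell check that reports which global PermitRootLogin value an sshd_config file actually sets, rather than relying on a remembered default. The function names and the sample config are constructed for illustration, and the fallback value is supplied by the caller because the compiled-in default depends on the OpenSSH build.

```shell
#!/bin/sh
# Added example (not from the original post).
# Print the global PermitRootLogin value that an sshd_config file sets.
# sshd keeps the first value it reads for a keyword, treats keywords as
# case-insensitive, and accepts "Keyword value" or "Keyword=value".
# Assumptions: Include directives are not followed, and everything after the
# first Match line is treated as conditional and ignored.

# effective_permit_root_login FILE [FALLBACK]
# FALLBACK is printed when the file never sets the keyword globally.
effective_permit_root_login() {
    awk -v fallback="${2:-unset}" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == "permitrootlogin" { val = tolower($2); exit }
        END { print (val != "" ? val : fallback) }
    ' "$1"
}

# root_login_verdict VALUE -> one-word summary for an audit report
root_login_verdict() {
    case "$1" in
        no) echo disabled ;;
        prohibit-password|without-password) echo key-only ;;
        forced-commands-only) echo forced-commands ;;
        yes) echo allowed ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: the commented line is ignored, the first live setting
# wins, and the later "yes" lines have no effect on the global value.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'permitrootlogin = No' \
    'PermitRootLogin yes' 'Match User backup' '    PermitRootLogin yes' > "$sample"
value=$(effective_permit_root_login "$sample" yes)
echo "PermitRootLogin: $value ($(root_login_verdict "$value"))"
rm -f "$sample"
```

On a live host, `sshd -T` run as root prints the configuration the daemon resolves, including defaults and included files, and is the authoritative check.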