At 6/17/2003 08:18 +0100, you wrote: All of these are addressed by not permitting password login at all. We only allow public/private key access to our systems.
I have access to a machine in Germany where I log in with ssh and then do an su to root. The extra step adds no significant extra security -- although I'd be happy to be wrong and for someone to explain why it does.
There are a few simple but effective reasons:
1. The cracker must then guess a valid username in order to log in. Not only a valid user, but one who is in the wheel group and has access to becoming root (i.e. with permissions to use /bin/su).
2. The cracker cannot brute-force or dictionary attack the opensshd with different passwords for "root" (even just a few times).
3. The cracker must steal or guess at least two passwords instead of one.
4. Social engineering becomes somewhat more difficult.
As I said before -- you need two things to be able to break into the system: a copy of the private key and the much longer than usual passphrase.
You can get both of these if you happen to gain access to a machine where the ssh-agent is running with the private key already loaded. This is probably the worst security risk, but it can be mitigated by making sure you unload the key when you leave at night.
jch
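
The server-side settings argued over in this thread (no password login, no direct root login, public-key access only) can be checked mechanically. The following is an added example, not part of the original messages: a small auditor for `sshd_config` text that applies sshd's first-value-wins rule for global keywords and flags `Match` blocks that weaken a setting. The sample config is constructed, the defaults are those of current OpenSSH, `Include` files are not followed, and only the three keywords named here are checked.

```python
# Constructed sample config for illustration (not from the thread).
SAMPLE = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Values sshd assumes when a keyword is absent (current OpenSSH defaults).
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password",
            "pubkeyauthentication": "yes"}
# Policy from the thread: keys only, and root reached via su, not ssh.
WANTED = {"passwordauthentication": "no",
          "permitrootlogin": "no",
          "pubkeyauthentication": "yes"}

def audit(text):
    """Return a list of findings; an empty list means the policy holds."""
    effective, seen, findings, match = dict(DEFAULTS), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        key, args = parts[0].lower(), parts[1:]    # keywords are case-insensitive
        if key == "match":
            match = " ".join(args)                 # later lines are conditional
            continue
        if key not in WANTED or not args:
            continue
        value = args[0].lower()
        if match is not None:
            # A Match block overrides the global value for matching logins.
            if value != WANTED[key]:
                findings.append(f"Match {match}: {key} {value}")
        elif key not in seen:
            # Globally, sshd keeps the first value it reads for a keyword.
            seen.add(key)
            effective[key] = value
    for key, want in WANTED.items():
        if effective[key] != want:
            findings.append(f"global: {key} {effective[key]}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
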