If I may chime in a bit late...

On Tue, 2008-06-03 at 13:18 -0700, Ben Ford wrote:
> Very weak security model.

I think it deserves more credit than that. This will neutralize most attacks where the attacker doesn't know what IP address you do or don't allow in.

On Wed, 2008-06-04 at 08:51 +0200, Ron Arts wrote:
> Stated differently: will dictionary attacks always succeed?

It depends on the dictionary :) but to generalize: every password can be guessed.

On Fri, 2008-06-06 at 03:17 -0700, Bond Masuda wrote:
> In my experience, using public key authentication is often more of a
> security risk, depending on the situation. If the remote machine that
> holds the private key (and some store this with no password for
> convenience) is compromised, they immediately have an open door into
> your server. You may have no control how passwords are enforced,
> updates are applied, or if any security is implemented on the remote end.
> Setting up public key authentication, in effect extends your "trust
> domain" to a server that may not be so trustworthy. To me, it makes
> more sense to rely on security I can control. (which is often not the
> case if it is some other user's office desktop or workstation)
>
> -Bond

I just want to point out that the same argument can usually be applied to password-based authentication. There are a number of ways that a compromised workstation will compromise their password, too: keyloggers being the first that comes to mind. I bet there's a lot more malware out there that looks for passwords going into password fields than malware that looks for private keys. I guess it could go either way, but I still think you've got better odds with key-based authentication.

On Mon, 2008-06-02 at 10:29 +0200, Ron Arts wrote:
> Hi,
>
> <Ron's original post>

To respond to your original question, Ron, consider that security is not a switch but a scale. There are always things you could be doing better, or worse. Usually the biggest thing to consider is risk versus inconvenience, because security almost always comes at the cost of convenience.

If you're looking for an academic answer to why remote root login is bad, it's been answered a few times over: it's not bad, but it could be better. Non-privileged login + sudo means having to guess a username + password combination, plus a second password, as opposed to having to just guess a password.

If you're interested in a more practical answer, consider how inconvenient it is to have to log in as jdoe and then su into root. In my opinion, it's not. It takes me an extra 3 or 4 seconds at the beginning of an SSH session. Whenever I have the choice, I stick with no root login because the gain is high, the cost is low.

So I guess my response to "Why" is "Why not?"

Hope that was beneficial,
Mark