From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] OpenSSH upgrade warning
To: gentoo-user@lists.gentoo.org
References: <56414A8C.1080701@gentoo.org> <56420397.8010504@gentoo.org>
In-Reply-To: <56420397.8010504@gentoo.org>
From: Alan McKinnon
Message-ID: <56420DB1.80302@gmail.com>
Date: Tue, 10 Nov 2015 17:30:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=utf-8

On 10/11/2015 16:47, Michael Orlitzky wrote:
> On 11/09/2015 10:26 PM, Jeff Smelser wrote:
>>
>> The question is, why would you want root login? If you're still using it,
>> you're doing it wrong.
>
> Maybe, but your argument isn't convincing. How am I better off doing it
> your way (what is your way)?
>

The most common way is to disallow all remote logins as root.

Admins log in with their personal unpriv account using an ssh key.
To become root they must su or sudo -i with a password.

Benefits: two-factor auth using different mechanisms. Having the key or
the password is not enough to become root, an attacker must have both.

Allowing root logins directly over the network is considered bad
practice, due to the "one mistake = you lose" aspect.

-- 
Alan McKinnon
alan.mckinnon@gmail.com
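A way to check that an sshd_config actually enforces the policy described in the reply above (no direct root login, admins use keys and then su/sudo), added here as an example and not code from the list thread. It assumes standard sshd_config semantics (the first occurrence of a keyword wins, keywords are case-insensitive, directives after a Match block are conditional) and constructs its own sample file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for the "no direct root login, keys for admins" policy described above.
# sshd applies the FIRST value it sees for a keyword, keywords are
# case-insensitive, and lines after the first "Match" block apply only
# conditionally, so only the global section and first occurrence count.

# effective_value FILE KEYWORD -> global value sshd would use, or
# "default" if the keyword is never set before a Match block.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "")                  # drop comments
          sub(/[ \t]*=[ \t]*/, " ")       # accept Keyword=value form
          gsub(/"/, "") }                 # unquote values
        NF == 0 { next }
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if root login and password auth are both
# off globally, 1 otherwise; prints one line per check.
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    # The newer upstream default (prohibit-password) still lets root in
    # with a key; the thread's policy wants direct root login off entirely.
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin=$root"
    else echo "FAIL PermitRootLogin=$root (want no)"; rc=1; fi
    # Password auth defaults to yes; admins should use keys, then su/sudo.
    if [ "$pw" = "no" ]; then echo "OK   PasswordAuthentication=$pw"
    else echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; fi
    return $rc
}

# Constructed sample: looks hardened at a glance, but the earlier
# "PermitRootLogin yes" is the one sshd actually applies.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no    # too late: first occurrence wins
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE" || echo "sshd_config does not enforce the policy"
rm -f "$SAMPLE"
```

On a live host, compare against `sshd -T`, which prints the effective configuration after all parsing rules are applied.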