From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LWVzP-0006YK-2H for garchives@archives.gentoo.org; Mon, 09 Feb 2009 13:15:55 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CE2E0E030C; Mon, 9 Feb 2009 13:15:53 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id AE67CE030F for ; Mon, 9 Feb 2009 13:15:53 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 528636460D for ; Mon, 9 Feb 2009 13:15:53 +0000 (UTC) X-Virus-Scanned: amavisd-new at gentoo.org X-Spam-Score: -3.4 X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.5 tests=[AWL=0.199, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from smtp.gentoo.org ([127.0.0.1]) by localhost (smtp.gentoo.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qTTJATlTrhdW for ; Mon, 9 Feb 2009 13:15:46 +0000 (UTC) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTP id 9EE4E65486 for ; Mon, 9 Feb 2009 13:15:45 +0000 (UTC) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1LWVzD-0002o0-DP for gentoo-user@gentoo.org; Mon, 09 Feb 2009 13:15:43 +0000 Received: from athedsl-106107.home.otenet.gr ([87.203.54.25]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 09 Feb 2009 13:15:43 +0000 Received: from realnc by athedsl-106107.home.otenet.gr with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 09 Feb 2009 13:15:43 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: gentoo-user@lists.gentoo.org From: Nikos Chantziaras Subject: [gentoo-user] Re: Permissions of /etc/sudoers Date: Mon, 09 Feb 2009 15:15:35 +0200 Organization: Lucas Barks Message-ID: References: <200902091405.50934.heiko@xencon.net> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: athedsl-106107.home.otenet.gr User-Agent: Thunderbird 2.0.0.19 (X11/20090203) In-Reply-To: <200902091405.50934.heiko@xencon.net> Sender: news X-Archives-Salt: 64c667e7-5f68-4be1-b257-94c68e3fac12 X-Archives-Hash: 0be0c7f584c33459a561049ad6594b50 Heiko Wundram wrote: > Am Montag 09 Februar 2009 13:37:31 schrieb Nikos Chantziaras: >> Stroller wrote: >>> I install sudo, give my user wide sudo rights and then set >>> "PermitRootLogin no" in /etc/ssh/sshd_config. >>> (Critique of this measure welcomed). >> Since Hung already answered about the other problem, I'll just comment >> on this. >> >> It's a bad idea if the machine is open to the Internet, especially since >> it's easy to simply "su -" or "sudo" as a normal user. > > Sorry, but I consider that to be BS advice (at least concerning that you want > to leave password-authentication open). > > I'd always recommend disabling root login for ssh (as soon as that is > possible, i.e. you have an unpriviledged account who is in group wheel who you > can use to access the machine in question), because root is a "well-known" > user (and thus lends itself well to a [possibly distributed] ssh brute force). Er, didn't I actually say the same? If other people have network access to the machine, disable root. You misunderstood something.