02.05.2010 17:23, Krzysztof Pawlik wrote:
> Interesting... to me that's not only stupid but also kinda useless - there's no
> difference between brute-forcing a password for a user named 'foo' or 'root' -
> user name doesn't matter much.
> It's better to disable password-based remote login altogether in
> sshd_config.
> Security by obscurity is a nice way to make pseudo-sys-admins feel
> warm and fuzzy :]

The username is 50% of what you need to know to be able to log in, and
security by obscurity can support environments where the attacker cannot
gain insight easily, in contrast to e.g. security by obscurity in
hardware like telephones that are shipped to you and can be examined
closely.

However, it cannot be seen as an effective countermeasure against attacks,
and AFAIR the BSI also says that you shouldn't allow root logins and
need a second user for logging in. All of it is a bit ridiculous,
because when you're in a position to try gaining uid 0, you probably can
read /etc/passwd already.

So, of course, it's really dumb and only creates problems. One can try
to explain that to an auditor - but it will cause not only a few
problems and definitely delay and/or endanger your certification, if
this was a "MUST" and not a "SHOULD". If it is a "SHOULD", you need to
explain (in convincing written form, of course) why you do not want to
implement it.


Back to topic: I think it would be nice to be able to rename root, but I'm
not sure how much work this is, and I doubt many people would actually
benefit from it.

In scripts I use to deploy things to both BSI and non-BSI systems, I'm
simply using "chown 0:0 foo". I think we could do that in our eclasses
without breaking things, but helping poor souls that renamed root. ;)
A quick look revealed that the tetex.eclass already does this and that
there are several other eclasses that use "chown -R root:0".

Best regards,

Craig
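An added example, not code from this thread or from any Gentoo eclass, that demonstrates the three points made above: a renamed uid-0 account is recovered from the world-readable /etc/passwd with one awk one-liner; an install step written as "chown 0:0" keeps working whatever the account is called, while "chown root:0" breaks once the name "root" no longer resolves; and the sshd_config check that actually removes the password-guessing problem. The passwd lines, the sshd_config fragments and the account name "toor" are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original thread). All sample data is constructed.

# Constructed /etc/passwd with the uid-0 account renamed to "toor".
SAMPLE_PASSWD='toor:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
craig:x:1000:1000:Craig:/home/craig:/bin/bash'

# Print the login name owning uid 0, read from a passwd-format stream on stdin.
# /etc/passwd is readable by every local user, so this is all an attacker
# needs to undo the "rename root" obscurity.
uid0_name() {
    awk -F: '$3 == 0 { print $1; exit }'
}

# Exit 0 if the login name $1 exists in a passwd-format stream on stdin.
# This is the lookup chown performs for a symbolic owner such as "root".
name_exists() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# Ownership step written with numeric ids, the "chown 0:0 foo" form:
# valid no matter what uid 0 is called. "chown root:0" fails on a system
# where the name "root" no longer exists (see name_exists above).
portable_chown_cmd() {
    printf 'chown 0:0 %s\n' "$1"
}

# Constructed sshd_config fragments: a weak one and a hardened one.
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_SSHD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Exit 0 if the sshd_config on stdin disables password logins. sshd takes the
# first value given for a keyword, so the first match wins here as well;
# keywords are case-insensitive, hence the tolower().
password_login_disabled() {
    awk 'tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { exit (v == "no") ? 0 : 1 }'
}

# Stand-alone demonstration.
printf 'uid 0 is called: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | uid0_name)"
printf '%s\n' "$SAMPLE_PASSWD" | name_exists root \
    || echo 'no account named "root": chown root:0 would fail here'
portable_chown_cmd /usr/share/foo
printf '%s\n' "$WEAK_SSHD" | password_login_disabled \
    || echo 'weak sshd_config: password logins still allowed'
printf '%s\n' "$HARDENED_SSHD" | password_login_disabled \
    && echo 'hardened sshd_config: password logins disabled'
```

The functions read their input from stdin so they can be pointed at the real files (`uid0_name < /etc/passwd`, `password_login_disabled < /etc/ssh/sshd_config`) without changing anything.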