| 1 |
02.05.2010 17:23, Krzysztof Pawlik wrote: |
| 2 |
> Interesting... to me that's not only stupid but also kinda useless - there's no |
| 3 |
> difference between brute-forcing a password for user named 'foo' or 'root' - |
| 4 |
> user name doesn't matter much. |
| 5 |
> It's better to disable password-based remote login altogether in |
| 6 |
sshd_config. |
| 7 |
> Security by obscurity is a nice way to make pseudo-sys-admins feel |
| 8 |
warm and fuzzy :] |
| 9 |
|
| 10 |
The username is 50% of what you need to know to be able to log in, and |
| 11 |
security by obscurity can support environments where the attacker cannot |
| 12 |
gain insight easily, in contrast to e.g. security by obscurity in |
| 13 |
hardware like telephones that are shipped to you and can be examined |
| 14 |
closely. |
| 15 |
|
| 16 |
However, it cannot be seen as effective countermeasure against attacks |
| 17 |
and AFAIR the BSI also says, that you shouldn't allow root logins and |
| 18 |
need a second user for logging in. All of it is a bit ridiculous, |
| 19 |
because when you're in a position to try gaining uid 0, you probably can |
| 20 |
read /etc/passwd already. |
| 21 |
|
| 22 |
So, of course, it's really dumb and only creates problems. One can try |
| 23 |
to explain that to an auditor - but it will cause not only a few |
| 24 |
problems and definitively delay and/or endanger your certification, if |
| 25 |
this was a "MUST" and not a "SHOULD". If it is a "SHOULD", you need to |
| 26 |
explain (in convincing written form, of course) why you do not want to |
| 27 |
implement it. |
| 28 |
|
| 29 |
|
| 30 |
Back to topic: I think it would be nice be able to rename root, but I'm |
| 31 |
not sure how much work this is, and doubt many people would actually |
| 32 |
benefit from it. |
| 33 |
|
| 34 |
In scripts I use to deploy things to both BSI and non-BSI systems, I'm |
| 35 |
simply using "chown 0:0 foo". I think we could do that in our eclasses |
| 36 |
without breaking things, but helping poor souls that renamed root. ;) |
| 37 |
A quick look revealed that the tetex.eclass already does this and that |
| 38 |
there are several other eclasses that use "chown -R root:0". |
| 39 |
|
| 40 |
Best regards, |
| 41 |
|
| 42 |
Craig |
Archives