[CentOS] Getting ready for CentOS 5.4

Mon Mar 30 14:17:09 UTC 2009
Michael A. Peters <mpeters at mac.com>

Les Mikesell wrote:
> Michael A. Peters wrote:
>>> Errr, why is it easier to get an admin user's name and password than the 
>>> root password?
>> Because typically you only allow root login via console or an existing 
>> login.
> I don't see how that relates to the question.

It relates because your administrators generally log in from remote 
locations. For ssh they may be using a pass phrase (assuming their has 
been a key exchange previously) but not necessarily. Unless all methods 
of connecting refuse password authentication, there is a possibility of 
brute force password discovery.

>> You can brute force a user password (or sniff if the admin is lazy in 
>> how they connect - IE not using proper pass phrase, MITM attacks - 
>> possible with the SSH bug that Debian/Ubuntu had) etc. but normally the 
>> root account is disabled from remote login so it can't be remotely brute 
>> forced or sniffed.
> Normally?  As in a default install?

if you compile openssh from source, root login is disabled.
Distro's usually (and I disagree with this) default to allow root login 
- justification being it's the only way to get in after doing a remote 
install, but there are better ways to solve that.

But yes - any admin will lock down ssh (and any other services) as soon 
as the install is finished to forbid root login, any admin that does not 
needs to get a job selling real estate.

>> What you normally do is give sudo access to the commands (or wrappers to 
>> the commands) that a particular sysadmin might need to use but you don't 
>> give them full root access, thereby limiting the damage that can be done 
>> should their password be compromised.
> Who is 'them'?   And if you haven't shared the root password, what 
> happens when you get hit by a bus?

If I get hit by a bus, I don't personally care what happens, but of 
course there is more than one individual who has the master root 
password. Most of your junior don't need it and shouldn't have it, you 
can give them access via sudo to the specific things they need to do 
(and log sudo to a log machine they don't have access to) that require 
privilege escalation.

The point is you should never be able to gain a root shell knowing just 
a username and password for which a remote connection is allowed, and 
that's exactly what the OS X / Ubuntu default sudo configuration allows.