MAC OS X tiger help for a Windows technician
LuKreme
kremels at kreme.com
Fri Jun 15 18:16:04 PDT 2007
On 14-Jun-2007, at 20:00, Alex Satrapa wrote:
> On 15/06/2007, at 06:43 , Karl Kuehn wrote:
>> Are you intentionally being rude? Does this really work for you?
>> Do you really think it is appropriate on a public forum? Do you
>> really think it brings the conversation any further?
>
> Dan has just been doing administratorly things for so long that he
> can no longer grasp the concept that some people don't understand
> Unix administration. This lack of comprehension leads to
> frustration when dealing with people whose knowledge domain isn't a
> full subset of his own, and this frustration results in the BOFH
> attitude which Dan has been affecting these last couple of months.

Months? You must be new around here.... :)

> The main risk of enabling root login is that it becomes easier for
> remote attackers to log in as root. If root login is not enabled,
> remote attackers first have to log in as a local user, then find a
> locally exploitable privilege escalation vulnerability. The
> increased difficulty is due to having to guess not just the
> password, but a local user name.

Well, yes, I suppose. I mean, you can not allow remote logins as
root, that's pretty trivial to do.

> You can mitigate this risk by simply not turning on Telnet, and
> configuring SSH to:
> - not allow root logins
> - only allow specific users to log in
> - not allow password logins (you must use a key)
> - do not use administrative accounts for day to day use

You can allow root SSH, just not root/password via ssh.

--
I listen to the wind, to the wind of my soul
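
Added example (not part of the original post): a small checker for the three sshd_config settings listed in the thread, covering both "no root logins" and the "root by key only" variant from the reply. The sample configurations and user names are constructed, Match blocks are not handled, and keyboard-interactive authentication is not examined.

```python
# Added example: audit sshd_config text against the settings from the thread.
KEY_ONLY = {"without-password", "prohibit-password", "forced-commands-only"}

def parse_global(text):
    """Map lower-cased keyword -> value for the global section.

    Keywords are case-insensitive; for single-valued keywords such as
    PermitRootLogin sshd uses the first occurrence. Parsing stops at the
    first Match block (conditional overrides are not handled here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def root_access(text):
    """Return 'denied', 'key-only', 'password' or 'unset' for root over SSH."""
    s = parse_global(text)
    root = s.get("permitrootlogin", "unset").lower()
    if root in ("no", "unset"):
        return "denied" if root == "no" else "unset"  # unset: default varies by OpenSSH version
    if root in KEY_ONLY or s.get("passwordauthentication", "yes").lower() == "no":
        return "key-only"
    return "password"

def audit(text):
    """Return findings; an empty list means the thread's SSH settings are met."""
    s = parse_global(text)
    findings = []
    if root_access(text) in ("password", "unset"):
        findings.append("root password login possible or PermitRootLogin unset")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password logins enabled")
    if "allowusers" not in s:
        findings.append("no AllowUsers list")
    return findings

# Constructed sample configurations (not from the original post).
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
NO_ROOT = "permitrootlogin no\nPermitRootLogin yes\nAllowUsers alice bob\nPasswordAuthentication no\n"
ROOT_BY_KEY = "PermitRootLogin without-password\nAllowUsers root alice\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("NO_ROOT", NO_ROOT), ("ROOT_BY_KEY", ROOT_BY_KEY)):
        print(name, root_access(cfg), audit(cfg))
```

The fourth item in the quoted list, not using administrative accounts for day to day work, is an account practice rather than an sshd setting, so it is not checked here.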