Problems with Sudo

Arthur H. Johnson II arthur at johnsonfamilymi.us
Fri Mar 16 13:43:31 UTC 2007


On Fri, 2007-03-16 at 00:56 -0400, Jeffrey F. Bloss wrote:
> Are you saying it doesn't work with the chrootssh patch, or without?
> 
> Under chrootssh I wouldn't expect anything else because chroot
> shouldn't "let go" of a session no matter what.
> 
> But under normal circumstances you should be able to SSH into a
> non-sudo account, su to another account, and run sudo as long as that
> "final" user is permitted explicitly by user name, or implicitly by
> group. If you can't, something is amiss.
> 

I'm sshing into my machine running on an alternate port, logging into a
chroot jail.  Then I run ssh to get to another machine on the network,
or to localhost.

> That's what things like key-only authentication, port knocking, and
> rate limiting are for. Any one of the three cuts brute force attacks
> off at the knees. With a port knock setup attackers can't even see a
> daemon until you enable it from remote. Keys make password guessing
> irrelevant, and rate limiting frustrates the hell out of anyone trying
> to guess passwords. Having to wait minutes between guesses makes them
> move on pretty quick.
> 

I'll probably look into port knocking eventually.  Right now I have to
get the rest of the services I had running on my Debian box migrated
over first, then I can look at improving.  I have a web server, DNS and
other family-intranet-related stuff I need to take care of first.

> If I understand correctly... ouch! Allowing *any* direct root login from
> remote is a bad idea, if for no other reason than it being the one
> account an attacker can be sure actually exists. Cuts brute force time
> exponentially. Better to allow direct access to an "admin" account with
> sudo privileges. Make it a nonsensical user like 4garzelflop7 if you're
> paranoid. Remember that brute force means guessing the user and
> password combination, not just the password.

Oh heck no, I don't allow direct root logins from the internet!  But I
like your idea about the nonsensical user.  I'll file that one away.


-- 
Arthur H. Johnson II <arthur at johnsonfamilymi.us>
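The two hardening points the thread agrees on, no direct root login from remote and key-only authentication, are both sshd_config settings. The following audit script is an added example, not code from either poster; it assumes an OpenSSH sshd_config and relies on sshd's documented rule that the first value read for a keyword wins, so a "PermitRootLogin no" appended below an older "PermitRootLogin yes" changes nothing. The sample config and the acceptable-value tables are constructed for the example.

```python
import re

# Keyword -> acceptable values for a host that must not take direct root
# logins over the network and must not accept password guesses at all.
EXPECTED = {"permitrootlogin": {"no"}, "passwordauthentication": {"no"}}
# OpenSSH defaults applied when the keyword is missing from the file
# (PermitRootLogin defaulted to "yes" before OpenSSH 7.0).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Global directives as {keyword: value}; the FIRST occurrence wins,
    as in sshd. Parsing stops at the first Match block, because directives
    there are conditional and do not change the global setting."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # whole-line comments only
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def audit(config_text):
    """Return (keyword, effective_value, acceptable_values) for each weak setting."""
    settings = effective_settings(config_text)
    findings = []
    for key, acceptable in EXPECTED.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in acceptable:
            findings.append((key, value, sorted(acceptable)))
    return findings

# Constructed sample config: "PermitRootLogin no" was appended below an
# older "PermitRootLogin yes", so sshd still permits root logins. A check
# that reads the last occurrence would wrongly report the file as hardened.
SAMPLE = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to list the weak settings; an empty list means both keywords are set as the thread recommends.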

More information about the ubuntu-users mailing list