[Novalug] ssh as root (beating a dead horse into the ground)

Michael Henry lug-user@drmikehenry.com
Wed Mar 7 06:52:24 EST 2012


On 03/06/2012 07:20 PM, Michael Quaintance wrote:
> The main reason for using sudo instead of logging in as root
> for this scenario is that $asshole on the internet has to find
> two things in order to be able to log into my box: username
> and password.

I haven't seen anyone mention OpenSSH's ``PermitRootLogin``
configuration option to control when and if to allow root to
log in.  When ``PermitRootLogin`` is set to ``without-password``,
root may not log in using a password; instead, root must provide
a private SSH key to log in.  An attacker on the Internet will
not possess root's private key, which eliminates the concern
that the attacker knows root's account name.

> Also, for protecting against random stupidity on my
> part, if a command fails because my user account is not
> privileged enough, "sudo !!" will quickly allow me to repeat
> the same command as root without having to use line-editing
> commands. This is much better than being superuser and
> accidentally doing something you shouldn't.

For me, protection against my own random stupidity amounts to
knowing what's dangerous and being extra careful with those
dangerous tools.  For certain, having superuser powers makes
some commands more powerful.  But I regard the ``rm`` command
(for example) as dangerous whether I'm root or a regular user.

When I use ``sudo`` for a sequence of superuser commands, I find
that it's just extra typing.  For me, it doesn't add much of a
safety belt.  I've never yet been saved from an accidental
invocation of a powerful command just because I've omitted the
``sudo``, since I'm already being careful because of the nature
of the operation I want to perform.  The "permission denied"
error is just an annoyance that is quickly fixed with ``sudo
!!`` (as you suggest) since I'm already certain of the command
before I hit Enter.

For me, the key is to avoid *staying* root for normal
activities, since it's very hard to maintain a "superuser" level
of care all the time.

It reminds me of my table saw.  Whenever I use it, I'm fully
aware that it's a powerful and dangerous tool.  I use the utmost
care and patience when I'm sawing.  But when the cut has been
made, I don't continue with nailing, gluing, sanding, etc., on
the saw's tabletop with the saw running.  I immediately turn the
saw off when I'm done with its dangerous power.

That's how my brain works; other people no doubt have different
ways of preventing superuser mistakes.

Michael Henry
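
Added example (not part of Michael Henry's message): a shell check that reads the global ``PermitRootLogin`` value from an sshd_config-style file and classifies it, using the fact that sshd keeps the first value it reads for a keyword. The function names, verdict labels and sample config are constructed for illustration; ``Include`` files and ``Match`` blocks are not followed.

```shell
#!/bin/sh
# Print the global PermitRootLogin value from the file in $1, or "unset".
effective_root_login() {
    awk '
        $1 ~ /^#/ { next }                      # comment line
        tolower($1) == "match" { exit }         # global section ends at first Match
        tolower($1) == "permitrootlogin" {      # keywords are case-insensitive
            print tolower($2); found = 1; exit  # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the value to a verdict label (labels are this example's own).
classify_root_login() {
    case "$(effective_root_login "$1")" in
        no)
            echo "root-ssh-disabled" ;;
        without-password|prohibit-password)     # newer releases spell it prohibit-password
            echo "root-password-refused" ;;
        forced-commands-only)
            echo "root-key-forced-command-only" ;;
        yes)                                    # still subject to PasswordAuthentication
            echo "root-password-permitted" ;;
        unset)                                  # built-in default differs between releases
            echo "default-depends-on-version" ;;
        *)
            echo "unrecognized" ;;
    esac
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin yes
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
EOF
echo "PermitRootLogin: $(effective_root_login "$sample") -> $(classify_root_login "$sample")"
rm -f "$sample"
```

On a live host, ``sshd -T`` run as root prints the configuration sshd will actually use and is the authoritative check.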



