* Mario Ohnewald wrote on Mon, Jan 20, 2003 at 09:41 +0100:
If you log in as root someone can get your passwd and log in and get full control over your server.
I do not understand why that is.
The next thing can be a brute-force attack (log in as root and look up passwords from e.g. a database).
This works for user accounts also, and for su. Do you think that it increases security to need two passwords? Then you'd think about SSH-Keys for authorisation instead of passwords.
Local logins are insecure in the way inexperienced users may alter the system by misconfiguring or deleting needed files.
Inexperienced roots are insecure, no matter how they log in, I think.
I meant why logging in as a user and THEN doing su is more secure than logging in directly as root.
I don't see why this should be better. Well, and if someone gets a user account on the server, there are more chances to get root by some missed local exploit or such. On servers, IMHO no user except root should have a valid password, remotely only SSH is possible without password authentication.

Security depends also on the needed protection. For someone this may be enough, someone else just wanted to do only console login with chip cards as authentication token.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
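Added example, not part of the original message: a small Python check of the policy suggested in the reply above (no account other than root with a usable password, SSH without password authentication). The shadow and sshd_config samples are constructed, and the function names are hypothetical.

```python
# Added example; SHADOW and SSHD_CONFIG are constructed samples, not a live system.
SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$constructedsalt$lockedhash:19000:0:99999:7:::
bob:$6$constructedsalt$anotherhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
SSHD_CONFIG = """\
PasswordAuthentication no
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
"""

def password_accounts(shadow_text):
    """Map user -> 'hash' or 'empty' for accounts able to log in by password."""
    usable = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            usable[user] = "empty"   # no password required at all
        elif not pw.startswith(("!", "*")):
            usable[user] = "hash"    # leading '!' or '*' means no password login
    return usable

def sshd_global(config_text):
    """Global sshd_config settings; sshd uses the first value per keyword."""
    settings = {}
    for line in config_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(parts[0].lower(), " ".join(parts[1:]))
    return settings

def audit(shadow_text, config_text):
    findings = [f"{user}: password login possible ({kind})"
                for user, kind in password_accounts(shadow_text).items()
                if user != "root"]
    # PasswordAuthentication defaults to yes when the keyword is absent
    if sshd_global(config_text).get("passwordauthentication", "yes") != "no":
        findings.append("sshd: PasswordAuthentication is not 'no'")
    return findings
```

On the constructed samples, `audit(SHADOW, SSHD_CONFIG)` reports bob and guest; the second `passwordauthentication` line is ignored because the first value wins.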