Having used webmin early on (when it stored passwords in plaintext on the filesystem, and other bad things) and considering that the default is not SSL encrypted, versus OpenSSH (and having spent some time talking with Marcus) I can't see anyone sane using webmin over ssh unless they truly refuse to learn the command line.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

----- Original Message -----
From: "Ralf Ronneburger" <ralf@ronneburger.de>
To: "suse-security" <suse-security@suse.com>
Sent: Wednesday, January 09, 2002 1:57 PM
Subject: Re: [suse-security] remote admin: ssh vs. webmin
Hi Matt,
No matter which way you choose - it'll never be completely secure as long as the box is on the internet. Make sure that you're logging into the right machine (you should know the RSA1 key fingerprint) and log in as a normal user, do as much as you can with this account and su to root if you have to. If you're giving some special user more privileges, then you can use root right away - a cracker will have enough privileges either way (manipulate config files, starting network services).
Best regards,
Ralf Ronneburger
Matt Hubbard wrote:
List,
I know that I shouldn't log in remotely as root via ssh, but how can I start/stop networking daemons or manipulate config files in the /etc without this level of access? Should I use something like webmin instead? Can I create a user that has write privileges in the /etc directory and should this user be capable of starting/stopping network daemons? Just looking for direction on this subject.
Thanks,
Matt Hubbard