From: Arno on
jny0 <jny0(a)hotmail.com> wrote:
> I'm installing fedora12. I run the CD, which gives me the option to
> log-in as liver system user. I then lick on the Install to Hard Drive
> icon, which begins the installation procedure. After setting up a
> couple of settings (location, etc) I'm asked to enter a root
> password. I enter it, and continue the installation. Oncompletion, I
> restart the computer, and am prompted to set up a user account. I
> then log in with the user account, as this is the only option
> available. When I then try to login as root (through a terminal), I
> keep being told that there's authentication failure. I know the
> password is correct, and have gone though this process many time now.
> Any ideas?

Some people think that log-in as root is a security risk.

I have been active in the security field for quite some time,
and I still do not follow the reasoning behind this. In fact,
it strikes me as the wrong thing to do, because at least I
am far more careful with my root accounts than with the
user accounts and to create that mind-set reliably, I need
an original root log-in. I also believe allowing ssh
remote root log-in causes less risk than denying it and
going the su way.

That said, Fedore12 does not agree and forces you to
log in as user and then do a su.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno(a)wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
From: The Natural Philosopher on
Arno wrote:
> jny0 <jny0(a)hotmail.com> wrote:
>> I'm installing fedora12. I run the CD, which gives me the option to
>> log-in as liver system user. I then lick on the Install to Hard Drive
>> icon, which begins the installation procedure. After setting up a
>> couple of settings (location, etc) I'm asked to enter a root
>> password. I enter it, and continue the installation. Oncompletion, I
>> restart the computer, and am prompted to set up a user account. I
>> then log in with the user account, as this is the only option
>> available. When I then try to login as root (through a terminal), I
>> keep being told that there's authentication failure. I know the
>> password is correct, and have gone though this process many time now.
>> Any ideas?
>
> Some people think that log-in as root is a security risk.
>
> I have been active in the security field for quite some time,
> and I still do not follow the reasoning behind this. In fact,
> it strikes me as the wrong thing to do, because at least I
> am far more careful with my root accounts than with the
> user accounts and to create that mind-set reliably, I need
> an original root log-in. I also believe allowing ssh
> remote root log-in causes less risk than denying it and
> going the su way.
>
> That said, Fedore12 does not agree and forces you to
> log in as user and then do a su.
>
> Arno
I think the reasoning is that typouing su <command> is less likely to
destroy a system than someone who forgets they are root and types
something deeply destructive like rm -r * whilst in /etc when they
thought they were in /home/user/myjunk

From: Doug Freyburger on
The Natural Philosopher wrote:
> Arno wrote:
>
>> Some people think that log-in as root is a security risk.
>>
>> I have been active in the security field for quite some time,
>> and I still do not follow the reasoning behind this. In fact,
>> it strikes me as the wrong thing to do, because at least I

One reason is the encryption used during login sessions is stronger than
the encryption used to establish sessions. If you want to snif a
network and crack it you're more able to do so at the point of the
weaker encrypton.

It turns out this is a very weak argument. Most cracks are done using
bugs in programs than by cracking passwords. Sniffing password is the
*result* of cracking not the method of cracking much of the time.

>> am far more careful with my root accounts than with the
>> user accounts and to create that mind-set reliably, I need
>> an original root log-in. I also believe allowing ssh
>> remote root log-in causes less risk than denying it and
>> going the su way.
>>
>> That said, Fedore12 does not agree and forces you to
>> log in as user and then do a su.
>
> I think the reasoning is that typouing su <command> is less likely to
> destroy a system than someone who forgets they are root and types
> something deeply destructive like rm -r * whilst in /etc when they
> thought they were in /home/user/myjunk

It's a valid disagreement. I wonder if Arno's security work makes him
more cautious with a root session. I've seen a lot of folks login as
root because that's how they login and they damage their hosts all the
time. I've seen folks specifically chose to login as root as Arno
describes and do just fine. But like NP I have ended up prefering the
su route. For that matter doing sudo a command at a time when root is
absolutely needed is even more careful and less likely to damage the
system. It's also a pain in the butt to handle directories that have
resticted permissions.
From: Nico Kadel-Garcia on
On Jul 7, 5:03 pm, Doug Freyburger <dfrey...(a)yahoo.com> wrote:
> The Natural Philosopher wrote:
> > Arno wrote:
>
> >> Some people think that log-in as root is a security risk.
>
> >> I have been active in the security field for quite some time,
> >> and I still do not follow the reasoning behind this. In fact,
> >> it strikes me as the wrong thing to do, because at least I
>
> One reason is the encryption used during login sessions is stronger than
> the encryption used to establish sessions.  If you want to snif a
> network and crack it you're more able to do so at the point of the
> weaker encrypton.
>
> It turns out this is a very weak argument.  Most cracks are done using
> bugs in programs than by cracking passwords.  Sniffing password is the
> *result* of cracking not the method of cracking much of the time.
>
> >> am far more careful with my root accounts than with the
> >> user accounts and to create that mind-set reliably, I need
> >> an original root log-in. I also believe allowing ssh
> >> remote root log-in causes less risk than denying it and
> >> going the su way.
>
> >> That said, Fedore12 does not agree and forces you to
> >> log in as user and then do a su.
>
> > I think the reasoning is that typouing su <command> is less likely to
> > destroy a system than someone who forgets they are root and types
> > something deeply destructive like rm -r * whilst in /etc when they
> > thought they were in /home/user/myjunk
>
> It's a valid disagreement.  I wonder if Arno's security work makes him
> more cautious with a root session.  I've seen a lot of folks login as
> root because that's how they login and they damage their hosts all the
> time.  I've seen folks specifically chose to login as root as Arno
> describes and do just fine.  But like NP I have ended up prefering the
> su route.  For that matter doing sudo a command at a time when root is
> absolutely needed is even more careful and less likely to damage the
> system.  It's also a pain in the butt to handle directories that have
> resticted permissions.

It's like unloading a gun before handing it to someone else. It forces
people to take an extra step, one they have to think about, before
using a very powerful and hazardous tool.
From: Matt Giwer on
On 07/05/2010 10:55 AM, jny0 wrote:
> I'm installing fedora12. I run the CD, which gives me the option to
> log-in as liver system user. I then lick on the Install to Hard Drive
> icon, which begins the installation procedure. After setting up a
> couple of settings (location, etc) I'm asked to enter a root
> password. I enter it, and continue the installation. Oncompletion, I
> restart the computer, and am prompted to set up a user account. I
> then log in with the user account, as this is the only option
> available. When I then try to login as root (through a terminal), I
> keep being told that there's authentication failure. I know the
> password is correct, and have gone though this process many time now.
> Any ideas?

Remote login as root is a bad idea for security reasons.

It is also a bad idea for a distribution to prevent people from doing dumb
things.

Ignore it and su?

--
The Jews should stay where they are. It is the Palestinians
who should go back to where they came from.
-- The Iron Webmaster, 4280
http://www.giwersworld.org/antisem/ Antisemitism a10
Thu Jul 8 03:17:32 EDT 2010