Why disable ssh login with root on a server if I only log in with keys, not password?

Sandal6823@sh.itjust.works to Linux@lemmy.ml · 1 year ago
On a server I have public key auth only for the root account. Is there any point in logging in with a different account?

WheelchairArtist@lemmy.world · 1 year ago
that’s why root owns my .bash* stuff

SavvyWolf@pawb.social · 1 year ago
I don’t think that actually works; the attacker could just remove .bashrc and create a new file with the same name.

2ndSkin@sh.itjust.works · 1 year ago
If the .bashrc is immutable, the attacker can’t remove it. That’s how it works.

SavvyWolf@pawb.social · 1 year ago
The home directory would need to be immutable, not bashrc.

2ndSkin@sh.itjust.works · 1 year ago
? It’s .bashrc, not bashrc, and .bashrc is in the home directory. If .bashrc is immutable, it can’t be removed from home.

SavvyWolf@pawb.social · 1 year ago
It’s the directory that needs to be writable to delete files, not the file itself. Although the immutable bit (if that’s what you’re talking about - I thought you meant unsetting the write bit) might change that, I’m not sure.

WheelchairArtist@lemmy.world · 1 year ago
you’re right. that’s something i wanted to look into. guess setfacl would do the trick?

Magiilaro@feddit.org · 1 year ago
“chattr +i” is what I use to make things immutable

Magiilaro@feddit.org · 1 year ago
I made a small mistake in my last post. It is “chattr +i” to make immutable and “chattr -i” to remove immutability. + sets an attribute and - removes the attribute
thanks
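
The disagreement in this thread turns on what actually controls deletion of a file such as .bashrc. As an added example (not posted by anyone in the thread), this sh audit function classifies a startup file from its directory's owner and mode, the sticky bit, and the immutable flag set by "chattr +i"; the function names and the scratch directory are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Can a non-root account swap out a
# startup file (e.g. a root-owned ~/.bashrc) by unlinking and recreating it?

# Pure decision: classify FLAGS DMODE DUID FUID
#   FLAGS  lsattr flag strings of the file and its directory, concatenated
#   DMODE  directory mode as printed by ls -l; DUID/FUID are numeric owners
classify() {
    flags=$1 dmode=$2 duid=$3 fuid=$4
    # chattr +i on the file blocks modify/delete/rename; on the directory it
    # blocks adding or removing entries.
    case $flags in *i*) echo immutable; return 0 ;; esac
    # Unlinking is governed by the directory, not by who owns the file.
    # A non-root directory owner can always chmod u+w and then unlink.
    [ "$duid" != 0 ] && { echo replaceable; return 0; }
    case $dmode in
        d????w*|d???????w*)   # group or other can write to the directory
            case $dmode in
                # sticky bit: only file owner, directory owner or root may unlink
                d????????[tT]*) [ "$fuid" = 0 ] && { echo locked; return 0; } ;;
            esac
            echo replaceable; return 0 ;;
    esac
    echo locked
}

# Gather the inputs for FILE from the filesystem and classify it.
startup_file_status() {
    file=$1
    dir=$(dirname -- "$file")
    # lsattr prints nothing on filesystems without attribute support.
    flags=$(lsattr -d -- "$file" "$dir" 2>/dev/null | cut -d' ' -f1 | tr -d '\n')
    # ls -ldn fields: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn -- "$dir");  dmode=$1 duid=$3
    set -- $(ls -ldn -- "$file"); fuid=$3
    classify "$flags" "$dmode" "$duid" "$fuid"
}

# Constructed demo: a read-only file inside a world-writable scratch directory.
demo=$(mktemp -d) && chmod 0777 "$demo" && : > "$demo/.bashrc" && chmod 0444 "$demo/.bashrc"
startup_file_status "$demo/.bashrc"   # replaceable: the file's own mode does not matter
rm -rf "$demo"
```

The check reads only classic mode bits and the immutable flag; ACLs and MAC policy (SELinux, AppArmor) are outside what it inspects.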