Fedora to (try to) remove setuid files for F15
Fedora to (try to) remove setuid files for F15
Posted Nov 8, 2010 9:25 UTC (Mon) by solardiz (guest, #35993)In reply to: Fedora to (try to) remove setuid files for F15 by dlang
Parent article: Fedora to (try to) remove setuid files for F15
It could be different criteria, but I've actually seen security compromises propagate from non-root to root due to use of su or sudo while also using the same non-root account for other purposes and/or logging in to it from more places.(*) I haven't seen any security compromises that I could attribute to SSH keypair reuse for root and non-root on the same target machine.
(*) I've also seen security compromises propagate from one server to another via scp/sftp/ssh invoked _from_ a server.
What specific major problem do you see with using the same SSH keypair for root and non-root on the same target system? I do see how using different keypairs - only with different and very strong private key passphrases - would potentially improve security a little bit if the "root keypair" is extremely rarely used. But that sounds like more of an exception than the typical case, especially when one has to co-administer many servers. There's simply no other sane choice than to accept some SSH keypair reuse. We typically opt to use one SSH keypair per person per target network or target project: