From: Barney Cordoba
To: Chuck Robey, Ruben de Groot
Cc: current@freebsd.org
Date: Wed, 25 Mar 2009 04:25:19 -0700 (PDT)
Subject: Re: Telnet root login

--- On Wed, 3/25/09, Ruben de Groot wrote:

> From: Ruben de Groot
> Subject: Re: Telnet root login
> To: "Chuck Robey"
> Cc: barney_cordoba@yahoo.com, current@freebsd.org
> Date: Wednesday, March 25, 2009, 5:53 AM
>
> On Tue, Mar 24, 2009 at 08:56:28PM -0400, Chuck Robey typed:
> > Barney Cordoba wrote:
> > > How do you enable root telnet access in current? I remember having some
> > > issue with specifying pty/0 in ttys years ago in Linux but the right
> > > way to do it escapes me.
> >
> > I really wouldn't do that. If you have to get external root access, use ssh,
> > but if you haven't been broken into yourself, it's FAR more likely that you just
> > haven't seen it, than it hasn't happened. You don't want to allow folks into
> > your machine, there isn't any such thing as honor among those folks.
>
> Sound advice, but not an answer to his question.
> Barney, you have to make the network pseudo ttys secure, like:
>
> ttyp0 none network secure
>
> Ruben

Yes, the "it's not a good idea" is dependent on whatever other security you have in place. Having to log in twice to a test machine on a secure internal network is an unnecessary annoyance. The concept that every FreeBSD box in existence is publicly accessible is one of those ASSumptions that people should leave at the door.

Ruben, the method you cite no longer works in -current as they've changed things once again (which happens way too often when your CEOs are a bunch of bearded academics :) I'm not sure if it's the pty (the login terminal shows as pty/0 and no longer ttyp0), or if it's some PAM thing. It's rather annoying.

Such things as

pty/0 none network secure
pty0 none network secure

equally don't work. And I see no mention in any document as to how it would be achieved with the current

Barney
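
An added example, not part of the thread or of FreeBSD itself: a small audit of ttys-format text that lists the network lines marked secure, the setting Ruben's reply describes. The sample entries are constructed, the function names are hypothetical, and the parser covers only the line layout quoted above; it says nothing about the pty/0 naming reported for -current.

```python
import shlex

# Constructed sample in ttys(5) layout: name, getty command, type, flags.
SAMPLE_TTYS = """\
# name  getty                          type     flags
console none                           unknown  off secure
ttyv0   "/usr/libexec/getty Pc"        xterm    on  secure
ttyu0   "/usr/libexec/getty std.9600"  dialup   off secure
ttyp0   none                           network  secure
ttyp1   none                           network
ttyp2   none                           network  insecure
ttyp3   none                           network  secure insecure
"""


def parse_ttys(text):
    """Return one dict per entry: name, command, type, flags, secure."""
    entries = []
    for raw in text.splitlines():
        try:
            # shlex keeps the quoted getty command as one field and drops comments.
            fields = shlex.split(raw, comments=True)
        except ValueError:
            continue  # unbalanced quote: not a usable entry
        if len(fields) < 3:
            continue  # blank line, comment, or incomplete entry
        name, command, term_type, *flags = fields
        secure = False
        for flag in flags:  # assumption: when both appear, the later flag wins
            if flag == "secure":
                secure = True
            elif flag == "insecure":
                secure = False
        entries.append({"name": name, "command": command, "type": term_type,
                        "flags": flags, "secure": secure})
    return entries


def root_capable_network_ttys(entries):
    """Names of network-type lines on which root may log in directly."""
    return [e["name"] for e in entries if e["type"] == "network" and e["secure"]]


if __name__ == "__main__":
    for name in root_capable_network_ttys(parse_ttys(SAMPLE_TTYS)):
        print(f"{name}: network line marked secure (direct root login allowed)")
```

Pointing parse_ttys at the contents of a real /etc/ttys gives a quick inventory of which hosts have had this setting turned on.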