Date: Thu, 12 Mar 1998 08:40:58 -0800 (PST)
From: Brian Beattie
To: Leif Neland
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: How do you assign the ROOT user to be able to access via TELNET?
In-Reply-To: <634_9803120015@swimsuit.swimsuit.roskildebc.dk>

On 11 Mar 1998, Leif Neland wrote:

> At 11 Mar 98 10:28:26 Greg Lehey wrote regarding Re: How do you assign the ROOT
> user to be able to access via TELNET?
>
> GL> You log in as yourself, and then use su to become root. All
> GL> else is such an enormous security hole that you don't even want
> GL> to think about it.
>
> Why, really?
>
> What's the difference between getting the root password sniffed at
> login, and when su'ing? Other than the sniffer probably needs to sniff both your
> normal password, and the root password, if he doesn't have one himself and is
> in group wheel.

There are a number of reasons for not logging in as root. I'm not sure any
single one is compelling. Protection from sniffing is not one of them. One
is that it then requires the hacker to guess/steal two passwords. Another is
that it provides a better trail to determine who made changes to the system
if the fault was unintentional, or you have secure logs. A final one is that
it encourages using "least privilege", i.e. using the least amount of "force"
required to get the job done. I'm sure I could come up with others but the
bottom line is that it is good practice for various reasons.

Note that if I can sniff packets from your network, and passwords are in the
clear, I very likely have complete access to every host on that network.

Brian Beattie
Atlas PrePaid Services
Brian_Beattie@atlas.com
503.228.1400x4355