Date: Tue, 25 Jul 2000 16:41:03 +0200 (CEST)
From: Bart van Leeuwen <bart@ixori.demon.nl>
To: James Wyatt
Cc: Jean-Claude STAQUET, freebsd-security@freebsd.org
Subject: Re: allow access of root user

Uhm, telnetting in as a user and su-ing to root has exactly the same danger:
your password goes over the net in plaintext. If you want to prevent that,
consider using ssh instead.

Also note that when using rsh you prevent root from logging in for
interactive access, but an rsh -l root will still work.

To be honest, I never really saw the point of disallowing this except for
the simple good habit of never using the root account at all, and only
becoming superuser when you really really have to.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Tue, 25 Jul 2000, James Wyatt wrote:

> On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote:
> > How do you allow remote login on a freebsd system ?
> > I'm able to login as root on the freebsd console itself but not from
> > another machine.
>
> Warning: allowing root to directly log in via telnet is very risky. It
> exposes your root password to sniffing anywhere along the IP path,
> provides almost no trace of *who* logged in as root, and lets casual
> errors become more common. (folks get lazy about being root)
>
> That said: Root logins for telnetd and login are controlled by /etc/ttys
> (see 'man ttys') and adding 'secure' to the 'ttyp' lines (like the 'ttyv'
> lines) will allow root to login directly. Please try to avoid doing that!
>
> The traditional way to become root remotely is to log in as a 'normal'
> user with that user's password (usually in the suaccess or wheel groups)
> and use the 'su' command (see 'man su') to become root. Only users with
> both passwords are allowed to do 'powerful things'. The root password can
> still be sniffed, but only if whole sessions are sniffed and recorded.
> Simple password gatherers like Linsniffer won't work.
>
> Check out 'sudo' in the packages (or ports) tree. It is still vulnerable
> to linsniffer since the same password is used, but you can limit commands
> that run as root for the user to things like backups and shutdown scripts.
>
> Best way, IMHO, is to use ssh (or better yet, OpenSSH) to provide
> encrypted root logins. There is an option to allow root logins with it
> directly. This requires you to install OpenSSH (see ports tree) on the
> hosts you want to control and some kind of ssh client on the machine(s)
> you want to log in from. (There are several for Windows and Unix. If it's
> another FreeBSD machine, you can just use OpenSSH again.) If you consider
> using 'ssh2', read the license carefully.
>
> Sorry for a long reply to a short question, but you *really* need to
> balance your risks of password sniffing and the power of root access. If
> your hosts are next to each other on isolated switches, maybe root telnets
> are OK. If you are dialing up over quite a distance and are a good target
> for attacks, install OpenSSH or ssh.
>
> Hope this helps - Jy@
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message