From owner-freebsd-security Tue Jul 25 8:38: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2])
	by hub.freebsd.org (Postfix) with ESMTP id D698937B667
	for ; Tue, 25 Jul 2000 08:38:00 -0700 (PDT)
	(envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2584 bytes) by bsdie.rwsystems.net
	via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp
	(sender: ) id for ; Tue, 25 Jul 2000 10:32:21 -0500 (CDT)
	(Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 25 Jul 2000 10:32:20 -0500 (CDT)
From: James Wyatt
To: Bart van Leeuwen
Cc: Jean-Claude STAQUET , freebsd-security@freebsd.org
Subject: Re: allow access of root user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Bart van Leeuwen wrote:
> Uhm, telnetting in as a user and su-ing to root has exactly the same
> danger, your password goes over the net in plaintext.
> [ Echo of original recommendation of using ssh ]
>
> To be honest, I never really saw the point of disallowing this except for
> the simple good habit of never using the root account at all, and only
> becoming superuser when you really really have to.
>
> Bart van Leeuwen
> -----------------------------------------------------------
> mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
> -----------------------------------------------------------

Check out programs such as linsniffer. It catches telnet/ftp/pop passwords
and does not catch 'su'-ing passwords. It only listens for known password
areas in TCP sessions to allow it to hide on infected hosts. A sniffer to
catch 'su' passwords is a *lot* harder to make and remain undetected.

Using 'su' for root logins allows you to immediately exclude a suddenly
untrusted (i.e. fired) user without changing your root password(s).
Just remove them from the wheel group...

Using 'su' and 'host.allow' in /etc/login.conf, you can allow root access
from different locations without adding them to root's login.conf entry.
This one is a bit contrived, but if anyone ever needed it, it's possible.

Of course, users of sudo don't have sniffing protections, but most will
forget their root password anyway. (I did. (^_^) More reason for ssh.

I prefer ssh, but some folks can't use it. If you have a terminal server
at your POP and dial-in because your INet port is down or attacked, then
telnet is the only game. Secure that with switch ports and anti-spoofing
filters. Some folks don't want to (or can't) install ssh clients on the
machines they may have to connect from. Some don't know about cheap
Windows clients. Some don't mind using the broken Windows telnet client.

- Jy@
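
The wheel-group point in the message above lends itself to a routine check. The following is an added example, not part of the original message: a POSIX shell audit that lists accounts still in wheel that are not on an approved list. The file names, the approved-list format and all account names are constructed assumptions; accounts whose primary group is wheel are counted as members to be conservative.

```shell
#!/bin/sh
# Added example: audit which accounts can still 'su' to root through wheel.
# Inputs are files in group(5) and passwd(5) format plus a hypothetical
# approved list (one account name per line, '#' starts a comment line).

# wheel_members GROUP_FILE PASSWD_FILE -> sorted wheel members, one per line
wheel_members() {
    awk -F: -v groupfile="$1" '
        BEGIN {
            # Read the wheel entry: name:passwd:gid:member,member,...
            while ((getline line < groupfile) > 0) {
                split(line, f, ":")
                if (f[1] != "wheel") continue
                gid = f[3]
                n = split(f[4], m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
        }
        # passwd(5): field 4 is the primary GID; count it as membership too
        gid != "" && $1 !~ /^#/ && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$2" | sort -u
}

# unapproved_wheel GROUP_FILE PASSWD_FILE APPROVED_FILE
# Prints wheel members missing from the approved list. A missing or empty
# approved list reports every member (fails closed).
unapproved_wheel() {
    wheel_members "$1" "$2" | awk -v approved="$3" '
        BEGIN {
            while ((getline line < approved) > 0)
                if (line !~ /^#/ && line != "") ok[line] = 1
        }
        !($0 in ok)
    '
}

# make_sample DIR: write constructed sample files (not real accounts)
make_sample() {
    printf '%s\n' 'wheel:*:0:root,alice,mallory' 'staff:*:20:bob' > "$1/group"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
        'carol:*:1003:0:Carol:/home/carol:/bin/sh' \
        'mallory:*:1002:1002:Mallory:/home/mallory:/bin/sh' > "$1/passwd"
    printf '%s\n' '# accounts allowed to su to root' 'root' 'alice' > "$1/approved"
}

# Demo on the constructed sample
d=$(mktemp -d) && make_sample "$d" &&
    unapproved_wheel "$d/group" "$d/passwd" "$d/approved"
rm -rf "$d"
```

On a live system the first two arguments would be /etc/group and /etc/passwd; any name printed is an account to review or remove from wheel.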