From: "Anthony Atkielski"
To: "Kutulu"
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Date: Thu, 8 Nov 2001 21:14:04 +0100

Can telnet be secured for guest accounts by specifying a shell that really isn't
a shell, e.g., a custom-written program that provides no shell-like command
access?

----- Original Message -----
From: "Kutulu"
To: "Anthony Atkielski"
Cc: "Giorgos Keramidas"
Sent: Thursday, November 08, 2001 16:23
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD

> On Thu, Nov 08, 2001 at 09:08:08AM +0100, Anthony Atkielski wrote:
> > Giorgos writes:
> >
> > > I let people login as normal users on my workstation
> > > from places like New Zealand, Australia or Canada ...
> >
> > Via telnet or SSH?
> >
> > Is there any danger in allowing telnet login of unprivileged users on a system,
> > apart from the possibility of compromise of the user's own account? That is,
>
> There is a danger in letting *any* users log into a system. There are typically
> many more ways to exploit programs if you have a local account and can execute
> commands, than if you were limited to what packets could get past the various
> levels of router/firewall/closed sockets that can drop remote traffic.
>
> It's also unfortunately the case that, quite often, admins
> tend to lag behind in fixing 'local exploit' problems because they tend not to
> trigger things like IDS or firewall systems, and don't get as much 'peer press'
> as remote exploits.
>
> This doesn't mean not to allow anyone on your machine ever, but it is a good
> argument against letting "everyone" on your machine, as in your anonymous
> guest account. And, of course, it means you will have to be that much more
> secure and vigilant with your system.
>
>
> --K
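
One shape the non-shell login program asked about above could take, as an added example that is not part of the original thread: a fixed menu matched by exact string comparison, with nothing handed to a shell or to exec. The command names and the 32-byte line limit are assumptions, and it covers only the command-access part of the question, not the telnet transport.

```c
/* Added example: a guest login "shell" that is not a shell.
 * Assumed to be installed as the guest account's login shell. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum action { ACT_NONE = -1, ACT_DATE, ACT_HELP, ACT_QUIT };
static const char *const menu[] = { "date", "help", "quit" };

/* Exact-match lookup: input is never parsed, expanded or passed to exec. */
enum action guest_lookup(const char *line)
{
    for (size_t i = 0; i < sizeof menu / sizeof menu[0]; i++)
        if (strcmp(line, menu[i]) == 0)
            return (enum action)i;
    return ACT_NONE;
}

/* Read one line: 1 on success, 0 on EOF, -1 if the line was too long
 * (the excess is drained so it cannot be read back as a second command). */
int guest_readline(FILE *in, char *buf, size_t len)
{
    if (fgets(buf, (int)len, in) == NULL)
        return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] != '\n' && !feof(in)) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        return -1;
    }
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    char buf[32];
    int r;
    time_t now;
    while (fputs("guest> ", stdout), fflush(stdout),
           (r = guest_readline(stdin, buf, sizeof buf)) != 0) {
        switch (r < 0 ? ACT_NONE : guest_lookup(buf)) {
        case ACT_DATE: now = time(NULL); fputs(ctime(&now), stdout); break;
        case ACT_HELP: puts("commands: date help quit"); break;
        case ACT_QUIT: return 0;
        default:       puts("unknown command"); break;
        }
    }
    return 0;
}
```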