From: Chris Kottaridis (chriskot@quietwind.net)
To: questions@freebsd.org
Date: Mon, 12 Mar 2007 09:41:12 -0700
Subject: Re: root login with telnetd
In-Reply-To: <20070310224946.K10353@chylonia.3miasto.net>

On Sat, 2007-03-10 at 22:52 +0100, Wojciech Puchar wrote:
> can it be set to make possible to login root to machine through telnet and
> without telneting to some user and then su -
> ?
>
> with sshd and rshd it can be set, with telnetd - no success.

My reasons for this being a bad idea aren't so much from concerns about attack from outside; it's more an issue of accountability.

When I ran a computing facility at a University we had some paid student assistance, as well as faculty, that were reasonably entitled to have the root password on various machines. Inevitably, the root password would find its way to some other student or some faculty member's assistant and they'd get on the machine and do something as root. In all cases they were trying to help, but in getting the features they were interested in to work, they unknowingly mucked something else up.

We did not allow any "frontline" root logins, so they had to sign in on one of the user accounts and then su to root. Of course su logs this in the log files. So, we would take a look at the log files to see which users had su'd about the time the problem started occurring and ask them what they had done, or were trying to do. A couple of times that particular user was out of town, and these machines weren't on the internet nor did they have a modem, so it was clear that user had given his account and root passwords to another person to work on their project while they were gone.

By the way, faculty were the worst offenders at this. Some of them consider SysAdmin below them and would hand those tasks off to some student, but that's a whole different discussion.

Anyway, there was never anything nefarious going on, but having root accesses logged in the log files was very helpful in allowing us to build a history of what might have been done on the machine, and who did it, to cause the failure. If you allow "front line" logins via telnet and friends you won't have that accountability, because you'll have no idea who it may have been that logged in, so you can't ask them what they might have been up to.
By the way, once everyone involved realized that we weren't going to take them out back and have some thugs beat them up for giving out the root passwords, everyone was very helpful and we got things fixed much faster than we would have if we had tried to blindly figure things out on our own.

By the way, restricting su to the wheel group is something I've always liked about the BSDs. Again, it helps with the accountability factor on a machine. I was flabbergasted when I first logged into a Linux box and created a user and then su'ed to root from that user without ever adding him to a "wheel" type group; I think Linux has a "root" group. This doesn't really apply to this topic that much, but it irks me so much that Linux allows just any old user to su, I just wanted to vent a little bit about it. Maybe they do it in a different way that I just haven't needed to figure out yet.

So, I would argue that you really don't want to allow "frontline" logins, not so much for security reasons as for accountability reasons.

Thanks
Chris Kottaridis (chriskot@quietwind.net)
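The accountability check Chris describes (look at which users su'd to root around the time a problem started) as an added example, not code from the post or from FreeBSD. The sample log lines are constructed here and assume syslog records of the form `su: <user> to <target> on <tty>` (with `BAD SU` prefixed on failed attempts), which is how FreeBSD's su(1) reports through syslog; the `login:` line is included only to show non-su records being skipped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not a real log); format assumed as described above.
SAMPLE_LOG = """\
Mar 12 08:55:02 creto su: chrisk to root on /dev/ttyp0
Mar 12 09:10:41 creto su: BAD SU jdoe to root on /dev/ttyp1
Mar 12 09:12:03 creto su: jdoe to root on /dev/ttyp1
Mar 12 09:40:17 creto login: ROOT LOGIN (root) ON ttyp2
Mar 12 11:02:55 creto su: asmith to operator on /dev/ttyp3
Mar 12 13:30:09 creto su: chrisk to root on /dev/ttyp0
"""

# syslog timestamp, host, then the su message; "BAD SU " marks a failed attempt.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: "
    r"(?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)$"
)

def parse_su_events(text, year=2007):
    """Return one dict per su record; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue  # not an su record (e.g. a login: line); skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "user": m["src"], "target": m["dst"],
                       "tty": m["tty"], "ok": m["bad"] is None})
    return events

def root_escalations_near(events, incident, window=timedelta(hours=1)):
    """Real users who successfully became root within +/- window of the incident."""
    lo, hi = incident - window, incident + window
    return sorted({e["user"] for e in events
                   if e["ok"] and e["target"] == "root" and lo <= e["time"] <= hi})

def failed_attempts(events):
    """(time, user) for every BAD SU record; worth a follow-up question too."""
    return [(e["time"], e["user"]) for e in events if not e["ok"]]

if __name__ == "__main__":
    evs = parse_su_events(SAMPLE_LOG)
    when = datetime(2007, 3, 12, 9, 30)  # constructed "problem started" time
    print("su to root around", when, "->", root_escalations_near(evs, when))
    print("failed su attempts:", failed_attempts(evs))
```

The `login:` line is the kind of record a "frontline" root login leaves: it names no real user, so there is nobody to ask.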