Date:      Fri, 14 May 1999 22:32:14 -0700
From:      "Robert Sowders" <rsowders@usgs.gov>
To:        dmr@fc.edu, gunnar@pluto.sr.se, flygt@sr.se
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: problems with su command
Message-ID:  <s73ca478.067@usgs.gov>

I'll try to give you a more complete answer and a solution for the security
problems of remote root logins.

To enable root login from anywhere edit your /etc/ttys file like this:
ttyp0   none                    network on secure

SECURITY WARNING!!!!
The above instructions are not recommended for several security
reasons, the least of which is root passwords flying around the
network for anyone to sniff.

A saner way to do things is to install ssh and make sure your
/usr/local/etc/sshd_config file has the line
PermitRootLogin yes

This will give you encrypted logins and sessions.
Much safer and lots more way cool.

If you want to su root then you must be a member of the wheel group.
Edit /etc/group and include your login user name in the wheel group
like this:
wheel:*:0:root,your_name_here
Make sure there is no trailing comma.

While I'm on my security soap box, here are some good practices:
Never log in as root, especially remotely.  If you su root after you log in
then that fact is recorded in /var/log/messages.  If you never log in as
root then any lines in the message file indicating a root login will be
easy to spot.
If you log in as root all the time then you may be tempted to execute
programs as root, which can be a big problem at times.  Trojans come
to mind right off.
Remember, if you have to administer remotely use a secure shell like
ssh and while you're at it install tcp_wrappers and deny logins from
everywhere except your remote machine.

Necessity never made a good bargain.
Benjamin Franklin
1706-1790


>>> Gunnar Flygt <gunnar@pluto.sr.se> 5/14/99 9:38:19 AM >>>
On Fri, May 14, 1999 at 06:20:56PM +0200, David M. Redmond wrote:
>
> I have a question to which I cannot seem to find the answer anywhere...
>
> I have inherited a FreeBSD 2.1.0 (GENERIC) #0 UNIX box.  It has been
> running fine for a long time (since 1995).  The problem is that I can login
> as root on the server console, but nowhere else.  I cannot login as root
> through telnet nor can I login as another user and su to root.  It simply
> says Sorry.

You shouldn't log in as root directly with telnet! And to be able to su
to root when logged in as someone else, you have to put `someone else`
in the group wheel

Good luck!

>
> This would not be a problem except that since I have to do all root
> operations from the console, 1) I must be at the server and 2) I have to
> keep putting up with console messages that are displayed.
>
> If someone could tell me what permissions and/or configuration files need
> to be examined, I would be very appreciative.
>
> Thanks (in advance).
> Mr. D. M. Redmond
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
                           __o
regards, Gunnar       ---_ \<,_
email: flygt@sr.se ---- (_)/ (_)

