Date:      Fri, 27 Jan 95 10:47:12 MST
From:      terry@cs.weber.edu (Terry Lambert)
To:        dlangley@crl.com (Doug Langley)
Cc:        questions@FreeBSD.org
Subject:   Re: su'ing to root
Message-ID:  <9501271747.AA29460@cs.weber.edu>
In-Reply-To: <199501270739.AA05198@crl8.crl.com> from "Doug Langley" at Jan 26, 95 11:39:53 pm

> 
> What needs to be changed before I can su to root over the net?

It should work now, as long as the user doing the su'ing is a member of
group wheel.

If you meant to allow root login via telnet, you must tag all of
the network pty's as "secure" in /etc/ttys.  This is a security risk,
so it is not done by default.

If you meant to allow root login via rlogin/rsh/rcp/etc., the vouchsafe
authentication for root is different than it is for other users.  You
must make the telnet change, *plus* you must add appropriate entries
to "root"'s .rhosts file (by default, "root"'s home directory is "/root",
not "/".  This can confuse things for you if you try this approach).

I am unsure whether root rlogin demands a root password in all cases or
not (as an additional security measure).  If so, this will require that you
modify ruserok() in libc and relink the daemons to make it happy.  Actually,
I hope it does not demand, but remember something about it doing it.  I
hope it does not, since there are several commercial remote backup
facilities that will fail in this environment.

It should be noted that almost any vouchsafe authentication (r-commands)
can be compromised unless you firewall your local net, specifically
port 53 for machines other than your gateway.


					Terry Lambert
					terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.
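
Added example, not part of the original message: a small sh audit for the two settings discussed above, network ptys tagged "secure" in /etc/ttys and entries in root's .rhosts. The function names, the pty name pattern, and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Assumption: a network pty is a ttys(5) line whose name looks like
# tty[p-sP-S]? or whose terminal type (third field) is "network".

secure_network_ttys() {
    # $1: ttys file to inspect (default /etc/ttys)
    # Prints the name of every network pty that carries the "secure" flag.
    awk '
    {
        gsub(/"[^"]*"/, "QUOTED")   # collapse a quoted getty command to one field
        sub(/#.*/, "")              # drop trailing comments
        if (NF < 3) next
        is_net = ($1 ~ /^tty[p-sP-S][0-9a-v]$/ || $3 == "network")
        if (!is_net) next
        for (i = 4; i <= NF; i++)
            if ($i == "secure") { print $1; break }
    }' "${1:-/etc/ttys}"
}

root_rhosts_entries() {
    # $1: root's .rhosts (default /root/.rhosts, the location named in the message)
    # Prints every active (non-blank, non-comment) trust entry.
    f="${1:-/root/.rhosts}"
    [ -f "$f" ] || return 0
    awk 'NF && $1 !~ /^#/' "$f"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
console	none	unknown	off secure
ttyv0	"/usr/libexec/getty Pc"	cons25	on secure
ttyp0	none	network
ttyp1	none	network secure   # root telnet allowed on this pty
ttyp2	none	network off insecure
EOF

echo "network ptys marked secure:"
secure_network_ttys "$sample"
```

Any name printed by `secure_network_ttys` is a pty on which root can log in directly over the network; an empty result matches the default described in the message.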