Date: Fri, 27 Jan 95 10:47:12 MST
From: terry@cs.weber.edu (Terry Lambert)
To: dlangley@crl.com (Doug Langley)
Cc: questions@FreeBSD.org
Subject: Re: su'ing to root
Message-ID: <9501271747.AA29460@cs.weber.edu>
In-Reply-To: <199501270739.AA05198@crl8.crl.com> from "Doug Langley" at Jan 26, 95 11:39:53 pm

> > What needs to be changed before I can su to root over the net?

It should work now, as long as the user doing the su'ing is a member
of group wheel.

If you meant to allow root login via telnet, you must tag all of the
network pty's as "secure" in /etc/ttys.  This is a security risk, so
it is not done by default.

If you meant to allow root login via rlogin/rsh/rcp/etc., the vouchsafe
authentication for root is different than it is for other users.  You
must make the telnet change, *plus* you must add appropriate entries
to "root"'s .rhosts file (by default, "root"'s home directory is "/root",
not "/".  This can confuse things for you if you try this approach).

I am unsure whether root rlogin demands a root password in all cases
or not (as an additional security measure).  If so, this will require
that you modify ruserok() in libc and relink the daemons to make it
happy.  Actually, I hope it does not demand, but remember something
about it doing it.  I hope it does not, since there are several
commercial remote backup facilities that will fail in this environment.

It should be noted that almost any vouchsafe authentication (r-commands)
can be compromised unless you firewall your local net, specifically
port 53 for machines other than your gateway.

					Terry Lambert
					terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present
or previous employers.
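
An added example, not part of the message above or of FreeBSD itself: a small sh audit of the three settings the message names (network ptys tagged "secure" in /etc/ttys, membership of group wheel, and entries in root's .rhosts). The function names, the sample files and the rule used to recognise a network pty (type "network" or a ttyp0-style name) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the three settings named in the message above.

# Names of network ptys that a ttys file tags "secure".
# Assumption: a network pty has type "network" or a ttyp0-style name.
secure_network_ptys() {
    awk '{
        sub(/#.*/, "")              # strip comments
        gsub(/"[^"]*"/, "Q")        # quoted getty command -> one token
        if (NF < 3) next            # blank or incomplete entry
        net = ($3 == "network" || $1 ~ /^tty[p-sP-S][0-9a-v]$/)
        secure = 0
        for (i = 4; i <= NF; i++) if ($i == "secure") secure = 1
        if (net && secure) print $1
    }' "$1"
}

# Members of group wheel (the accounts allowed to su to root).
wheel_members() {
    awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }' "$1"
}

# Active (non-comment, non-blank) lines of .rhosts in root's home directory.
root_rhosts_entries() {
    [ -f "$1/.rhosts" ] || return 0
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.rhosts" || true
}

# Constructed sample files (not from a real system), so the audit runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ttys" <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty Pc"         cons25  on secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
ttyp0   none                            network
ttyp1   none                            network secure   # tagged secure
ttyp2   none                            network off
EOF
printf 'wheel:*:0:root,alice\noperator:*:5:root\n' > "$tmp/group"
mkdir "$tmp/root"
printf '# constructed entry\nbackup.example.org root\n' > "$tmp/root/.rhosts"

echo "secure network ptys: $(secure_network_ptys "$tmp/ttys" | tr '\n' ' ')"
echo "wheel members:       $(wheel_members "$tmp/group")"
echo "root .rhosts lines:  $(root_rhosts_entries "$tmp/root" | wc -l)"
```

On a real host the same functions take /etc/ttys, /etc/group and /root as their arguments; any name printed by the first one is a network pty on which root can log in directly.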