From owner-freebsd-questions Fri Jan 27 09:53:14 1995
Return-Path: questions-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id JAA23514 for questions-outgoing; Fri, 27 Jan 1995 09:53:14 -0800
Received: from cs.weber.edu (cs.weber.edu [137.190.16.16]) by freefall.cdrom.com (8.6.9/8.6.6) with SMTP id JAA23508 for ; Fri, 27 Jan 1995 09:53:10 -0800
Received: by cs.weber.edu (4.1/SMI-4.1.1) id AA29460; Fri, 27 Jan 95 10:47:12 MST
From: terry@cs.weber.edu (Terry Lambert)
Message-Id: <9501271747.AA29460@cs.weber.edu>
Subject: Re: su'ing to root
To: dlangley@crl.com (Doug Langley)
Date: Fri, 27 Jan 95 10:47:12 MST
Cc: questions@FreeBSD.org
In-Reply-To: <199501270739.AA05198@crl8.crl.com> from "Doug Langley" at Jan 26, 95 11:39:53 pm
X-Mailer: ELM [version 2.4dev PL52]
Sender: questions-owner@FreeBSD.org
Precedence: bulk

> > What needs to be changed before I can su to root over the net?

It should work now, as long as the user doing the su'ing is a member of group wheel.

If you meant to allow root login via telnet, you must tag all of the network pty's as "secure" in /etc/ttys. This is a security risk, so it is not done by default.

If you meant to allow root login via rlogin/rsh/rcp/etc., the vouchsafe authentication for root is different than it is for other users. You must make the telnet change, *plus* you must add appropriate entries to "root"'s .rhosts file (by default, "root"'s home directory is "/root", not "/". This can confuse things for you if you try this approach).

I am unsure whether root rlogin demands a root password in all cases or not (as an additional security measure). If so, this will require that you modify ruserok() in libc and relink the daemons to make it happy. Actually, I hope it does not demand, but remember something about it doing it. I hope it does not, since there are several commercial remote backup facilities that will fail in this environment.

It should be noted that almost any vouchsafe authentication (r-commands) can be compromised unless you firewall your local net, specifically port 53 for machines other than your gateway.

Terry Lambert
terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present or previous employers.
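The two settings the reply describes (wheel membership for su, and the "secure" flag on network pty entries in /etc/ttys) can be audited from the shell. The script below is an added example, not part of the original message; it assumes the classic ttys(5) layout "name getty type status [secure]" and a group(5)-format file, and the sample data it runs on is constructed, not taken from a real system.

```shell
#!/bin/sh
# Audit helpers for the two root-login settings discussed above (added example).
# Both take a file path so they can be run against a copy of /etc/ttys or
# /etc/group as easily as against the live files.

# Print pseudo-terminal names (ttyp*, ttyq*, ttyr*, ttys* and their upper-case
# forms) whose /etc/ttys entry carries the "secure" flag, i.e. terminals on
# which a direct root login over the network would be permitted.
# Assumed format: "name getty type status [secure]" per line, '#' comments.
ttys_secure_ptys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        $1 ~ /^tty[p-sP-S]/ {                       # pseudo-terminal names only
            for (i = 2; i <= NF; i++)
                if ($i == "secure") { print $1; break }
        }' "$1"
}

# Exit 0 if USER appears in the member list of the "wheel" line of a
# group(5)-format file, 1 otherwise (su to root requires this membership).
user_in_wheel() {
    user=$1; groupfile=$2
    awk -F: -v u="$user" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$groupfile"
}

# Demonstration on a constructed ttys file: only ttyp1 should be reported,
# since ttyv0 is a console (not a pty) and ttyp0/ttyq0 lack the flag.
demo() {
    tmp=$(mktemp) || exit 1
    cat >"$tmp" <<'EOF'
# name  getty                      type    status  comments
console none                       unknown off     secure
ttyv0   "/usr/libexec/getty Pc"    cons25  on      secure
ttyp0   none                       network
ttyp1   none                       network         secure
ttyq0   none                       network
EOF
    ttys_secure_ptys "$tmp"
    rm -f "$tmp"
}

demo
```

An empty result from ttys_secure_ptys is the default (and safer) state the reply refers to; any name it prints is a pty on which root may log in directly.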