Date: Fri, 31 Aug 2001 13:37:49 +0200
From: Joerg Wunsch
To: Garrett Wollman
Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: why does telnetd run as root?
Message-ID: <20010831133749.H76749@ida.interface-business.de>
In-Reply-To: <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 02:17:23PM -0400
References: <20010830201102.O69247@ida.interface-business.de> <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu>

As Garrett Wollman wrote:

> < said:
>
> > But then, it's IMHO much safer to run telnetd as user
> > `daemon', and have login(1) allow user daemon to pass -h.
>
> Only works for cleartext password authentication.

Not really, but you're right, it doesn't work for SRA telnet. It
works for anything that can be handled by /usr/bin/login, i just tried
OPIE which does well.

Still, allowing this as an option seems useful to me. (If i want
encryption, i'll use ssh anyway. Telnet is only a fallback if no
encryption is available for whatever reason. It is very unlikely i'll
find a client that could do SRA telnet but could not do ssh.)

-- 
J"org Wunsch                                    Unix support engineer
joerg_wunsch@interface-systems.de       http://www.interface-systems.de/~j/