[10245] in bugtraq
Re: RH Linux telnet problems
daemon@ATHENA.MIT.EDU (Dalvenjah FoxFire)
Fri Apr 16 16:40:25 1999
Date: Thu, 15 Apr 1999 12:31:11 -0700
Reply-To: Dalvenjah FoxFire <dalvenjah@DAL.NET>
From: Dalvenjah FoxFire <dalvenjah@DAL.NET>
X-To: Rui Ribeiro <ruka@my-dejanews.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <KOFFINHPJKKLBAAA@my-dejanews.com>; from Rui Ribeiro on Thu, Apr 15, 1999 at 03:30:02AM -0800
On Thu, Apr 15, 1999 at 03:30:02AM -0800, Rui Ribeiro put this into my mailbox:
> Today, when trying to log into a machine, I mistakenly used telnet over
> ssh. True, the RH 5.2 box is configured not to allow root login. The
> only problem is that it still asks for the password after learning root
> is logging in. It denied access only after the password was introduced.
>
> It should issue an error and not ask for the password, since otherwise
> it's defeating the whole purpose of denying root telnet access. The
> purpose, of course, is preventing the raw transmission over the
> communication media.
No, the purpose is to prevent someone who has the root password but not
a normal account password from logging into the machine as root directly.
While it's not a great layer of security, it does mean that the cracker
has to sniff/crack two passwords instead of just one to gain root access.
This is the same reason that most sane '/bin/su' programs require the
person doing '/bin/su -' to root to be in the 'root' or 'wheel' group.
These sorts of restrictions were in place long before ssh or kerberos were
released.
-dalvenjah
--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
e-mail: dalvenjah@dal.net
WWW: http://www.dal.net/~dalvenjah/
whois: SN90
Try DALnet! http://www.dal.net/
"Command new weapons like dragons, griffins, and eleven [sic] archers."
-MacMall WarCraft II ad
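As an added example that is not part of the original thread: a small POSIX shell audit of the two restrictions dalvenjah describes on a classic Linux box. It assumes the usual mechanisms behind them, pam_securetty reading /etc/securetty for login and pam_wheel in /etc/pam.d/su; the function names and file paths are assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the original thread). Audit helpers for:
#   1. "su to root requires wheel group" -> pam_wheel.so in /etc/pam.d/su
#   2. "no direct root login over the network" -> /etc/securetty lists only
#      console/virtual ttys, never pseudo-ttys used by telnet sessions.
# File contents are read from stdin so the checks work on a live host or on
# saved copies of the files.

# Returns 0 when the su PAM stack on stdin has an active (uncommented)
# pam_wheel.so line enforced with "required" or "requisite". A "sufficient"
# pam_wheel line (the trust-the-wheel-group variant) does not restrict anyone.
su_requires_wheel() {
    grep -v '^[[:space:]]*#' |
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_wheel\.so' >/dev/null
}

# Returns 0 when the securetty list on stdin names pseudo-terminals
# (pts/N or ttypN), which would let root log in directly over telnet.
securetty_allows_network() {
    grep -v '^[[:space:]]*#' |
    grep -E '^[[:space:]]*(pts/[0-9]+|ttyp[0-9a-f]+)[[:space:]]*$' >/dev/null
}

# Reads the real files on this host and reports; exit status 0 only when
# both restrictions are in place. A missing /etc/securetty is reported as a
# finding because pam_securetty then has nothing to restrict root with.
audit_host() {
    status=0
    if [ -r /etc/pam.d/su ] && su_requires_wheel </etc/pam.d/su; then
        echo "su: restricted to the wheel group (pam_wheel required)"
    else
        echo "su: NOT restricted to the wheel group"; status=1
    fi
    if [ -r /etc/securetty ] && ! securetty_allows_network </etc/securetty; then
        echo "securetty: root limited to console/virtual ttys"
    else
        echo "securetty: missing, or allows root on network pseudo-ttys"; status=1
    fi
    return $status
}

# Run the live audit only when explicitly asked: ./audit.sh --audit
case "${1:-}" in
    --audit) audit_host ;;
esac
```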