[10246] in bugtraq
Re: RH Linux telnet problems
daemon@ATHENA.MIT.EDU (Jamie Lawrence)
Fri Apr 16 16:40:27 1999
Date: Thu, 15 Apr 1999 16:27:33 -0700
Reply-To: Jamie Lawrence <jal@THIRDAGE.COM>
From: Jamie Lawrence <jal@THIRDAGE.COM>
X-To: Rui Ribeiro <ruka@MY-DEJANEWS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <KOFFINHPJKKLBAAA@my-dejanews.com>

At 03:30 AM 4/15/99 -0800, Rui Ribeiro wrote:
>Today, when trying to log into a machine, I mistakenly used telnet over ssh.
>True, the RH 5.2 box is configured for not allowing root login. The only
>problem is that it still asks for the password after learning root is
>logging in. It denied access only after the password was introduced.
>
>It should issue an error and not ask for the password, since otherwise it's
>defeating the whole purpose of denying root telnet access. The purpose, of
>course, is preventing the raw transmission over the communication media.

Sniffing the wire is only part of the reason for disallowing
root login.

Other good reasons to make a user authenticate as a non-privileged
user first:

- Prevent remote brute force attacks on the root password
- Provide more of an audit trail to attempted root logins
- Require two password compromises instead of one.

I agree, though, that not asking for the password would be better.
I don't know of a telnet daemon that does this, however.

-j