Subject: root login with telnetd
From: Chris Kottaridis (chri...@quietwind.net)
Date: Mar 12, 2007 5:13:43 pm
On Sat, 2007-03-10 at 22:52 +0100, Wojciech Puchar wrote:
> can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ?
> with sshd and rshd it can be set, with telnetd - no success.
My reasons for this being a bad idea isn't so much from concerns about attack from outside, but it's more an issue of accountability.
When I ran a computing facility at a University we had some paid student assistance, as well as faculty, that were reasonably entitled to have the root password on various machines. Inevitably, the root password would find its way to some other student or some faculty member's assistant and they'd get on the machine and do something as root. In all cases they were trying to help, but in getting the features they were interested in getting to work, they unknowingly mucked something else up.
We did not allow any "frontline" root logins so they had to sign in on one of the user's accounts and then su to root. Of course su logs this in the log files. So, we would take a look at the log files to see which users had su'd about the time the problem started occurring to ask them what they had done, or were trying to do. A couple of times that particular user was out of town and these machines weren't on the internet nor did they have a modem, so it was clear that user had given his account and root passwords to another person to work on their project when they were gone. By the way, faculty were the worst offenders at this. Some of them consider SysAdmin below them and would hand those tasks off to some student, but that's a whole different discussion.
Anyway, there was never anything nefarious going on, but having root accesses logged in the log files was very helpful in allowing us to build a history of what might have been done on the machine, and who did it, to cause the failure. If you allow "front line" logins via telnet and friends you won't have that accountability, because you'll have no idea who it may have been that logged in, so you can't ask them what they might have been up to. By the way, once everyone involved realized that we weren't going to take them out back and have some thugs beat them up for giving out the root passwords, everyone was very helpful and we got things fixed much faster than we would have if we had tried to blindly figure things out on our own.
By the way, restricting su to the wheel group is something I've always liked about the BSDs. Again, it helps with the accountability factor on a machine. I was flabbergasted when I first logged into a Linux box and created a user and then su'ed to root from that user without ever adding him to a "wheel" type group; I think Linux has a "root" group. This doesn't really apply to this topic that much, but it irks me so much that Linux allows just any old user to su, I just wanted to vent a little bit about it. Maybe they do it in a different way that I just haven't needed to figure out yet.
So, I would argue that you really don't want to allow "frontline" logins not so much for security reasons as for accountability reasons.
Thanks,
Chris Kottaridis (chri...@quietwind.net)