On Tue, 19 Jan 1999, Aaron Blair wrote:
> > On Mon Jan 18 1999 at 21:52, [EMAIL PROTECTED] wrote:
> >
> > > I was wondering, why it is that in redhat linux you cannot do a telnet
> > > login directly as root.  what would make it so that you cannot log in
> > > as root directly on telnet? I am very curious to see how this mechanism
> > > works, if anyone has any suggestions .. thanx in advance
> >
> > It's a security issue.  Any privileged login from anywhere other than
> > the local console is a high security risk.
> 
> What if you don't have local access to your own box?
> 
> > The way this should be done is to telnet in as an ordinary user, then
> > su to root from there.
> 
> How is that any more secure than logging in as root to begin with?
> 
> > It is possible to connect directly as root from a network connection
> > with ssh, but that's another issue.
> 
> 99% of system crackers never log in directly as root anyway. Rather they log
> in as a non-privileged user and go from there.
> 
> Don't get me wrong, I've always made it prudent to not log in as root
> directly, but I'm really curious as to why this would be such a bad thing?
> What is the major security risk in logging in directly or logging in as a
> non-privileged user and then su-ing?

Remember that the Internet is wide open for anyone who wants to look at
the packets transmitted, and that it doesn't take a lot of cpu power to
check out the initial login dialog and get your password.

Grabbing that same password from your su command takes a lot more cpu
power, but with standard PCs being what they are, still possible.

If you want some sort of security, I'd suggest ssh, that can also be used
for securing most other protocols that use cleartext passwords such as e.g.
pop-*.

-- 
Henrik Olsen,  Dawn Solutions I/S
URL=http://www.iaeste.dk/~henrik/
Get the rest there.
