On Tue, Jun 15, 1999 at 04:59:33PM -0700, [EMAIL PROTECTED] wrote:
> You can do it with Red Hat; it's just disabled by default for security.
> Which brings up the question: how much more secure is it? You can log in as
> <user>, run "su -" and be root. Sure, you have to know two passwords instead of
> one, but anybody doing that is probably cracking, so the second isn't that much
> harder.
1. Two passwords > one even if the first one is easily obtained.
2. If you have a secure logging setup you can know which user account
did the su. Or you may not have su executable by users at all but
only sudo or another mechanism that logs more or restricts users.
(This is the best reason although the hardest to set up.)
3. You may well not have su o+x but 710 or so where only admins are
in a wheel group allowed to su. If those admins use good
passwords the root password becomes 96 bits strong instead of 48
as the first password is not so easily obtained.
4. If root can login over telnet then you can run a dictionary
attack against root's password. This will be slowed down
several orders of magnitude by any decent login program, but
it still leaves the opening.
5. If root can login over telnet then root's password is going out
in clear text on the network, which any sensible admin would try
to avoid anyway, so why allow it?
Any distro allowing direct root network logins by telnet or ftp
out of the box should be at best relegated straight to the desktop-
only category.
--
Rich Derr, sysadmin Have ssh, Will Telecommute
Web Design Group www.webdesigngroup.com TEL: +1 312 951 6688
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
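Added example, not part of the original message or of any distribution's own tooling: a small POSIX sh audit that checks a host for the three practices the reply above recommends (su not executable by "other", root login allowed only on real consoles rather than the pseudo-ttys telnetd hands out, and su gated on the wheel group). It assumes a Linux-style layout under the directory given as its argument (bin/su, etc/securetty, etc/pam.d/su) and that the wheel restriction is expressed as the usual pam_wheel.so line; the fixture files it builds are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not from the original thread). Usage: sh su_audit.sh [root_dir]
# root_dir defaults to "/" (the running host); point it at a fixture tree to test.

# 1. su should be 4710 root:wheel, not 4755: no execute bit for "other".
#    find ... -prune limits the match to the file itself; -perm -o=x is POSIX.
su_world_executable() {
    [ -n "$(find "$1" -prune -perm -o=x 2>/dev/null)" ]
}

# 2. /etc/securetty lists the ttys on which root may log in directly.
#    Pseudo-ttys (pts/N, ttypN, ttyqN) are what telnetd allocates, so any of
#    them in the list lets root log in over the network in clear text.
securetty_allows_network() {
    grep -Eq '^(pts/|ttyp|ttyq)' "$1" 2>/dev/null
}

# 3. pam_wheel restricts su to members of group wheel. Assumed form of the line:
#        auth required pam_wheel.so use_uid
#    (a full module path such as /lib/security/pam_wheel.so is also accepted;
#    commented-out lines are not).
pam_su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' \
        "$1" 2>/dev/null
}

# Run all three checks under a root directory, print each finding, and
# return the number of findings (0 means clean).
audit_host() {
    root=${1:-/}
    findings=0
    if su_world_executable "$root/bin/su"; then
        echo "FINDING: $root/bin/su is executable by everyone (want 4710 root:wheel)"
        findings=$((findings + 1))
    fi
    if securetty_allows_network "$root/etc/securetty"; then
        echo "FINDING: $root/etc/securetty permits root login on pseudo-ttys (telnet)"
        findings=$((findings + 1))
    fi
    if ! pam_su_requires_wheel "$root/etc/pam.d/su"; then
        echo "FINDING: $root/etc/pam.d/su does not require pam_wheel; any user may try su"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed fixture trees (not real system files) so the checks can be
# exercised offline: $1 = directory, $2 = "weak" or "hardened".
make_fixture() {
    mkdir -p "$1/bin" "$1/etc/pam.d"
    printf '#!/bin/sh\n' > "$1/bin/su"
    if [ "$2" = weak ]; then
        chmod 755 "$1/bin/su"                      # world-executable su
        printf 'tty1\ntty2\npts/0\npts/1\n' > "$1/etc/securetty"   # root over telnet ok
        printf 'auth sufficient pam_rootok.so\nauth required pam_unix.so\n' \
            > "$1/etc/pam.d/su"                    # no wheel gate
    else
        chmod 710 "$1/bin/su"                      # group (wheel) only
        printf 'tty1\ntty2\n' > "$1/etc/securetty" # consoles only
        printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\nauth required pam_unix.so\n' \
            > "$1/etc/pam.d/su"
    fi
}
```

On a live host run `sh su_audit.sh` as root and fix each finding in turn: `chgrp wheel /bin/su; chmod 4710 /bin/su`, remove the pseudo-tty lines from /etc/securetty, and enable the pam_wheel line in /etc/pam.d/su. The checks only look at configuration; they do not verify that su attempts are actually reaching syslog, which is the logging point the message makes and which depends on the syslog configuration rather than on these files.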