ahhh. good reasons. the only one i had thought of was the dictionary attack.
thanks.
On 16-Jun-99 Rich Derr scribbled:
> On Tue, Jun 15, 1999 at 04:59:33PM -0700, [EMAIL PROTECTED] wrote:
>> you can do it with redhat, it's just disabled by default for security.
>> which brings up the question...how much more secure is it? you can login as
>> <user> run "su -" and be root. sure you have to know two passwords instead
>> of one, but anybody doing that is probably cracking so the second isn't that
>> much harder.
> 
> 1. Two passwords > one even if the first one is easily obtained.
> 
> 2. If you have a secure logging setup you can know which user account
>    did the su.  Or you may not have su executable by users at all but
>    only sudo or another mechanism that logs more or restricts users.
>    (This is the best reason although the hardest to set up.)
> 
> 3. You may well not have su o+x but 710 or so where only admins are
>    in a wheel group allowed to su.  If those admins use good
>    passwords the root password becomes 96 bits strong instead of 48
>    as the first password is not so easily obtained.
> 
> 4. If root can login over telnet then you can run a dictionary
>    attack against root's password.  This will be slowed down
>    several orders of magnitude by any decent login program, but
>    it still leaves the opening.
> 
> 5. If root can login over telnet then root's password is going out
>    in clear text on the network, which any sensible admin would try
>    to avoid anyway, so why allow it?
> 
> Any distro allowing direct root network logins by telnet or ftp
> out of the box should be at best relegated straight to the desktop-
> only category.
> 
> -- 
> Rich Derr, sysadmin                   Have ssh, Will Telecommute
> Web Design Group   www.webdesigngroup.com   TEL: +1 312 951 6688
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]

----------------------------------
E-Mail: [EMAIL PROTECTED]
Date: 15-Jun-99
Time: 17:52:47

This message was sent by XFMail
----------------------------------
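As an added example (not code from this thread or from any distro), here is a small POSIX sh audit for the checks Rich lists in points 2 to 5: su not o+x but executable only by root and a wheel-style admin group, and root unable to log in on the pseudo-terminals that telnet and rlogin sessions use. Function names are hypothetical and the securetty sample is constructed.

```shell
#!/bin/sh
# Hypothetical audit helpers (example code, not from the thread).

# su_restricted MODE GROUP [ADMIN_GROUP]
# Returns 0 when an su binary with octal MODE (e.g. 4710) and owning GROUP
# is executable by root and ADMIN_GROUP (default: wheel) but not by "other".
su_restricted() {
    mode=$1
    group=$2
    admin=${3:-wheel}
    other=${mode#"${mode%?}"}                  # last octal digit: "other" bits
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                    # middle digit: group bits
    case $other in 1|3|5|7) return 1 ;; esac   # o+x: any user can run su
    case $grp in 1|3|5|7) ;; *) return 1 ;; esac   # admins must keep g+x
    [ "$group" = "$admin" ]
}

# root_allowed_on_pty SECURETTY_FILE
# Returns 0 when root may log in on a pseudo-terminal (telnet/rlogin sessions
# arrive on ttyp* or pts/*). A missing securetty file means login(1) allows
# root on any tty, so that also returns 0.
root_allowed_on_pty() {
    [ -f "$1" ] || return 0
    grep -Eq '^[[:space:]]*(ttyp|pts/)' "$1"
}

# Demo on constructed data only; nothing here touches the real system.
tmp=$(mktemp)
printf 'console\ntty1\ntty2\nttyp0\n' > "$tmp"   # constructed /etc/securetty
if su_restricted 4710 wheel; then
    echo "su 4710 root:wheel: restricted to wheel"
fi
if ! su_restricted 4755 root; then
    echo "su 4755 root:root: any user can run su"
fi
if root_allowed_on_pty "$tmp"; then
    echo "securetty lists ttyp0: root may log in over the network"
fi
rm -f "$tmp"
```

Run it against the real system with `stat -c '%a %G' /bin/su` and `/etc/securetty` as inputs; the functions themselves never modify anything.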