[e-smith-devinfo] root / shell access
I am running the latest version of the server (v5) but can't seem to access the shell like I could in v4 by telnet. Telnet IS enabled and I can login as admin but not root!

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org

Re: [e-smith-devinfo] root / shell access
On Tue, Oct 09, 2001 at 07:55:41PM -0400, [EMAIL PROTECTED] wrote:
> I am running the latest version of the server (v5) but can't seem to access
> the shell like I could in v4 by telnet. Telnet IS enabled and I can login as
> admin but not root!

Because telnet is *incredibly* insecure (since it transmits passwords in the clear), we STRONGLY discourage people from using it and have been stating that for quite some time. In the User Manual, we state this underneath:

http://www.e-smith.org/docs/manual/5.0/admin-remoteaccess.html#telnet

We strongly encourage everyone to use ssh, as it is functionally equivalent to telnet, and is actually secure. Windows ssh clients are available:

http://www.e-smith.org/docs/manual/5.0/admin-remoteaccess.html#ssh

Regards,
Dan

--
Dan York, Director of Training, Network Server Solutions Group
Mitel Networks Corporation [EMAIL PROTECTED]
Ph: +1-613-751-4401 Cell: +1-613-263-4312 Fax: +1-613-564-7739
150 Metcalfe Street, Suite 1500, Ottawa,ON K2P 1P1 Canada
http://www.e-smith.com/ http://www.mitel.com/sme/

RE: [e-smith-devinfo] root / shell access
With respect to Mitel cautions as to insecurity of telnet, and assuming you've used the web manager to otherwise enable remote access:

    /sbin/e-smith/db configuration setprop telnet PermitRootLogin yes
    /sbin/e-smith/signal-event remoteaccess-update

Scott

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 09, 2001 7:56 PM
> To: [EMAIL PROTECTED]
> Subject: [e-smith-devinfo] root / shell access
>
> I am running the latest version of the server (v5) but can't seem to access
> the shell like I could in v4 by telnet. Telnet IS enabled and I can login as
> admin but not root!

Re: [e-smith-devinfo] root / shell access
Probably (make that definitely) a better approach is leave the config alone, telnet in as admin and "su -" to root.

The best approach, of course, is to use SSH, not telnet.

Neither of those involve major compromises to security or any change to the config.

Just a suggestion.

JP

----- Original Message -----
From: "Smith, Jeffery S (Scott)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, October 10, 2001 9:33 AM
Subject: RE: [e-smith-devinfo] root / shell access

> With respect to Mitel cautions as to insecurity of telnet, and assuming
> you've used the web manager to otherwise enable remote access:
>
>     /sbin/e-smith/db configuration setprop telnet PermitRootLogin yes
>     /sbin/e-smith/signal-event remoteaccess-update
>
> Scott
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 09, 2001 7:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: [e-smith-devinfo] root / shell access
> >
> > I am running the latest version of the server (v5) but cant
> > seem to access the shell like I could in v4 by telnet. Telnet IS
> > enabled and I can login as admin but not root!

RE: [e-smith-devinfo] root / shell access
> -----Original Message-----
> From: John Powell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 10, 2001 12:34 PM
> Subject: Re: [e-smith-devinfo] root / shell access

> Probably (make that definitely) a better approach is leave
> the config alone,

The stated approach does not modify the config in any non-standard way. It simply sets a property that was removed from the web manager. From a system integrity perspective, nothing untoward is done.

> telnet in as admin and "su -" to root.

Have you ever telneted into the server as admin? You get the admin console, not the command line. It would be pretty tough to su to anything from there.

> The best approach, of course, is to use SSH, not telnet.

Reminds me of the old "GOTO is evil" argument. Pretty tough to program most popular processors without GOTO -- usually referred to as a JUMP in most assembly mnemonics :-) The GOTO in and of itself is not bad -- it is the misuse of GOTO, which is an easy thing to do, that is bad. Similarly, not all telnet access is bad. Prone to be bad, yes, but inherently and inescapably bad, no.

> Neither of those involve major compromises to security or any
> change to the config.

Except that one won't work, and the other has issues of its own. Not the least of which is that most SSH clients are pretty lame when compared to their more mature telnet cousins.

Machines don't think, people do. It should be the option and responsibility of the local admin to determine if the security risks of telnet -- or any other arguably risky service or protocol or practice -- are worth the rewards.

IMHO

Scott

Re: [e-smith-devinfo] root / shell access
I do not want to start a major debate on the topic.

You are correct, I forgot about the admin console thing. You can enable a user as having shell access and su from there.

The dangers of enabling root from telnet that I can think of are this:

- easier for someone sniffing on your network to look for root logins and capture the password. Yes, they could look for "su", but that is a little bit more obscure. This is also a reason to go for SSH.
- Someone trying to guess their way in is likely to start by attempting to crack their way in by trying to telnet in as root. This is an unsophisticated attack for sure, but those are the first tried. Not allowing root to telnet in adds another obscurity layer.

Before you get into the "Security by obscurity" argument, I agree this is not a good primary line of defense, but it is a decent secondary line of defense.

As far as SSH clients, I use SecureCRT when coming in from a Windows box. I love it. Others have high praise for Putty, haven't used it personally though. I am not sure what super-advanced Telnet clients you are referring to, but I find it hard to grasp what they have over SecureCRT and other solid SSH clients.

Basically, no matter how advanced you are as a user, opening up telnet to root is widely considered a bad idea and your skills are not going to stop anyone from exploiting your network if they get root. I don't even allow root directly in via SSH, but require su there too.

Bottom line, I respectfully disagree with your premise that allowing telnet in directly as root is a good idea, particularly if it is on an external interface or if your internal network is not 100% physically secure.

If you would like to continue this thread, we should probably take it off-list. I would prefer to just agree to disagree and leave it at that.

JP

Re: [e-smith-devinfo] root / shell access
On Wed, Oct 10, 2001 at 11:34:08AM -0500, John Powell wrote:
> Probably (make that definitely) a better approach is leave the config alone,
> telnet in as admin and "su -" to root.

While others have pointed out that you cannot telnet in as admin and get to a shell, he does raise another option. Telnet in as *another user* and then su to root. This gets around the issue of telnetting in directly as root, BUT, when you type in the root password (to su), you are, of course, transmitting that password in the clear.

(Note that all user accounts other than admin and root cannot login to the SME Server. You need to (as root) issue the command "chsh -s /bin/bash username" to enable "username" to login to the server. Having said that, I would strongly suggest that you limit shell access to very trusted users.)

> The best approach, of course, is to use SSH, not telnet.

Absolutely. My favorite in the Windows world has been TTSSH. You first install TeraTermPro (which is free) and then you unzip the TTSSH distribution and drop it into the Tera Term Pro folder. Execute ttssh.exe and you are in. Works great.

I have used Putty as well and it has worked fine for me as well.

My 2 cents,
Dan

--
Dan York, Director of Training, Network Server Solutions Group
Mitel Networks Corporation [EMAIL PROTECTED]
Ph: +1-613-751-4401 Cell: +1-613-263-4312 Fax: +1-613-564-7739
150 Metcalfe Street, Suite 1500, Ottawa,ON K2P 1P1 Canada
http://www.e-smith.com/ http://www.mitel.com/sme/

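Added example (not part of any post in this thread, and not e-smith project code): the message above notes that "chsh -s /bin/bash username" is what gives an account a login, and that shell access should be limited to very trusted users. One way to review that is to list the accounts whose login shell is a real shell, treating an empty shell field as /bin/sh and flagging UID 0. The account names, the shells list and the console path in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: list accounts that can obtain an interactive shell.

# shell_accounts PASSWD SHELLS
#   PASSWD: passwd(5)-format file
#   SHELLS: file with one valid login shell path per line
shell_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {                 # first file: allowed shells
            if ($0 !~ /^[ \t]*(#|$)/) ok[$0] = 1
            next
        }
        /^[ \t]*(#|$)/ || NF < 7 { next }     # skip comments, blanks, short lines
        {
            # passwd(5): an empty shell field means /bin/sh
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell ~ /\/(nologin|false)$/) next
            if (shell in ok)
                printf "%s uid=%s shell=%s%s\n", $1, $3, shell,
                       ($3 == 0 ? " ROOT-EQUIVALENT" : "")
        }
    ' "$2" "$1"
}

# audit_sample: run the check over constructed sample data.
audit_sample() {
    dir=$(mktemp -d) || return 1
    # Constructed passwd entries; the admin console path is a placeholder.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Administrator:/home/admin:/usr/local/sbin/example-console
alice:x:5001:5001:Alice:/home/alice:/bin/false
bob:x:5002:5002:Bob:/home/bob:/bin/bash
carol:x:5003:5003:Carol:/home/carol:
toor:x:0:0:second uid 0 account:/root:/bin/sh
EOF
    # Constructed list of shells considered interactive.
    cat > "$dir/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/bash
EOF
    shell_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

audit_sample
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells; any name in the output that is not on the list of trusted users is worth a second look.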
RE: [e-smith-devinfo] root / shell access
> -----Original Message-----
> From: John Powell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 10, 2001 1:10 PM
> Subject: Re: [e-smith-devinfo] root / shell access

> I do not want to start a major debate on the topic.

Nor do I, for there is no one correct conclusion.

> Bottom line, I respectfully disagree with your premise that
> allowing telnet in directly as root is a good idea, particularly
> if it is on an external interface or if your internal network is
> not 100% physically secure.

I did not express an opinion that root access via telnet is always a good idea. Quite to the contrary, I stated that the unqualified categorization of root telnet access as a bad thing is itself a bad thing. The position that secured access methods are generally preferable to unsecured is of course reasonable -- it is the assertion that unsecured methods are always bad that I take exception to. The determination as whether root telnet access is bad or good is situational and best left to the individual administrator.

But as you say, we are best left agreeing to disagree :-)

Scott

Re: [e-smith-devinfo] root / shell access
On Wed, 10 Oct 2001, Dan York wrote:
> Absolutely. My favorite in the Windows world has been TTSSH. You
> first install TeraTermPro (which is free) and then you unzip the
> TTSSH distribution and drop it into the Tera Term Pro folder.
> Execute ttssh.exe and you are in. Works great.

Moreover, TeraTermPro is an "advanced telnet client". Adding the TTSSH add-on gives you all the features of that telnet client, but connecting over the secured SSH protocol.

--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739

Re: [e-smith-devinfo] root / shell access
On Wed, Oct 10, 2001 at 01:23:27PM -0400, "Smith, Jeffery S (Scott)" <[EMAIL PROTECTED]> wrote:
> [...]
> I did not express an opinion that root access via telnet is always a good
> idea. Quite to the contrary, I stated that the unqualified categorization of
> root telnet access as a bad thing is itself a bad thing. The position that
> secured access methods are generally preferable to unsecured is of course
> reasonable -- it is the assertion that unsecured methods are always bad that
> I take exception to. The determination as whether root telnet access is bad
> or good is situational and best left to the individual administrator.
> [...]

FYI - We removed the "telnet as root" option from the manager so that it required an explicit action on the part of an administrator with shell access to allow this access. The previous toggle in the manager made it far too easy for people to enable a practice which is commonly accepted as "bad".

Gordon

--
Gordon Rowell [EMAIL PROTECTED]
VP Engineering
Network Server Solutions Group http://www.e-smith.com
Mitel Networks Corporation http://www.mitel.com

Re: [e-smith-devinfo] root / shell access
List,

On Thursday 11 October 2001 02:40, you wrote:
> On Wed, 10 Oct 2001, Dan York wrote:
> > Absolutely. My favorite in the Windows world has been TTSSH. You
> > first install TeraTermPro (which is free) and then you unzip the
> > TTSSH distribution and drop it into the Tera Term Pro folder.
> > Execute ttssh.exe and you are in. Works great.
>
> Moreover, TeraTermPro is an "advanced telnet client". Adding the TTSSH
> add-on gives you all the features of that telnet client, but connecting
> over the secured SSH protocol.

I have used Tera Term Pro in the past and like it. However the TTSSH extension does not support SSH protocol version 2 (refer TTSSH website at http://www.zip.com.au/~roca/ttssh.html).

If support for SSH protocol version 2 is important to you, in my experience PuTTY, a Free Win32 Telnet/SSH Client is an excellent option:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Regards,
Steve

Re: [e-smith-devinfo] root / shell access
On Thu, 11 Oct 2001 03:09, John Powell wrote:
> As far as SSH clients. I use SecureCRT when coming in from a Windows box.
> I love it. Others have high praise for Putty, haven't used it personally
> though. I am not sure what super-advanced Telnet clients you are referring
> to, but I find it hard to grasp what they have over SecureCRT and other
> solid SSH clients.

Personally, I can't see much reason to go past PuTTY... it's a small, single file (unusual for a Windows program) which does a better terminal emulation job than any other SSH client that I've tried...

Re: [e-smith-devinfo] root / shell access
The only reason I use something else besides PUTTY is if I want to do tunneling. Putty is great and doesn't have all the quirks with keys not working the way they usually do.

Joost

Rob Hillis <[EMAIL PROTECTED]>
11-10-2001 14:18

To: <[EMAIL PROTECTED]>
cc:
Subject: Re: [e-smith-devinfo] root / shell access

On Thu, 11 Oct 2001 03:09, John Powell wrote:

Personally, I can't see much reason to go past PuTTY... it's a small, single file (unusual for a Windows program) which does a better terminal emulation job than any other SSH client that I've tried...

Re: [e-smith-devinfo] root / shell access
Hi Joost_De_Raeymaeker!

On Thu, 11 Oct 2001, [EMAIL PROTECTED] wrote:

PuTTY even has tunneling in the latest development snapshot

> The only reason I use something else besides PUTTY is if I want to do
> tunneling. Putty is great and doesn't have all the quirks with keys not
> working the way they usually do.
>
> Joost
>
> Rob Hillis <[EMAIL PROTECTED]>
> 11-10-2001 14:18
>
> To: <[EMAIL PROTECTED]>
> cc:
> Subject: Re: [e-smith-devinfo] root / shell access
>
> On Thu, 11 Oct 2001 03:09, John Powell wrote:
>
> Personally, I can't see much reason to go past PuTTY... it's a small,
> single file (unusual for a Windows program) which does a better terminal
> emulation job than any other SSH client that I've tried...