From owner-freebsd-questions Sat Jun 29 19:01:10 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA01879 for questions-outgoing; Sat, 29 Jun 1996 19:01:10 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA01865 for ; Sat, 29 Jun 1996 19:01:08 -0700 (PDT)
Received: from relay-2.mail.demon.net (disperse.demon.co.uk [158.152.1.77]) by who.cdrom.com (8.6.12/8.6.11) with SMTP id RAA20271 for ; Sat, 29 Jun 1996 17:05:26 -0700
Received: from post.demon.co.uk ([158.152.1.72]) by relay-2.mail.demon.net id aa21753; 30 Jun 96 1:03 +0100
Received: from jraynard.demon.co.uk ([158.152.42.77]) by relay-3.mail.demon.net id aa26711; 30 Jun 96 0:50 +0100
Received: (from fqueries@localhost) by jraynard.demon.co.uk (8.6.12/8.6.12) id VAA05507; Sat, 29 Jun 1996 21:23:21 GMT
Date: Sat, 29 Jun 1996 21:23:21 GMT
Message-Id: <199606292123.VAA05507@jraynard.demon.co.uk>
From: James Raynard
To: mc7953@mclink.it
CC: questions@FreeBSD.ORG, mc7953@mclink.it
In-reply-to: <31D53AD3.41C67EA6@mclink.it> (message from Marco Masotti on Sat, 29 Jun 1996 16:16:51 +0200)
Subject: Re: rlogin as root refused
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I'm getting problems doing rlogin as root, always when towards FreeBSD
> machines.
>
> I can do rsh generic commands and rcp, but not rlogin.
>
> I set a "+" in the ~root/.rhosts file, but this doesn't suffice.

This is extremely dangerous. Don't do it!

> Also, my /etc/login.access file has only one line:
>
> +:ALL:ALL

Likewise.

> Nevertheless, when doing rsh|rlogin , I get:
>
> # rsh
> Password:
> root login refused on this terminal.
> login:

This is because you get a pseudo terminal which is not marked as "secure" in /etc/ttys:-

$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

FreeBSD (jraynard.demon.co.uk) (ttyp5)

login: root
Password:
root login refused on this terminal.

$ grep ttyp5 /etc/ttys
ttyp5	none			network

> I can successfully do the same operation on behalf of generic users,
> other than root, yet through the same rhosts authorization mechanism.
> Sure, I can then switch root, but I wish to do it straight also.

This is not recommended, for the same reason that you shouldn't log in as root. Always log in as a normal user, whether at a terminal or over a network, and use the 'su' command to become root if you need to.

> Is this behaviour normal due to security issues?

Yes. If this was not the case, your .rhosts and login.access settings would allow anyone to rlogin to your machine as root, which means they could do whatever they liked with it.

> In such case it would not seem to be documented anywhere.

It's in ttys(5):-

     As flag values, the strings ``on'' and ``off'' specify that init should
     (should not) execute the command given in the second field, while
     ``secure'' (if ``on'' is also specified) allows users with a uid of 0 to
     login on this line.  These flag fields should not be quoted.

> PS: the login.access file seems to function properly when accessing
> through a physical tty line, ie. through modems.

In this case, you get a serial terminal, which is marked as "secure" in the default /etc/ttys.

-- 
James Raynard, Edinburgh, Scotland
james@jraynard.demon.co.uk
http://www.freebsd.org/~jraynard/
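As an added example, not part of James Raynard's message, the following shell snippet turns the single `grep ttyp5 /etc/ttys` check above into an audit of a whole ttys(5) file: it lists every entry that carries the `secure` flag and offers a predicate for one terminal name. The ttys contents in `SAMPLE_TTYS` are constructed for this example (modelled on the default file's layout, with a deliberately insecure `ttyq0` added) and are not copied from any real system; point `secure_terminals` at `/etc/ttys` on a FreeBSD box to check a live configuration.

```shell
#!/bin/sh
# Audit which ttys(5) entries permit a uid 0 login.
# Entry layout: name  getty-command  type  [status] [flags...]
# The getty command may be a quoted string containing spaces, so it is
# collapsed to a single token before the fields are counted.

# Constructed sample ttys(5) file for this example (not a real /etc/ttys).
SAMPLE_TTYS='# name   getty                               type     status  comments
console  none                                unknown  off secure
ttyv0    "/usr/libexec/getty Pc"             cons25   on  secure
ttyv1    "/usr/libexec/getty Pc"             cons25   on  secure
ttyd0    "/usr/libexec/getty std.9600"       dialup   on  secure
ttyd1    "/usr/libexec/getty std.9600"       dialup   off secure
ttyp0    none                                network
ttyp5    none                                network
ttyq0    none                                network  secure'

# secure_terminals: read a ttys(5) file on stdin and print the name of every
# entry that carries the "secure" flag, one per line.
secure_terminals() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        {
            gsub(/"[^"]*"/, "GETTY")        # quoted getty command -> one field
            secure = 0
            for (i = 4; i <= NF; i++)       # flags start after the type field
                if ($i == "secure") secure = 1
            if (secure) print $1
        }'
}

# root_allowed_on TTY: read a ttys(5) file on stdin; succeed if TTY is
# marked secure, fail otherwise.  Usage: root_allowed_on ttyp5 < /etc/ttys
root_allowed_on() {
    secure_terminals | grep -qx "$1"
}

# Stand-alone demonstration against the constructed sample.
echo "Terminals marked secure:"
printf '%s\n' "$SAMPLE_TTYS" | secure_terminals
for t in ttyd0 ttyp5 ttyq0; do
    if printf '%s\n' "$SAMPLE_TTYS" | root_allowed_on "$t"; then
        echo "$t: root login allowed"
    else
        echo "$t: root login refused on this terminal"
    fi
done
```

Network pseudo terminals (type `network`) that show up in the secure list, like the constructed `ttyq0` here, are exactly the configuration the reply warns against: combined with a permissive `.rhosts` or `login.access`, they let anyone on the network log in as root.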