Date:      Sat, 29 Jun 1996 21:23:21 GMT
From:      James Raynard <fqueries@jraynard.demon.co.uk>
To:        mc7953@mclink.it
Cc:        questions@FreeBSD.ORG, mc7953@mclink.it
Subject:   Re: rlogin as root refused
Message-ID:  <199606292123.VAA05507@jraynard.demon.co.uk>
In-Reply-To: <31D53AD3.41C67EA6@mclink.it> (message from Marco Masotti on Sat, 29 Jun 1996 16:16:51 +0200)

> I'm getting problems doing rlogin as root, always when towards FreeBSD
> machines.
> 
> I can do rsh generic commands and rcp, but not rlogin.
> 
> I set a "+" in the ~root/.rhosts file, but this doesn't suffice.

This is extremely dangerous. Don't do it!

> Also, my /etc/login.access file has only one line:
> 
> 		+:ALL:ALL

Likewise.

> Nevertheless, when doing rsh|rlogin <FreeBSD host>, I get:
> 
> # rsh <FreeBSD host>
> Password:
> root login refused on this terminal.
> login:

This is because you get a pseudo terminal which is not marked as
"secure" in /etc/ttys:-

$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

   FreeBSD (jraynard.demon.co.uk) (ttyp5)

login: root
Password:
root login refused on this terminal.
$ grep ttyp5 /etc/ttys
ttyp5   none                    network

> I can successfully do the same operation on behalf of generic users,
> other than root, yet through the same rhosts authorization mechanism.
> Sure, I can then switch root, but I wish to do it straight also.

This is not recommended, for the same reason that you shouldn't log in
as root. Always log in as a normal user, whether at a terminal or over a
network, and use the 'su' command to become root if you need to.

> Is this behaviour normal due to security issues? 

Yes. If this was not the case, your .rhosts and login.access settings
would allow anyone to rlogin to your machine as root, which means they
could do whatever they liked with it.

> In such case it would not seem to be documented anywhere.

It's in ttys(5):-

     As flag values, the strings ``on'' and ``off'' specify that init should
     (should not) execute the command given in the second field, while
     ``secure'' (if ``on'' is also specified) allows users with a uid of 0 to
     login on this line.  These flag fields should not be quoted.

> PS: the login.access file seems to function properly when accessing
> through a physical tty line, ie. through modems.

In this case, you get a serial terminal, which is marked as "secure"
in the default /etc/ttys.

-- 
James Raynard, Edinburgh, Scotland
james@jraynard.demon.co.uk
http://www.freebsd.org/~jraynard/
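
An added example, not part of the original message: a small audit script for the three settings discussed above (the "secure" flag on network ttys, the "+" wildcard in .rhosts, and the +:ALL:ALL rule in login.access). It assumes that type "network" marks pseudo terminals, as on the ttyp5 line shown; the function names and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three settings discussed in this message.
# All sample file contents below are constructed for the demonstration.

# Names of network ttys (type "network", like ttyp5 above) flagged "secure",
# i.e. lines on which ttys(5) allows users with a uid of 0 to log in.
secure_network_ttys() {
    awk '{
        gsub(/"[^"]*"/, "CMD")      # collapse a quoted getty command to one word
        sub(/#.*/, "")              # drop comments
        if (NF < 4 || $3 != "network") next
        for (i = 4; i <= NF; i++) if ($i == "secure") { print $1; break }
    }' "$1"
}

# Line numbers of .rhosts entries whose host field is the "+" wildcard.
rhosts_wildcards() {
    awk '$1 == "+" { print NR }' "$1"
}

# Line numbers of login.access rules that permit ALL users from ALL origins.
login_access_allow_all() {
    awk -F: '{ gsub(/[ \t]/, "") }
             $1 == "+" && $2 == "ALL" && $3 == "ALL" { print NR }' "$1"
}

# Constructed sample files; point the functions at the real files to audit a host.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/ttys" <<'EOF'
# name  getty                           type    status
ttyv0   "/usr/libexec/getty Pc"         cons25  on secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  on secure
ttyp0   none                            network secure
ttyp5   none                            network
EOF
printf '+\ntrusted.example.org alice\n' > "$demo/rhosts"
printf '+:ALL:ALL\n' > "$demo/login.access"

echo "network ttys open to root: $(secure_network_ttys "$demo/ttys")"
echo ".rhosts wildcard lines:    $(rhosts_wildcards "$demo/rhosts")"
echo "login.access allow-all:    $(login_access_allow_all "$demo/login.access")"
```

On the constructed input only ttyp0 is reported as a network tty open to root; the console and dialup lines are skipped because their type is not "network".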