From owner-freebsd-security Tue Jul 25 7:27:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id BEEA237B6E8 for ; Tue, 25 Jul 2000 07:27:53 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2719 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 25 Jul 2000 09:26:52 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 25 Jul 2000 09:26:52 -0500 (CDT)
From: James Wyatt
To: Jean-Claude STAQUET
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow access of root user
In-Reply-To: <3.0.6.32.20000725103811.008e8e90@polyflow.be>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote:

> How do you allow remote login on a FreeBSD system?
> I'm able to login as root on the FreeBSD console itself but not from
> another machine.

Warning: allowing root to directly log in via telnet is very risky. It
exposes your root password to sniffing anywhere along the IP path,
provides almost no trace of *who* logged in as root, and lets casual
errors become more common. (Folks get lazy about being root.)

That said: root logins for telnetd and login are controlled by /etc/ttys
(see 'man ttys'), and adding 'secure' to the 'ttyp' lines (like the
'ttyv' lines) will allow root to log in directly. Please try to avoid
doing that!

The traditional way to become root remotely is to log in as a 'normal'
user with that user's password (usually in the suaccess or wheel groups)
and use the 'su' command (see 'man su') to become root. Only users with
both passwords are allowed to do 'powerful things'. The root password can
still be sniffed, but only if whole sessions are sniffed and recorded.
Simple password gatherers like Linsniffer won't work.

Check out 'sudo' in the packages (or ports) tree. It is still vulnerable
to Linsniffer since the same password is used, but you can limit the
commands that run as root for the user to things like backups and
shutdown scripts.

The best way, IMHO, is to use ssh (or better yet, OpenSSH) to provide
encrypted root logins. There is an option to allow root logins with it
directly. This requires you to install OpenSSH (see the ports tree) on
the hosts you want to control and some kind of ssh client on the
machine(s) you want to log in from. (There are several for Windows and
Unix. If it's another FreeBSD machine, you can just use OpenSSH again.)
If you consider using 'ssh2', read the license carefully.

Sorry for a long reply to a short question, but you *really* need to
balance your risks of password sniffing and the power of root access. If
your hosts are next to each other on isolated switches, maybe root
telnets are OK. If you are dialing up over quite a distance and are a
good target for attacks, install OpenSSH or ssh.

Hope this helps - Jy@
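The reply above names three places that decide who can become root over the network: the 'secure' flag on ttyp lines in /etc/ttys, membership of the wheel group (for 'su'), and the sshd option that permits direct root logins. The script below is an added example, not part of the original message or of FreeBSD itself; it audits copies of those three files so it can run on any POSIX shell. The sshd option is assumed to be OpenSSH's PermitRootLogin (the message does not name it), and sshd's rule that the first occurrence of a keyword wins is applied. The file contents are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message. Audits the three
# settings the reply discusses, working on file paths so it can be pointed at
# /etc/ttys, /etc/ssh/sshd_config and /etc/group on a real FreeBSD host.

# Print the names of network pseudo-ttys (ttyp*) that carry the 'secure' flag
# in a ttys(5) file. Such lines let root log in directly over telnet/rlogin,
# which is the risky setting the reply warns about. Quoted getty commands are
# not parsed as one field, but the flag test is per-field, so that is harmless.
insecure_network_ttys() {
    awk '$1 ~ /^ttyp/ { for (i = 2; i <= NF; i++) if ($i == "secure") print $1 }' "$1"
}

# Report the effective PermitRootLogin value from an sshd_config file.
# Assumption: OpenSSH semantics, where the first uncommented occurrence of a
# keyword wins. Prints "unset" when the file does not mention it at all (the
# built-in default differs between OpenSSH versions, so do not guess it).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# List the members of the wheel group from a group(5) file; these are the
# accounts that may 'su' to root once logged in as themselves.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# --- constructed sample files (not from any real system) -------------------
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

cat > "$work/ttys" <<'EOF'
# name    getty                       type     status  comments
console   none                        unknown  off secure
ttyv0     "/usr/libexec/getty Pc"     cons25   on  secure
ttyp0     none                        network  secure
ttyp1     none                        network
EOF

cat > "$work/sshd_config" <<'EOF'
# constructed sample: the first PermitRootLogin line is the one sshd honours
Port 22
PermitRootLogin no
PermitRootLogin yes
EOF

cat > "$work/group" <<'EOF'
wheel:*:0:root,jwyatt
operator:*:5:root
EOF

echo "ttyp lines marked secure (direct root telnet allowed):"
insecure_network_ttys "$work/ttys" | sed 's/^/  /'
echo "sshd PermitRootLogin: $(permit_root_login "$work/sshd_config")"
echo "wheel members (may su to root): $(wheel_members "$work/group")"
```

On a real host, replace the three sample paths with /etc/ttys, /etc/ssh/sshd_config and /etc/group; any ttyp name printed by the first check is a line to remove 'secure' from, and a PermitRootLogin of "yes" means the host relies entirely on the strength of the root password over ssh.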