From: Chuck Robey
Date: Wed, 25 Mar 2009 19:45:18 -0400
To: Julian Elischer
Cc: barney_cordoba@yahoo.com, Ruben de Groot, Ian FREISLICH, current@freebsd.org
Subject: Re: Telnet root login
Message-ID: <49CAC20E.3020602@telenix.org>
In-Reply-To: <49CA6754.4030302@elischer.org>
List-Id: Discussions about the use of FreeBSD-current

Julian Elischer wrote:
> Ian FREISLICH wrote:
>> Barney Cordoba wrote:
>>>> Barney, you have to make the network pseudo ttys secure,
>>>> like:
>>>>
>>>> ttyp0 none network secure
>>>>
>>>> Ruben
>>> Yes, the "it's not a good idea" is dependent on whatever other
>>> security you have in place. Having to log in twice to a test
>>> machine on a secure internal network is an unnecessary annoyance.
>>> The concept that every FreeBSD box in existence is publicly accessible
>>> is one of those ASSumptions that people should leave at the door.
>>>
>>> Ruben, the method you cite no longer works in -current as they've
>>> changed things once again (which happens way too often when your CEOs
>>> are a bunch of bearded academics :)
>>>
>>> I'm not sure if it's the pty (the login terminal shows as pty/0 and no
>>> longer ttyp0), or if it's some PAM thing. It's rather annoying.
>>> Such things as
>>> pty/0 none network secure
>>> pty0 none network secure
>>>
>>> equally don't work. And I see no mention in any document as to how it
>>> would be achieved with the current
>>
>> Then use ssh and set "PermitRootLogin yes" in /etc/ssh/sshd_config
>
> this doesn't work if you are using a set of machines run from a central
> machine using nc (netcat) to do scripted i/o through a telnet session on
> the other machines (for example).
>
> The advantage of telnet is you can pipe nc straight into it.

Julian, I don't know nc, but can't you stick keys in your ~/.ssh, then use ssh
the same way? Doing without passwords, but keeping your security, inside nc? I
think, at minimum, you could use ssh forwarding, but doesn't nc allow this directly?

I just hate the idea of killing all the security, and hadn't yet seen any (even
wildly unlikely) scenario that needs you to do that.

I begin to suspect that there might be a whole lot of folks who aren't aware of
how to use ssh to eliminate passwords. Security writeups are always too
complicated, that's a truism.

>
>>
>> Ian
>>
>> --
>> Ian Freislich
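
As an added example (not part of the original message, and not FreeBSD's own code), here is a POSIX shell check for the two settings this thread discusses: network ttys marked `secure` in an /etc/ttys-style file, and `PermitRootLogin yes` in an sshd_config-style file. The function names and sample files are constructed for illustration, and `Match` blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example: audit the two root-login settings discussed in this thread.

# List network ttys marked "secure" in an /etc/ttys-style file
# (format as quoted above: name, getty, type, flags).
secure_network_ttys() {
    awk '
        $1 ~ /^#/ { next }                      # comment line
        $3 == "network" {
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment
                if ($i == "secure") { print $1; break }
            }
        }' "$1"
}

# Print the global PermitRootLogin value from an sshd_config-style file.
# sshd uses the first value it reads; Match blocks are out of scope here.
permit_root_login() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Report findings; return 1 if either setting permits direct root login.
audit_root_login() {
    ttys=$1; sshd=$2; rc=0
    for t in $(secure_network_ttys "$ttys"); do
        echo "FINDING: $ttys: network tty $t is marked secure"; rc=1
    done
    if [ "$(permit_root_login "$sshd")" = yes ]; then
        echo "FINDING: $sshd: PermitRootLogin yes"; rc=1
    fi
    return $rc
}

# Constructed sample files, not taken from any real host.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# name getty type status' \
        'ttyv0 "/usr/libexec/getty Pc" cons25 on secure' \
        'ttyp0 none network secure' 'ttyp1 none network' > "$d/ttys"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
    audit_root_login "$d/ttys" "$d/sshd_config"; rc=$?
    rm -rf "$d"; return $rc
}
demo || true
```

A value of `unset` means the file does not set the keyword globally, so the sshd build's default applies.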