From owner-freebsd-current@FreeBSD.ORG Wed Mar 25 23:51:25 2009
Date: Wed, 25 Mar 2009 16:51:23 -0700 (PDT)
From: Barney Cordoba
Reply-To: barney_cordoba@yahoo.com
To: Julian Elischer, Chuck Robey
Cc: Ruben de Groot, Ian FREISLICH, current@freebsd.org
Subject: Re: Telnet root login
Message-ID: <50958.12083.qm@web63908.mail.re1.yahoo.com>
In-Reply-To: <49CAC20E.3020602@telenix.org>
List-Id: Discussions about the use of FreeBSD-current

--- On Wed, 3/25/09, Chuck Robey wrote:

> From: Chuck Robey
> Subject: Re: Telnet root login
> To: "Julian Elischer"
> Cc: barney_cordoba@yahoo.com, "Ruben de Groot", "Ian FREISLICH", current@freebsd.org
> Date: Wednesday, March 25, 2009, 7:45 PM
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Julian Elischer wrote:
> > Ian FREISLICH wrote:
> >> Barney Cordoba wrote:
> >>>> Barney, you have to make the network pseudo ttys secure,
> >>>> like:
> >>>>
> >>>> ttyp0 none network secure
> >>>>
> >>>> Ruben
> >>> Yes, the "it's not a good idea" is dependent on whatever other
> >>> security you have in place. Having to log in twice to a test
> >>> machine on a secure internal network is an unnecessary annoyance.
> >>> The concept that every FreeBSD box in existence is publicly accessible
> >>> is one of those ASSumptions that people should leave at the door.
> >>>
> >>> Ruben, the method you cite no longer works in -current as they've
> >>> changed things once again (which happens way too often when your CEOs
> >>> are a bunch of bearded academics :)
> >>>
> >>> I'm not sure if it's the pty (the login terminal shows as pty/0 and no
> >>> longer ttyp0), or if it's some PAM thing. It's rather annoying.
> >>> Such things as
> >>>
> >>> pty/0 none network secure
> >>> pty0 none network secure
> >>>
> >>> equally don't work. And I see no mention in any document as to how it
> >>> would be achieved with the current
> >>
> >> Then use ssh and set "PermitRootLogin yes" in /etc/ssh/sshd_config
> >
> > this doesn't work if you are using a set of machines run from a central
> > machine using nc (netcat) to do scripted i/o through a telnet session on
> > the other machines (for example).
> >
> > The advantage of telnet is you can pipe nc straight into it.
>
> Julian, I don't know nc, but can't you stick keys in your ~/.ssh, then use ssh
> the same way? Doing without passwords, but keeping your security, inside nc? I
> think, at minimum, you could use ssh forwarding, but doesn't nc allow this
> directly? I just hate the idea of killing all the security, and hadn't yet seen
> any (even wildly unlikely) scenario that needs you to do that.
>
> I begin to suspect that there might be a whole lot of folks who aren't aware of
> how to use ssh to eliminate passwords. Security writeups are always too
> complicated, that's a truism.

Another Truism: there are a whole lot of folks who are way too anally retentive for their own good.

Barney
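Two settings run through this thread: which /etc/ttys entries carry the "secure" flag (Ruben's `ttyp0 none network secure` line, which Barney reports no longer works on -current), and Chuck's alternative of ssh keys instead of a password-free root login. Both are things an administrator can audit. The shell helpers below are an added example written for this archive page, not code from anyone in the thread; the /etc/ttys excerpt and sshd_config fragments are constructed samples, and nothing here claims to know which tty name -current expects, since the thread leaves that unanswered. The helpers list the network ttys marked secure, read `PermitRootLogin` the way sshd does (first occurrence wins, keyword case-insensitive), and build an authorized_keys entry restricted to one source host and one forced command, which is the key-based shape of the scripted nc-over-telnet access Julian describes.

```sh
#!/bin/sh
# Added audit helpers for the settings discussed in the thread. All file
# contents below are constructed samples, not taken from any real host.

# Constructed /etc/ttys excerpt (fields: name getty type status ...).
SAMPLE_TTYS='# name  getty  type  status  comments
console none unknown off secure
ttyp0 none network secure
ttyp1 none network
pty/0 none network secure
ttyp2 none network
'

# Constructed sshd_config fragments: the weak setting and a hardened one.
SAMPLE_SSHD_WEAK='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'
SAMPLE_SSHD_HARDENED='# constructed sample
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
'

# Print the names of network ttys whose status field contains "secure"
# (root may log in directly on those). Comment and blank lines are skipped.
# Getty fields quoted with spaces are not parsed; network entries use "none".
secure_network_ttys() {
  printf '%s\n' "$1" | while read -r name getty type status rest; do
    case "$name" in ''|'#'*) continue ;; esac
    [ "$type" = "network" ] || continue
    case " $status $rest " in *" secure "*) printf '%s\n' "$name" ;; esac
  done
}

# Print the first PermitRootLogin value in an sshd_config text, or nothing
# if it is unset. sshd honours the first occurrence; keywords are
# case-insensitive, hence the character-class match.
permit_root_login_value() {
  printf '%s\n' "$1" | while read -r key value rest; do
    case "$key" in
      [Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn])
        printf '%s\n' "$value"; break ;;
    esac
  done
}

# Return 0 when root logins are disabled or limited to keys.
# "without-password" is the older spelling of "prohibit-password".
root_login_hardened() {
  case "$(permit_root_login_value "$1")" in
    no|prohibit-password|without-password) return 0 ;;
    *) return 1 ;;
  esac
}

# Build an authorized_keys entry for scripted access: the key is honoured
# only from the given source, runs one forced command, and gets no tty or
# forwarding. $1 = from= pattern, $2 = forced command, $3 = public key text.
restricted_key_line() {
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$1" "$2" "$3"
}

# Usage when run directly (the key below is a constructed placeholder).
echo "network ttys marked secure:"
secure_network_ttys "$SAMPLE_TTYS"
echo "PermitRootLogin (weak sample): $(permit_root_login_value "$SAMPLE_SSHD_WEAK")"
root_login_hardened "$SAMPLE_SSHD_HARDENED" && echo "hardened sample: root login restricted to keys"
restricted_key_line "10.0.0.0/24" "/usr/local/bin/collect-status" "ssh-ed25519 AAAA-constructed-placeholder"
```

With a forced command and `no-pty`, the central machine still gets one-shot scripted I/O (`ssh root@host` runs only the listed command with stdin and stdout piped, so nc or a plain pipeline works as before), but the key never yields an interactive root shell and is useless from any source outside the `from=` pattern. On the telnet side, the audit only tells you which network ttys are currently flagged secure; it does not determine which entry name the running kernel will match.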