From: Julian Elischer
Date: Wed, 25 Mar 2009 17:14:54 -0700
To: Chuck Robey
Cc: barney_cordoba@yahoo.com, Ruben de Groot, Ian FREISLICH, current@freebsd.org
Subject: Re: Telnet root login

Chuck Robey wrote:
> Julian Elischer wrote:
>> Ian FREISLICH wrote:
>>> Barney Cordoba wrote:
>>>>> Barney, you have to make the network pseudo ttys secure,
>>>>> like:
>>>>>
>>>>> ttyp0 none network secure
>>>>>
>>>>> Ruben
>>>> Yes, the "it's not a good idea" is dependent on whatever other
>>>> security you have in place. Having to log in twice to a test
>>>> machine on a secure internal network is an unnecessary annoyance.
>>>> The concept that every FreeBSD box in existence is publicly accessible
>>>> is one of those ASSumptions that people should leave at the door.
>>>>
>>>> Ruben, the method you cite no longer works in -current as they've
>>>> changed things once again (which happens way too often when your CEOs
>>>> are a bunch of bearded academics :)
>>>>
>>>> I'm not sure if it's the pty (the login terminal shows as pty/0 and no
>>>> longer ttyp0), or if it's some PAM thing. It's rather annoying.
>>>> Such things as
>>>> pty/0 none network secure
>>>> pty0 none network secure
>>>>
>>>> equally don't work. And I see no mention in any document as to how it
>>>> would be achieved with the current
>>> Then use ssh and set "PermitRootLogin yes" in /etc/ssh/sshd_config
>> this doesn't work if you are using a set of machines run from a central
>> machine using nc (netcat) to do scripted i/o through a telnet session on
>> the other machines (for example).
>>
>> The advantage of telnet is you can pipe nc straight into it.
>
> Julian, I don't know nc, but can't you stick keys in your ~/.ssh, then use ssh
> the same way? Doing without passwords, but keeping your security, inside nc? I
> think, at minimum, you could use ssh forwarding, but doesn't nc allow this
> directly? I just hate the idea of killing all the security, and hadn't yet seen
> any (even wildly unlikely) scenario that needs you to do that.
>
> I begin to suspect that there might be a whole lot of folks who aren't aware of
> how to use ssh to eliminate passwords. Security writeups are always too
> complicated, that's a truism.

Oh I know about SSH and keys but the ability to pipe data into a TCP socket and have it fed into another process is really useful in testing. And of course no encryption overhead.

>
>>> Ian
>>>
>>> --
>>> Ian Freislich
>>> _______________________________________________
>>> freebsd-current@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to
>>> "freebsd-current-unsubscribe@freebsd.org"
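
An added example, not part of the original thread and not FreeBSD's own tooling: a small audit for the two settings discussed above that allow root to log in over the network, the `secure` flag on a `network` entry in /etc/ttys and `PermitRootLogin yes` in sshd_config. The function names and the sample file contents are constructed for illustration, and Match-block handling is simplified to "everything after the first Match line is conditional".

```python
import shlex

# Constructed sample inputs (not taken from any real host).
SAMPLE_TTYS = '''\
ttyv0   "/usr/libexec/getty Pc"   xterm     on secure
ttyp0   none                      network   secure
ttyp1   none                      network   # root login stays refused here
'''
SAMPLE_SSHD = '''\
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
'''

def secure_network_ttys(ttys_text):
    """Names of ttys(5) entries of type 'network' that carry the 'secure' flag."""
    found = []
    for line in ttys_text.splitlines():
        # shlex keeps a quoted getty command as one field and drops '#' comments
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3 and fields[2] == "network" and "secure" in fields[3:]:
            found.append(fields[0])
    return found

def root_login_settings(sshd_text):
    """Return (first global PermitRootLogin value or None,
    line numbers inside Match blocks that set it to yes)."""
    global_value, match_yes, in_match = None, [], False
    for lineno, line in enumerate(sshd_text.splitlines(), 1):
        words = line.split("#", 1)[0].replace("=", " ").split()
        if not words:
            continue
        key = words[0].lower()  # sshd_config keywords are case-insensitive
        if key == "match":
            in_match = True     # everything after a Match line is conditional
        elif key == "permitrootlogin" and len(words) > 1:
            value = words[1].lower()
            if in_match and value == "yes":
                match_yes.append(lineno)
            elif not in_match and global_value is None:
                global_value = value  # sshd uses the first value it reads
    return global_value, match_yes

if __name__ == "__main__":
    print("network ttys marked secure:", secure_network_ttys(SAMPLE_TTYS))
    print("PermitRootLogin (global, Match lines):", root_login_settings(SAMPLE_SSHD))
```

On a test network like the one described in the thread, a non-empty result from either function identifies the hosts where root login over telnet or ssh has been switched on and should be tracked.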