Date:      Tue, 28 Nov 1995 22:17:45 -0700
From:      Nate Williams <nate@rocky.sri.MT.net>
To:        Terry Lambert <terry@lambert.org>
Cc:        nate@rocky.sri.MT.net (Nate Williams), freebsd-current@FreeBSD.org
Subject:   Re: schg flag on make world in -CURRENT
Message-ID:  <199511290517.WAA19065@rocky.sri.MT.net>
In-Reply-To: <199511290210.TAA26584@phaeton.artisoft.com>
References:  <199511282344.QAA18335@rocky.sri.MT.net> <199511290210.TAA26584@phaeton.artisoft.com>


Terry Lambert writes:
> > WHAT?!?  Terry, you're losing it.
> > 
> > Do you understand what the 'secure' flag means?  It means that root is
> > allowed to directly login via that tty/pty.  So, if you have folks who
> > need to come in remotely in your scheme, you need to make *ALL* of your
> > connections secure, which opens up a huge can of worms.
> 
> Only if they need to su to root after they come in.  What normal user
> comes in from outside the firewall and su's anyway?

All of the folks who do root work on freefall, and David's work on
wcarchive.

> It's silly to type a root password over an insecure line.  That's the
> point of not allowing it.  Even if the potential cracker types it
> right, he types it wrong.

1) If you are that worried about break-ins, use secure telnet or
something like that.

> > The current behavior is a mix of usefulness plus security.  The cracker
> > needs to break into an account which is in the 'wheel' group, and then
> > they need to crack the root passwd w/out raising suspicions in the
> > logfiles while every failed attempt to 'su' to root is logged to the
> > screen, the logfile, and any user already su'd to root on the box.
> 
> Logfiles go away after your cracker is in, as do the console contents.  And
> since you can tell other users su'ed onto the machine (as well as anyone
> else syslog feels free to bitch at) without arousing suspicions.

We might as well give up then, huh?  

> All your cracker has to do is watch the wire traffic to get your root
> password, and use it, if you allow it to be used over the wire in the
> first place.

If you've got a snooper on the wire, you've got big problems, the least
of which is him getting root access.  If that is your concern, use a
more secure method of communication to the remote system (ssh, etc.)

> Setting pty's secure is a silly thing to do in any situation unless, as
> is allowing users to su from unsecure lines.

You can 'su' on insecure lines.  You can't directly login as root on
insecure lines.


Nate

