Date:      Wed, 29 Nov 1995 09:56:41 +0000 (GMT)
From:      Paul Richards <p.richards@elsevier.co.uk>
To:        terry@lambert.org (Terry Lambert)
Cc:        jkh@time.cdrom.com, terry@lambert.org, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.org
Subject:   Re: schg flag on make world in -CURRENT
Message-ID:  <199511290956.JAA13824@isis>
In-Reply-To: <199511290220.TAA26615@phaeton.artisoft.com> from "Terry Lambert" at Nov 28, 95 07:20:50 pm

In reply to Terry Lambert who said
> 
> > Yeah, and you don't need a note from your mother either.  I would
> > therefore like to join Terry in demanding that su be disabled until
> > the requisite scanner support (with authentication) be added directly
> > into the kernel.
> 
> Now you are being silly.
> 
> The reason that the lines aren't secure by default is that you don't
> want to have the root password working while a line snooper is catching
> the packets with it in it.
> 

I'm not sure that was ever the reason for secure ptys. I think the
intention was to prevent brute force attacks on root, which is a known
account. A packet sniffer can just as easily pick up non-root accounts
and then have a much better foot in the door for cracking root once on
the machine.

> 
> If the only protection is against brute-forcing root over the net, then
> it's no protection at all.  This attack is already guarded against by
> the login attempt timer, attempt count disconnect, and probability
> function based on the password domain.
> 

I see some merit, though, in preventing root access, period, from insecure
ptys. If it was an added security level I'd be in favour of it. There
are machines where I'd like to disable remote root access completely.

-- 
  Paul Richards. Originative Solutions Ltd.
  Internet: paul@netcraft.co.uk, http://www.netcraft.co.uk
  Phone: 0370 462071 (Mobile), +44 1225 447500 (work)


