Date: Thu, 10 May 2001 20:47:25 -0400
From: Daniel Hauer <dh@enter.net>
To: freebsd-security@freebsd.org
Subject: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
Message-ID: <3AFB369D.5574182A@enter.net>
Hello all,

After installing 4.3 release on one machine and upgrading 2 other machines to -STABLE, I noticed there is a new mechanism used in telnetd, namely this "SRA" authentication mechanism. While convenient (you don't have to type your username), I found something VERY disturbing: if you are at a root prompt on any other BSD based machine, you can just telnet to the 4.3 machines and log right in with the root username and password!

This only apparently occurs from a BSD based machine, as myself and a co-worker tried it from 2 Linux boxes of different distributions, and we could not log in as root.

None of the switches for telnetd in the inetd.conf worked to our satisfaction, and after reading the sources, we recompiled telnetd with AUTHENTICATION=NO to disable this behavior.

What is this "SRA authentication"? And why is telnetd's default behavior to allow root logins at all? I realize that any self respecting sysadmin will either use ipfirewall, ipfilter, or good old inetd's hosts.allow file to limit telnet logins anyway, but the question still remains... Why? Wouldn't this SRA with a "no root" login be a better idea?

--
Regards,
Daniel Hauer
Network Administration
http://www.enter.net
"The Road To The Internet Starts There!"

***************************************************************************
Windoze is for GAMES, UNIX is for the rest of us.
UNIX is like the sights on a loaded gun. If you aim the gun at your foot and pull the trigger, it is the basic function of UNIX to accurately deliver the bullet from the gun to the target. In this case, it's your foot.
***************************************************************************

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
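An added audit helper, not part of the original post, for the two controls the message mentions: it reports whether inetd still starts telnetd and whether a hosts.allow file restricts who can reach it. The file paths, the constructed sample files and the 192.0.2.0/24 "admin subnet" are assumptions.

```sh
#!/bin/sh
# Added audit helper: does inetd still start telnetd, and does hosts.allow
# limit who may reach it?  Paths are parameters; sample files are constructed.

# telnetd_enabled INETD_CONF -> yes/no: an uncommented line whose service
# field is "telnet" means inetd will spawn telnetd for incoming connections.
telnetd_enabled() {
    if grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"; then echo yes; else echo no; fi
}

# telnetd_restricted HOSTS_ALLOW -> yes/no.  Rules are "daemons : clients :
# option" and the first match wins; telnetd counts as restricted once a rule
# names it (or ALL) and is not the blanket "ALL : ALL : allow".
telnetd_restricted() {
    found=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        daemons=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d '[:space:]')
        clients=$(printf '%s\n' "$line" | cut -d: -f2 | tr -d '[:space:]')
        option=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d '[:space:]')
        case ",$daemons," in
            *,telnetd,*|*,ALL,*)
                if [ "$clients" = ALL ] && [ "$option" = allow ]; then continue; fi
                echo yes; break ;;
        esac
    done)
    if [ "$found" = yes ]; then echo yes; else echo no; fi
}

# audit_telnet INETD_CONF HOSTS_ALLOW -> DISABLED | RESTRICTED | EXPOSED
audit_telnet() {
    if [ "$(telnetd_enabled "$1")" = no ]; then echo DISABLED
    elif [ "$(telnetd_restricted "$2")" = yes ]; then echo RESTRICTED
    else echo EXPOSED; fi
}

# write_samples DIR: constructed inetd.conf plus an open and a tightened
# hosts.allow (192.0.2.0/24 stands in for an assumed admin subnet).
write_samples() {
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$1/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' >> "$1/inetd.conf"
    printf 'ALL : ALL : allow\n' > "$1/hosts.allow.open"
    printf 'telnetd : 192.0.2.0/255.255.255.0 : allow\ntelnetd : ALL : deny\n' > "$1/hosts.allow.tight"
}

if [ "$#" -eq 2 ]; then audit_telnet "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/inetd.conf /etc/hosts.allow`; an EXPOSED result means telnetd is reachable from anywhere, so root logins over it are governed only by the daemon's own defaults.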