From owner-freebsd-security Fri May 11 9:23:40 2001
Date: Sat, 12 May 2001 01:22:56 +0900 (JST)
Message-Id: <20010512.012256.74710954.ume@mahoroba.org>
To: mike@sentex.net
Cc: ZGabor@CoDe.hu, freebsd-security@freebsd.org
Subject: Re: preventing direct root login on telnetd
From: Hajimu UMEMOTO
In-Reply-To: <4.2.2.20010511075808.023ee200@192.168.0.12>
References: <4.2.2.20010511000303.036916f8@192.168.0.12> <20010511071947.C264@zg.CoDe.hu> <4.2.2.20010511075808.023ee200@192.168.0.12>

>>>>> On Fri, 11 May 2001 07:59:55 -0400
>>>>> Mike Tancsa said:

>Or maybe via the /etc/login.access file. man login.access
>Btw. Don't use telnet, and never login as root. Use `su' instead.

mike> Yes, I don't ever use it but customers do to this particular machine. I
mike> will take a look at login.access. Do you know if it works, or if telnetd
mike> now ignores that as well ?

It's working for me. My login.access has the following entry:

-:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7

Or, you can disable SRA authentication by adding the `-X sra' option to
telnetd in /etc/inet.conf

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
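
How the login.access entry quoted in the message above evaluates, as an added example that is not part of the original post and not FreeBSD's code. It is a simplified model of login.access(5) matching (first matching entry wins, `ALL`, `EXCEPT`, exact names only); it assumes the origin checked is the tty name for a local login and the remote host name for a network login, and the host name and the user `mike` are constructed sample values.

```python
# Simplified model of login.access(5) evaluation; an illustration, not FreeBSD's code.
# Handled: "+"/"-" permission, ALL, EXCEPT, exact user/origin names; first match wins.
# Not handled: group names, LOCAL, domain (".example.org") and network ("192.168.") patterns.

# The entry from the message above.
RULES = "-:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7"


def list_match(tokens, item):
    """True if item matches a token before EXCEPT and matches nothing after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        left, right = tokens[:i], tokens[i + 1:]
    else:
        left, right = tokens, []
    hit = any(tok == "ALL" or tok == item for tok in left)
    return hit and not (bool(right) and list_match(right, item))


def login_allowed(rules, user, origin):
    """Return False if the first matching entry is '-', True otherwise."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Format: permission : users : origins
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if list_match(users.split(), user) and list_match(origins.split(), origin):
            return perm == "+"
    return True  # no entry matched: access is granted


if __name__ == "__main__":
    # Constructed cases: a console vty, then a remote host name as the origin.
    cases = [("root", "ttyv0"), ("root", "client.example.net"),
             ("mike", "client.example.net")]
    for user, origin in cases:
        verdict = "allowed" if login_allowed(RULES, user, origin) else "denied"
        print(f"{user:5} from {origin:20} {verdict}")
```

Because the first matching entry decides, a broader `+` line placed above the `-:root:` entry would override it, so the order of entries in the file matters.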