From owner-freebsd-security  Fri May 11  9:27:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 4161437B43C
	for <freebsd-security@freebsd.org>; Fri, 11 May 2001 09:27:19 -0700 (PDT)
	(envelope-from roam@orbitel.bg)
Received: (qmail 45398 invoked by uid 1000); 11 May 2001 16:26:41 -0000
Date: Fri, 11 May 2001 19:26:41 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: mike@sentex.net
Cc: Hajimu UMEMOTO <ume@mahoroba.org>, ZGabor@CoDe.hu,
	freebsd-security@freebsd.org
Subject: Re: preventing direct root login on telnetd
Message-ID: <20010511192641.E24224@ringworld.oblivion.bg>
Mail-Followup-To: mike@sentex.net, Hajimu UMEMOTO <ume@mahoroba.org>,
	ZGabor@CoDe.hu, freebsd-security@freebsd.org
References: <4.2.2.20010511000303.036916f8@192.168.0.12> <20010511071947.C264@zg.CoDe.hu> <4.2.2.20010511075808.023ee200@192.168.0.12> <20010512.012256.74710954.ume@mahoroba.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010512.012256.74710954.ume@mahoroba.org>; from ume@mahoroba.org on Sat, May 12, 2001 at 01:22:56AM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 12, 2001 at 01:22:56AM +0900, Hajimu UMEMOTO wrote:
> >>>>> On Fri, 11 May 2001 07:59:55 -0400
> >>>>> Mike Tancsa <mike@sentex.net> said:
> 
> >Or maybe via the /etc/login.access file.  man login.access
> >Btw.  Don't use telnet, and never login as root.  Use `su' instead.
> 
> mike> Yes, I dont ever use it but customers do to this particular machine.  I 
> mike> will take a look at login.access.  Do you know if it works, or if telnetd 
> mike> now ignores that as well ?
> 
> It's working for me.  My login.access has following entry:
> 
>     -:root:ALL EXCEPT console ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7
> 
> Or, you can disable SRA authentication by adding `-X sra' option to
> telnetd in /etc/inet.conf

login.conf should work - telnetd invokes login(1).

G'luck,
Peter

-- 
What would this sentence be like if it weren't self-referential?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message