Date:      Fri, 31 Aug 2001 13:37:49 +0200
From:      Joerg Wunsch <j@ida.interface-business.de>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        audit@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: why does telnetd run as root?
Message-ID:  <20010831133749.H76749@ida.interface-business.de>
In-Reply-To: <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 02:17:23PM -0400
References:  <20010830201102.O69247@ida.interface-business.de> <200108301817.f7UIHNa66577@khavrinen.lcs.mit.edu>

As Garrett Wollman wrote:

> <<On Thu, 30 Aug 2001 20:11:02 +0200, Joerg Wunsch <j@ida.interface-business.de> said:
> 
> > But then, it's IMHO much safer to run telnetd as user
> > `daemon', and have login(1) allow user daemon to pass -h.
> 
> Only works for cleartext password authentication.

Not really, but you're right, it doesn't work for SRA telnet.  It
works for anything that can be handled by /usr/bin/login, i just
tried OPIE which does well.

Still, allowing this as an option seems useful to me.  (If i want
encryption, i'll use ssh anyway.  Telnet is only a fallback if no
encryption is available for whatever reason.  It is very unlikely i'll
find a client that could do SRA telnet but could not do ssh.)

-- 
J"org Wunsch					       Unix support engineer
joerg_wunsch@interface-systems.de        http://www.interface-systems.de/~j/
