Date: Fri, 5 Dec 1997 21:21:03 -0500 (EST) From: "David E. Cross" <dec@phoenix.its.rpi.edu> To: Alex <garbanzo@hooked.net> Cc: John-Mark Gurney <gurney_j@resnet.uoregon.edu>, Jaye Mathisen <mrcpu@cdsnet.net>, Jim Bryant <jbryant@unix.tfs.net>, ircadmin@shellnet.co.uk, freebsd-hackers@FreeBSD.ORG Subject: Re: Telnet Root access Message-ID: <Pine.BSF.3.96.971205211836.7036A-100000@phoenix.its.rpi.edu> In-Reply-To: <Pine.BSF.3.96.971205172907.765A-100000@zippy.dyn.ml.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Fri, 5 Dec 1997, John-Mark Gurney wrote: > > > Jaye Mathisen scribbled this message on Dec 5: > > > > > > > > > > man su > > > > > > > > > > I'm not sure how I see su helping. If he has to telnet in as a normal > > > user, then su to root, he still has to send the root password in the > > > clear. > > > > what it prevents is brute force password attempts to directly break > > root's acount... > > Actually it doesn't really even prevent that. Su just adds more detailed > logging of the attempts, which are more likely (IMO) to draw attention. many people will just capture the fist 100 or so characters sent to a session... logging everything you enter on a connection is a waste of space, and they need to dig through tht later. IMO: sending the root password plaintext over the network at any time is a *NO*. I *only* use ssh to connect as root (even when su-ing), and only from a host I trust, and a binary I trust. I have learned the hard way not to compromise on neteork/system security. -- David Cross ACS Consultant
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971205211836.7036A-100000>