At 03:30 AM 4/15/99 -0800, Rui Ribeiro wrote:
>Today, when trying to log into a machine, I mistakenly used telnet over ssh.
>True, the RH 5.2 box is configured for not allowing root login. The only
>problem is that it still asks for the password after learning root is
>logging. It denied access only after the password was introduced.
>
>It should issue an error and not ask for the password, since otherwise it's
>defeating the whole purpose of denying root telnet access. The purpose, of
>course, is preventing the raw transmission over the communication media.

Sniffing the wire is only part of the reason for disallowing root login.
Other good reasons to make a user authenticate as a non-privileged user first:

- Prevent remote brute force attacks on the root password
- Provide more of an audit trail to attempted root logins
- Require two password compromises instead of one.

I agree, though, that not asking for the password would be better. I don't
know of a telnet daemon that does this, however.

-j

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:39 PDT