On Thu, Apr 15, 1999 at 03:30:02AM -0800, Rui Ribeiro put this into my mailbox:

> Today, when trying to log into a machine, I mistakenly used telnet instead of
> ssh. True, the RH 5.2 box is configured not to allow root login. The
> only problem is that it still asks for the password after learning root
> is logging in. It denied access only after the password was entered.
>
> It should issue an error and not ask for the password, since otherwise
> it's defeating the whole purpose of denying root telnet access. The
> purpose, of course, is preventing the raw transmission over the
> communication media.

No, the purpose is to prevent someone who has the root password but not a
normal account password from logging into the machine as root directly. While
it's not a great layer of security, it does mean that the cracker has to
sniff/crack two passwords instead of just one to gain root access.

This is the same reason that most sane '/bin/su' programs require the person
doing '/bin/su -' to root to be in the 'root' or 'wheel' group. These sorts of
restrictions were in place long before ssh or kerberos were released.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)    "Command new weapons like dragons,
Founder, the DALnet IRC Network          griffins, and eleven [sic] archers."
                                                      -MacMall WarCraft II ad
e-mail: dalvenjahat_private
WWW: http://www.dal.net/~dalvenjah/
whois: SN90
Try DALnet! http://www.dal.net/
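The two controls the reply describes can be checked mechanically: root must not be listed as allowed on the network pseudo-terminals in /etc/securetty (telnet and rlogin sessions arrive on ttyp*/pts/*), and su to root must go through pam_wheel so that only wheel members can attempt it. The script below is an added example, not part of the original thread and not Red Hat's or dalvenjah's code; it audits both files and builds its own sample copies in a temp directory so it runs offline. The file paths, function names and sample contents are assumptions for the demonstration; on a real host you would point the functions at /etc/securetty and /etc/pam.d/su. One caveat for the original poster's observation: on a PAM-based login, an `auth required` line for the securetty check still lets PAM run the rest of the stack and report failure only at the end, so the password is prompted for even though root has already been refused; `requisite` aborts immediately, at the cost of revealing which accounts are blocked.

```shell
#!/bin/sh
# Added audit example (not from the original thread). Checks the two
# controls discussed: no root login on pseudo-terminals via /etc/securetty,
# and pam_wheel mandatory in /etc/pam.d/su. Paths are parameters so the
# constructed samples below can be used instead of the live files.

# Return 0 if the securetty file lists no pseudo-terminal (ttyp*/pts/*)
# entries, i.e. root is refused on telnet/rlogin sessions; 1 otherwise.
# A missing file means root is allowed on any tty, so that is a failure too.
securetty_denies_root_ptys() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -Eq '^[[:space:]]*(ttyp|pts/)' "$f"; then
        return 1
    fi
    return 0
}

# Return 0 if the su PAM file has an active (uncommented) auth line that
# makes pam_wheel.so required or requisite; 1 otherwise. Both the old
# /lib/security/ prefixed spelling and the bare module name are accepted.
su_requires_wheel() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/lib/security/)?pam_wheel\.so' "$f"
}

# Combined verdict: 0 only when both controls hold, so an attacker needs a
# normal account's password as well as root's, not root's alone.
root_needs_two_passwords() {
    securetty_denies_root_ptys "$1" && su_requires_wheel "$2"
}

# Constructed sample files (assumed contents, not copied from any host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Bad securetty: pseudo-terminals listed, so root may log in over telnet.
printf 'tty1\ntty2\nttyp0\nttyp1\n' > "$tmp/securetty.bad"
# Good securetty: physical consoles only.
printf 'tty1\ntty2\ntty3\n' > "$tmp/securetty.good"

# Bad su stack: pam_wheel present but commented out.
cat > "$tmp/su.bad" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
#auth      required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_pwdb.so shadow nullok
EOF

# Good su stack: pam_wheel is required before the password module runs.
cat > "$tmp/su.good" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_pwdb.so shadow nullok
EOF

if root_needs_two_passwords "$tmp/securetty.good" "$tmp/su.good"; then
    echo "good config: root must come in through a normal account first"
fi
if ! root_needs_two_passwords "$tmp/securetty.bad" "$tmp/su.bad"; then
    echo "bad config: root can telnet in directly, or su without wheel"
fi
```

The securetty check treats an absent file as a failure because login's documented behaviour is to allow root on any terminal when the file does not exist; the pam_wheel check deliberately ignores commented lines, which is the most common way the restriction gets silently disabled.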
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:39 PDT