Re: RH Linux telnet problems

From: Dalvenjah FoxFire (dalvenjahat_private)
Date: Thu Apr 15 1999 - 12:31:11 PDT


    On Thu, Apr 15, 1999 at 03:30:02AM -0800, Rui Ribeiro put this into my mailbox:
    
    > Today, when trying to log into a machine, I mistakenly used telnet over
    > ssh. True, the RH 5.2 box is configured for not allowing root login. The
    > only problem is that it still asks for the password after learning root
    > is logging in. It denied access only after the password was introduced.
    >
    > It should issue an error and not ask for the password, since otherwise
    > it's defeating the whole purpose of denying root telnet access. The
    > purpose, of course, is preventing the raw transmission over the
    > communication media.
    
    No, the purpose is to prevent someone who has the root password but not
    a normal account password from logging into the machine as root directly.
    While it's not a great layer of security, it does mean that the cracker
    has to sniff/crack two passwords instead of just one to gain root access.
    
    This is the same reason that most sane '/bin/su' programs require the
    person doing '/bin/su -' to root to be in the 'root' or 'wheel' group.
    
    These sorts of restrictions were in place long before ssh or kerberos were
    released.
    
    -dalvenjah
    
    --
     Dalvenjah FoxFire (aka Sven Nielsen)  "Command new weapons like dragons,
     Founder, the DALnet IRC Network       griffins, and eleven [sic] archers."
                                                 -MacMall WarCraft II ad
     e-mail: dalvenjahat_private             WWW: http://www.dal.net/~dalvenjah/
     whois: SN90                           Try DALnet! http://www.dal.net/
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:39 PDT