I do not want to start a major debate on the topic. You are correct, I forgot about the admin console thing. You can enable a user as having shell access and su from there.
The dangers of enabling root from telnet that I can think of are these:

- Easier for someone sniffing on your network to look for root logins and capture the password. Yes, they could look for "su", but that is a little bit more obscure. This is also a reason to go for SSH.
- Someone trying to guess their way in is likely to start by attempting to crack their way in by trying to telnet in as root. This is an unsophisticated attack for sure, but those are the first tried. Not allowing root to telnet in adds another obscurity layer.

Before you get into the "Security by obscurity" argument, I agree this is not a good primary line of defense, but it is a decent secondary line of defense.

As far as SSH clients, I use SecureCRT when coming in from a Windows box. I love it. Others have high praise for PuTTY, haven't used it personally though. I am not sure what super-advanced Telnet clients you are referring to, but I find it hard to grasp what they have over SecureCRT and other solid SSH clients.

Basically, no matter how advanced you are as a user, opening up telnet to root is widely considered a bad idea and your skills are not going to stop anyone from exploiting your network if they get root. I don't even allow root directly in via SSH, but require su there too.

Bottom line, I respectfully disagree with your premise that allowing telnet in directly as root is a good idea, particularly if it is on an external interface or if your internal network is not 100% physically secure.

If you would like to continue this thread, we should probably take it off-list. I would prefer to just agree to disagree and leave it at that.

JP
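The policy stated in the message above (no direct root login even over SSH, with su required instead) can be checked against an OpenSSH sshd_config. This is an added example, not part of the original message; the function name, the sample configuration and the `default` value are assumptions, and Include directives are not followed.

```python
import re

def audit_root_login(config_text, default="prohibit-password"):
    """Return (effective_global_value, findings) for PermitRootLogin.

    sshd keeps the first value it reads for a keyword and treats keywords
    case-insensitively; lines after a Match line apply only to that block.
    `default` is an assumption: the built-in value of current OpenSSH
    (older releases defaulted to "yes").
    """
    global_value, match_ctx, seen_blocks = None, None, set()
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace and/or "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_ctx = arg            # everything below is conditional
            continue
        if key != "permitrootlogin":
            continue
        value = arg.split("#", 1)[0].strip().strip('"').lower()
        if match_ctx is None:
            if global_value is None:   # first occurrence wins
                global_value = value
        elif match_ctx not in seen_blocks:
            seen_blocks.add(match_ctx)
            if value != "no":
                findings.append(
                    f"line {lineno}: Match {match_ctx} sets PermitRootLogin {value}")
    effective = global_value if global_value is not None else default
    if effective != "no":
        findings.insert(0, f"global PermitRootLogin is {effective}: "
                           "root can log in without going through su")
    return effective, findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
Port 22
permitrootlogin without-password
PermitRootLogin no
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    value, problems = audit_root_login(SAMPLE)
    print("effective global value:", value)
    print("\n".join(problems) or "root must use su")
```

The second `PermitRootLogin no` in the sample has no effect because the earlier line already set the value, which is the kind of mistake a plain grep for "PermitRootLogin no" would miss.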