What Mr. Vetters explains in his mail is very true. You should always try to use ssh and sftp (and in general any s-flavor comm program). This comment applies if you are working on the Internet, but if you are on a private network, behind a firewall, you could use the unsecure flavors. In any case you should not enable root access to telnet or ftp.

su-ing like Mr. Bart Vetters has stated is insecure if you suspect that you have someone in your network that wants your root password really bad, as it is very easy to write a sniffing or spoofing program (even though sequence cracking on Linux is more difficult than NT it is still vulnerable). Spoofing is very hard to eliminate so you should try to shut off any rpc (or alike) services.

Nevertheless, as stated before, if you are on your own little private network don't bother with all of this stuff, but you should be very careful if you are exposed to the Internet or there are malintentioned users on your LAN.

There is an excellent book (there are many!) on Linux Security called MAXIMUM Linux Security from SAMS - ISBN 0-672-32134-3

Everyone should have a copy. It's very easy to read and precise. A must have for exposed machines.

Saludos,
Alejandro Imass

And no, I don't work for SAMS press ;-]

Bart Vetters <[EMAIL PROTECTED]> on 12/09/2001 04:51:47 PM
Please respond to Bart Vetters <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: (bcc: Alejandro Imass/MPR de Venezuela S.A.)
Subject: Re: [expert] Cannot telnet or FTP in as root

Hi,

logging in as root over telnet or ftp is disabled by default. This is done for security reasons, as both these protocols transmit data (including passwords) in clear text over the network and it is trivial to collect passwords from a telnet or ftp stream.

Please note that logging in as a user and then su'ing to root, as several people suggested, does not help in any way - you're still typing root's password over an unencrypted connection.

The way root is kept from logging in via an insecure terminal (or pseudo-terminal, as in telnet or ftp) is that /bin/login checks for the presence of a file /etc/securetty that lists the terminals root is allowed to log in on. If /etc/securetty is not present, root can log in via every terminal. If it is present and empty, root can not log in anywhere except the console. If any terminals are listed in the file, root can log in via those and the console. The manpage on login has more information.

So, if you want to live dangerously, remove /etc/securetty and root can log in from anywhere.

In the real world, use ssh. :)

CU
Bart

--
----------------------------------------------
Bart Vetters  | [EMAIL PROTECTED]
KMI - IRM     | Tel.: +32.2.373.04.77
Ringlaan 3    | Fax.: +32.2.373.06.57
1180 Brussel  | Pubkey ID: C182DF19
----------------------------------------------

Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
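The /etc/securetty rules described in Bart Vetters' message, written as an audit check. This is an added example, not part of the original thread; the function names, the treatment of # lines as comments, and the pts/ and ttyp prefixes used to recognise pseudo-terminals are assumptions.

```shell
#!/bin/sh
# Added example: audit a securetty file against the three cases in the message.
# Run it as: audit_securetty /etc/securetty

# Print the terminal entries, one per line, without comments or blank lines
# (assumption: text after '#' is a comment).
securetty_entries() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Classify the file: absent, console-only (present but empty) or listed.
securetty_policy() {
    file=${1:-/etc/securetty}
    if [ ! -e "$file" ]; then
        echo "absent"
    elif [ -z "$(securetty_entries "$file")" ]; then
        echo "console-only"
    else
        echo "listed"
    fi
}

# Entries that name pseudo-terminals, i.e. network logins such as telnet
# (assumption: they are named pts/N or ttypN).
securetty_network_entries() {
    securetty_entries "${1:-/etc/securetty}" | grep -E '^(pts/|ttyp)' || true
}

# Exit status: 0 = root limited to local terminals, 1 = pseudo-terminals
# listed for root, 2 = file missing so root is not restricted at all.
audit_securetty() {
    file=${1:-/etc/securetty}
    case $(securetty_policy "$file") in
        absent)
            echo "FAIL: $file missing, root may log in on every terminal"
            return 2 ;;
        console-only)
            echo "OK: $file is empty, root is limited to the console"
            return 0 ;;
    esac
    net=$(securetty_network_entries "$file")
    if [ -n "$net" ]; then
        echo "WARN: root allowed on pseudo-terminals:" $net
        return 1
    fi
    echo "OK: only local terminals are listed for root"
}
```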
