On Sat, 23 Jun 2001 at 10:24, Leo Martinez wrote:
> I am using RH6.2. I want to allow the root to login remotely to the
> linux server using telnet. According to redhat.com I have to modify
> /etc/securetty and add this: pts/0, pts/1 and pts/2. I did already,
> but it didn't work. Is there another way to allow the root to telnet the
> linux box?

A lot of people have given their share and I just thought I'd give mine
(while waiting for Debian to finish downloading the packages for gcc 3.0
from the unstable tree).

Like so many others I do not recommend allowing root to connect remotely
(via telnet and/or ssh). I would even recommend you to disable and remove
telnet altogether. Let's explain this one by one dealing with the latter
one first.

Why remove telnet altogether? Because, for one, if you just disable it, it
will use space on your hard drive. Why disable it, then? Because it is
unencrypted and it is so easy (and common) for people to sniff around,
waiting for precious information to come by them (i.e.: your password or
some other [l]user's).

Why should root not be allowed to connect remotely? Because root is an
obviously unlimited resource to tap (it can do anything to your system as
that's what it's designed to do). With remote root login enabled, it's
like having a door with direct access to your entire system. Sure, it may
be protected by your password, but that can still be brute forced!

What do I recommend then? I recommend you only enable remote shell login
via SSH, and I recommend you limit the users with shell access to your
system via SSH. You may even want to add a layer of protection by doing
host-based restriction which AFAIK can be done using SSH2 and/or OpenSSH.

What do you use when you need root access, then? I recommend you use sudo.
With sudo you can allow a user to do a limited (or unlimited if you wish)
set of tasks as root. This allows you to selectively (or completely)
delegate root tasks to particular drones (hehehe, I couldn't resist that).
When first run, sudo will ask the "drone" for his/her password, not root's
password. This is for protection considering the possibility of shell
terminals open sitting idly for the world to use. There is then a time
delay set between invocations of sudo where again the password is
requested. This way, you don't need to broadcast root's password. sudo
also logs activity to syslog, and if access to the shell programs (bash,
sh, and whatever else you have installed) is prohibited, you can know by
inspection who did what as root using sudo. I prefer this to the 'su'
approach (which in turn asks you for root's password).

Good luck, and remember, "security begins at home". Hahaha. Again, I
couldn't resist. Our village's security group has that posted near the
entrance to the village and it's been there since I can first remember
seeing this village (even before we moved in). :)

--> Jijo
--
Linux, MS-DOS, and Windows NT ...
... also known as the Good, the Bad, and the Ugly
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
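
The syslog audit trail described in the message above (who did what as root, and why permitting shells through sudo defeats it), as an added example that is not part of the original post. The log lines are constructed samples in the traditional sudo syslog format; the host name, user names and the `SHELL_LIKE` list are assumptions.

```python
import re

# Constructed sample lines in the traditional sudo syslog format (made-up host and users).
SAMPLE_LOG = """\
Jun 23 10:31:02 box sudo:     jijo : TTY=pts/0 ; PWD=/home/jijo ; USER=root ; COMMAND=/sbin/service httpd restart
Jun 23 10:35:40 box sudo:      leo : TTY=pts/1 ; PWD=/home/leo ; USER=root ; COMMAND=/bin/bash
Jun 23 10:36:11 box sudo:    guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 23 10:40:00 box sshd[412]: Accepted password for jijo from 192.0.2.7 port 1022 ssh2
Jun 23 10:41:19 box sudo:     jijo : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

LINE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")
# Assumption: commands that hand over an interactive root shell, after which
# sudo logs nothing further about what was done.
SHELL_LIKE = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}

def parse(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = LINE.search(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so cut it off first.
    head, _, command = m.group("rest").partition("COMMAND=")
    fields, notes = {}, []
    for part in head.split(" ; "):
        part = part.strip(" ;")
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value
        else:
            notes.append(part)  # e.g. "user NOT in sudoers"
    argv = command.split()
    return {
        "user": m.group("user"),
        "runas": fields.get("USER", "root"),
        "command": command,
        "denied": bool(notes),
        "shell": bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELL_LIKE,
    }

def audit(log_text):
    """Parse every sudo entry in a block of syslog text, skipping other daemons."""
    return [ev for ev in map(parse, log_text.splitlines()) if ev]

def lost_audit_trail(events):
    """Users who were granted a root shell: sudo cannot show what they did next."""
    return sorted({e["user"] for e in events if e["shell"] and not e["denied"]})
```
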