>Absolutely. And not to telnet into one's box b/c of how easy packet
>sniffing is. Perhaps we could explain the basics of how each packet gets
>sent to every ethernet card on the sender's side of the router/switch
>(depending on the config) and that it is trivial to read everyone's
>packets if desired. Also, not to use the same password as for mail
>(sniffing). Basically, a lot of stuff I wish I had known when I
>installed Linux.

i think a better idea might be to print out a quick basic security
howto and make sure they get a copy of it...security is really a tough
topic to cover quickly and thoroughly, esp if you have to do it multiple
times.
i have some related things to discuss about this at the meeting...i hope
everyone can come (and we will be moving mail about the installfest off
the list shortly---a new list has been set up...sorry for the spam,
everyone else)

>On a related note, how could I use pam to set up my user account so that
>I do need a password for remote logins, but not for local? (could I do
>this somehow with 2 usernames w/ the same group and home directory, but
>one can only login locally?)

i have pam set up to disallow remote logins for a group, so this is
feasible.
(i also use 2 accounts with same everything except login shell, because
ssh has a hard time dealing with a login shell of
/usr/sbin/ssh-agent /usr/local/bin/screen -R, oddly enough)

so, how do i do it?

/etc/pam.d/login contains the following line first
auth       required     /lib/security/pam_listfile.so onerr=fail item=tty sense=allow file=/etc/usertty apply=@new

and people in group new can't remote login.
(/etc/usertty contains only ttyX and not ttypX)

for more elucidation, i believe i read the pam howto or maybe just the docs
with the redhat pam setup

NB:  i had to do the same thing for ssh which bypasses normal login(1)
unless you tell it otherwise during prebuild config.  ssh1 only, and
i'm using the ssh srpm from ftp.replay.com which has integrated PAM
support.
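
A simplified model of how the pam_listfile line above decides a login, added here as an example; it is not part of the original message and not PAM's own code. The group sets, tty names and /etc/usertty contents are constructed, the function name listfile_decision is hypothetical, and "ignore" means the rule does not apply and the rest of the PAM stack decides.

```python
"""Simplified model of the pam_listfile rule from the message (not PAM's own code)."""


def listfile_decision(user_groups, tty, usertty_lines, apply_group="new",
                      sense="allow", onerr="fail"):
    """Return 'ignore', 'allow' or 'deny' for one login attempt.

    usertty_lines is the content of the list file as a list of lines,
    or None when the file cannot be read.
    """
    # apply=@new: the rule only constrains members of that group.
    if apply_group not in user_groups:
        return "ignore"
    # onerr=fail: an unreadable list file locks group members out.
    if usertty_lines is None:
        return "deny" if onerr == "fail" else "allow"
    # Assumption: a leading /dev/ is dropped before comparing tty names.
    name = tty[5:] if tty.startswith("/dev/") else tty
    listed = name in {line.strip() for line in usertty_lines if line.strip()}
    # sense=allow: listed ttys pass; sense=deny inverts that.
    if sense == "allow":
        return "allow" if listed else "deny"
    return "deny" if listed else "allow"


# Constructed sample: console ttys only, no pseudo-terminals.
USERTTY = ["tty1", "tty2", "tty3", "tty4", "tty5", "tty6"]


def demo():
    cases = [
        ("member of new, console", {"new", "users"}, "/dev/tty1"),
        ("member of new, remote pty", {"new", "users"}, "/dev/ttyp0"),
        ("not in new, remote pty", {"users"}, "/dev/ttyp0"),
    ]
    return [(label, listfile_decision(groups, tty, USERTTY))
            for label, groups, tty in cases]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:28} -> {result}")
```

The missing-file case is worth checking before relying on onerr=fail: if /etc/usertty is deleted or unreadable, members of the group are locked out of console logins as well.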