Subject: Re: allow access of root user
From: James Wyatt (jwyattrwsystems.net)
Date: Tue Jul 25 2000 - 09:26:52 CDT


On Tue, 25 Jul 2000, Jean-Claude STAQUET wrote:
> How do you allow remote login on a freebsd system ?
> I'm able to login as root on the freebsd console itself but not from
> another machine.

Warning: allowing root to directly log in via telnet is very risky. It
exposes your root password to sniffing anywhere along the IP path,
provides almost no trace of *who* logged in as root, and lets casual
errors become more common. (folks get lazy about being root)

That said: Root logins for telnetd and login are controlled by /etc/ttys
(see 'man ttys') and adding 'secure' to the 'ttyp' lines (like the 'ttyv'
lines) will allow root to login directly. Please try to avoid doing that!

The traditional way to become root remotely is to log in as a 'normal'
user with that user's password (usually in the suaccess or wheel groups)
and use 'su' (see man 'su') command to become root. Only users with both
passwords are allowed to do 'powerful things'. The root password can still
be sniffed, but only if whole sessions are sniffed and recorded. Simple
password gatherers like Linsniffer won't work.

Check out 'sudo' in the packages (or ports) tree. It is still vulnerable
to linsniffer since the same password is used, but you can limit commands
that run as root for the user to things like backups and shutdown scripts.

Best way, IMHO, is to use ssh (or better yet, OpenSSH) to provide
encrypted root logins. There is an option to allow root logins with it
directly. This requires you to install OpenSSH (see ports tree) on the
hosts you want to control and some kind of ssh client on the machine(s)
you want to log in from. (There are several for Windows and Unix. If it's
another FreeBSD machine, you can just use OpenSSH again.) If you consider
using 'ssh2', read the license carefully.

Sorry for a long reply to a short question, but you *really* need to
balance your risks of password sniffing and power of root access. If your
hosts are next to each other on isolated switches, maybe root telnets are
OK. If you are dialing up over quite a distance and are a good target for
attacks, install OpenSSH or ssh.

Hope this helps - Jy

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
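The reply above turns on two settings: the 'secure' flag on the ttyp (network pseudo-terminal) lines of /etc/ttys, and PermitRootLogin in sshd_config. The following audit script is an added example, not code from the thread; it assumes the FreeBSD-style /etc/ttys layout and uses constructed sample files in place of a real host's configuration.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a FreeBSD-style /etc/ttys
# for pseudo-terminal (ttyp*) entries marked 'secure', which is exactly the
# setting that lets root log in directly over telnet, and reads the
# PermitRootLogin setting from an sshd_config. All sample files are constructed.

# Print the names of ttyp* entries carrying the 'secure' flag. Comment and blank
# lines are skipped; the getty command field may be quoted, so every field after
# the tty name is examined rather than a fixed column.
remote_root_ttys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /^ttyp/ {
            for (i = 2; i <= NF; i++) if ($i == "secure") { print $1; break }
        }
    ' "$1"
}

# Succeed (exit 0) when at least one pseudo-terminal allows direct root login.
remote_root_allowed() {
    [ -n "$(remote_root_ttys "$1")" ]
}

# Print the PermitRootLogin value from an sshd_config, or "unset" if absent
# (the effective default then depends on the OpenSSH release installed).
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-unset}"
}

# Constructed sample files, laid out like the real ones (hypothetical content).
SAMPLE_TTYS=$(mktemp); HARDENED_TTYS=$(mktemp); SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_TTYS" <<'EOF'
# name    getty                          type    status  comments
console   none                           unknown off secure
ttyv0     "/usr/libexec/getty Pc"        cons25  on  secure
ttyp0     none                           network
ttyp1     none                           network secure
ttyp2     none                           network secure
EOF
# Same file with the flag stripped from the pseudo-terminals (root must 'su').
sed '/^ttyp/s/[[:space:]]secure[[:space:]]*$//' "$SAMPLE_TTYS" > "$HARDENED_TTYS"
printf 'Port 22\nPermitRootLogin no\n' > "$SAMPLE_SSHD"

echo "ttys allowing direct remote root login: $(remote_root_ttys "$SAMPLE_TTYS" | tr '\n' ' ')"
echo "after hardening: $(remote_root_ttys "$HARDENED_TTYS" | tr '\n' ' ')"
echo "sshd PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD")"
```

Run it against /etc/ttys and /etc/ssh/sshd_config on a real host to see which terminals accept a direct root login and whether sshd still has the directive unset.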