From: Tzafrir Cohen (tzafrir technion.ac.il)
Date: Thu Jan 17 2002 - 11:25:18 CST
On Thu, 17 Jan 2002, Buchan Milne wrote:
> I don't know how many of you guys on this list answer questions on
> MandrakeExpert, but I do on occasion. Sometimes I get questions that I
> don't feel comfortable answering correctly.
>
> For example, I answered someone who wanted to enable the telnet server
> with a standard "Use ssh" reply (AFAIK there is no reason one would need
> a telnet server, telnet client I can understand: some network devices
> need configuration via telnet). The user figured telnet out himself
> (after I explained the basics of getting ssh running, and pointing him
> to some docs on ssh with keys).
Think of a home network, without any wireless devices. Physical security
is generally assumed (if someone can break into your house to install
tapping, he might just as well install a camera to record your keyboard
typing).
Furthermore, every Windows machine comes with a telnet client. Not every
such machine comes with an ssh client.
And ssh is a protocol that is a bit more complex than telnet, and consumes
more CPU.
>
> He then asked how to make it possible for root to log in directly
> without needing to log in as a user first.
It is a simpler procedure. You want to make it more difficult: choose a
complicated root password. If you mostly need to work on the machine as
root (I'm not sure if such a situation exists) then there is no point in a
more complicated procedure.
>
> So this time, I answered that if he really wanted an insecure box, he
> should install redhat 6.2 or so, which would set up all that for him by
> default, rather than wasting all the work of packagers and developers
> trying to improve security.
You think of a normal usage scenario. Sure, Mandrake is configured better
now by default than it was a year ago, but my system is mine to modify to
fit my needs.
Sure I don't allow root logins through ssh. Sure, I don't keep telnet
working in my home computer. But on my local server I have enabled finger
even if it is not on by default. In some cases I am more strict (I disable
SUID bit of ssh, for instance). Linux is free software.
If someone asks you how to shoot himself in the leg, you should warn him
that it will hurt, but you can't hide the gun, because it's his gun, and
he has every right to pull the trigger.
(For those who don't know this: public.logica.com/~stepneys/joke/foot.htm )
--
Tzafrir Cohen                       /"\
mailto:tzafrirtechnion.ac.il        \ /    ASCII Ribbon Campaign
Taub 229, 972-4-829-3942,            X     Against HTML Mail
http://www.technion.ac.il/~tzafrir  / \