Telnet root login

Chuck Robey chuckr at telenix.org
Wed Mar 25 16:45:19 PDT 2009



Julian Elischer wrote:
> Ian FREISLICH wrote:
>> Barney Cordoba wrote:
>>>> Barney, you have to make the network pseudo ttys secure,
>>>> like:
>>>>
>>>> ttyp0   none    network    secure
>>>>
>>>> Ruben
>>> Yes, the "it's not a good idea" is dependent on whatever other
>>> security you have in place. Having to log in twice to a test
>>> machine on a secure internal network is an unnecessary annoyance.
>>> The concept that every FreeBSD box in existence is publicly accessible
>>> is one of those ASSumptions that people should leave at the door.
>>>
>>> Ruben, the method you cite no longer works in -current as they've
>>> changed things once again (which happens way too often when your CEOs
>>> are a bunch of bearded academics :)
>>>
>>> I'm not sure if it's the pty (the login terminal shows as pty/0 and no
>>> longer ttyp0), or if it's some PAM thing. It's rather annoying.
>>> Such things as
>>> pty/0 none network secure
>>> pty0 none network secure
>>>
>>> equally don't work. And I see no mention in any document as to how it
>>> would be achieved with the current
>>
>> Then use ssh and set "PermitRootLogin yes" in /etc/ssh/sshd_config
> 
> this doesn't work if you are using a set of machines run from a central
> machine using nc (netcat) to do scripted i/o through a telnet session on
> the other machines (for example).
> 
> The advantage of telnet is you can pipe nc straight into it.

Julian, I don't know nc, but can't you stick keys in your ~/.ssh, then use ssh
the same way?  Doing without passwords, but keeping your security, inside nc?  I
think, at minimum, you could use ssh forwarding, but doesn't nc allow this
directly?  I just hate the idea of killing all the security, and hadn't yet seen
any (even wildly unlikely) scenario that needs you to do that.

I begin to suspect that there might be a whole lot of folks who aren't aware of
how to use ssh to eliminate passwords.  Security writeups are always too
complicated, that's a truism.

> 
>>
>> Ian
>>
>> -- 
>> Ian Freislich
>> _______________________________________________
>> freebsd-current at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to
>> "freebsd-current-unsubscribe at freebsd.org"
> 

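Added example (not part of the original message, and not FreeBSD project code): a small Python audit that reads the text of an /etc/ttys and an sshd_config and reports the two settings discussed in this thread, network ttys marked "secure" and "PermitRootLogin yes", so a host can be checked for key-only root access over ssh. The sample file contents are constructed, the function names are hypothetical, and the script assumes sshd_config has no Match blocks.

```python
import shlex

# Constructed sample inputs (not taken from any real host).
SAMPLE_TTYS = '''\
# name  getty                      type     status
ttyv0   "/usr/libexec/getty Pc"    cons25   on secure
ttyp0   none                       network  secure
ttyp1   none                       network
ttyp2   none                       network  off secure  # trailing comment
'''
SAMPLE_SSHD = '''\
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin without-password
'''
# PermitRootLogin values that do not let root authenticate with a password.
NO_ROOT_PASSWORD = {"no", "without-password", "prohibit-password",
                    "forced-commands-only"}


def secure_network_ttys(ttys_text):
    """Names of network ttys flagged 'secure' (root may log in on them)."""
    hits = []
    for line in ttys_text.splitlines():
        fields = shlex.split(line, comments=True)  # quoted getty, '#' comments
        if len(fields) >= 3 and fields[2] == "network" and "secure" in fields[3:]:
            hits.append(fields[0])
    return hits


def permit_root_login(sshd_text):
    """Effective PermitRootLogin: sshd uses the first value it reads."""
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None  # unset: the compiled-in default applies


def audit(ttys_text, sshd_text):
    findings = [f"{name}: network tty marked secure, root login allowed"
                for name in secure_network_ttys(ttys_text)]
    value = permit_root_login(sshd_text)
    if value not in NO_ROOT_PASSWORD:
        findings.append(f"sshd: PermitRootLogin is {value!r}, not key-only")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TTYS, SAMPLE_SSHD)))
```

In the constructed sshd_config the later "without-password" line has no effect because the earlier "yes" is read first, which is why the audit still flags it.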

