root login with telnetd

Chris Kottaridis chriskot at quietwind.net
Mon Mar 12 17:14:00 UTC 2007


On Sat, 2007-03-10 at 22:52 +0100, Wojciech Puchar wrote:
> can it be set to make possible to login root to machine through telnet and 
> without telneting to some user and then su -
> ?
> 
> with sshd and rshd it can be set, with telnetd - no success.
> 

My reasons for this being a bad idea aren't so much from concerns about
attack from outside, but it's more an issue of accountability.

When I ran a computing facility at a University we had some paid student
assistance, as well as faculty, that were reasonably entitled to have
the root password on various machines. Inevitably, the root password
would find its way to some other student or some faculty member's
assistant and they'd get on the machine and do something as root. In all
cases they were trying to help, but in getting the features they were
interested in getting to work, they unknowingly mucked something else
up.

We did not allow any "frontline" root logins so they had to sign in on
one of the user's accounts and then su to root. Of course su logs this
in the log files. So, we would take a look at the log files to see which
users had su'd about the time the problem started occurring to ask them
what they had done, or were trying to do. A couple of times that
particular user was out of town and these machines weren't on the
internet nor did they have a modem, so it was clear that user had given
his account and root passwords to another person to work on their
project when they were gone. By the way, faculty were the worst
offenders at this. Some of them consider SysAdmin below them and would
hand those tasks off to some student, but that's a whole different
discussion.

Anyway, there was never anything nefarious going on, but having root
accesses logged in the log files was very helpful in allowing us to
build a history of what might have been done on the machine, and who did
it, to cause the failure. If you allow "front line" logins via telnet
and friends you won't have that accountability, because you'll have no
idea who it may have been that logged in so you can't ask them what they
might have been up to. By the way once everyone involved realized that
we weren't going to take them out back and have some thugs beat them up
for giving out the root passwords everyone was very helpful and we got
things fixed much faster than we would have if we had tried to blindly
figure things out on our own.

By the way, restricting su to wheel group is something I've always liked
about the BSDs. Again, it helps with the accountability factor on a
machine. I was flabbergasted when I first logged into a Linux box and
created a user and then su'ed to root from that user without ever adding
him to a "wheel" type group, I think Linux has a "root" group. This
doesn't really apply to this topic that much, but it irks me so much,
that Linux allows just any old user to su, I just wanted to vent a
little bit about it. Maybe they do it in a different way that I just
haven't needed to figure out yet.

So, I would argue that you really don't want to allow "frontline" logins
not so much for security reasons as for accountability reasons.

Thanks
	Chris Kottaridis    (chriskot at quietwind.net)
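
The log review described in this message (finding who su'd to root shortly before a problem started), as an added example that is not part of the original post. The log line layout, host name and user names are constructed, and the function names are hypothetical; check the pattern against your own syslog output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of su records written via syslog (assumed layout).
SAMPLE_LOG = """\
Mar 10 09:12:44 lab1 su: alice to root on /dev/ttyp0
Mar 10 14:03:10 lab1 su: BAD SU mallory to root on /dev/ttyp3
Mar 10 14:05:31 lab1 su: bob to root on /dev/ttyp2
Mar 10 14:40:02 lab1 sshd[812]: Accepted password for carol from 10.0.0.7
Mar 11 08:00:15 lab1 su[977]: carol to root on /dev/ttyp1
"""

# Timestamp, host, "su" with optional pid, optional failure marker, who -> whom, tty.
SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(text, year):
    """Return one dict per su record. Syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if m is None:
            continue  # not an su record (e.g. sshd, cron)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "when": when,
            "user": m["user"],
            "target": m["target"],
            "tty": m["tty"],
            "success": m["bad"] is None,
        })
    return events


def root_su_before(text, incident, hours_before, year):
    """su attempts to root in the window leading up to the incident, oldest first."""
    start = incident - timedelta(hours=hours_before)
    hits = [e for e in parse_su_events(text, year)
            if e["target"] == "root" and start <= e["when"] <= incident]
    return sorted(hits, key=lambda e: e["when"])


if __name__ == "__main__":
    for e in root_su_before(SAMPLE_LOG, datetime(2007, 3, 10, 15, 0), 2, 2007):
        status = "ok" if e["success"] else "FAILED"
        print(f'{e["when"]}  {e["user"]:<8} -> root  {e["tty"]}  {status}')
```

Failed attempts are kept in the result on purpose: a failed su just before a successful one by another account is worth asking about as well.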

