RE: root login?

Alexander.vanLuijpen@nym.sc.philips.com
Mon, 8 Mar 1999 09:35:35 +0100


In this case I wonder about the following ... is X(DM) more secure? ...
using XDMCP I can log in from any machine as root from my network. I know I
can modify the Xaccess file to allow only connections from certain hosts,
but I think this disables the general XDM login (for all users) ... can I
also disallow root from using XDM (perhaps only from a secure workstation?)

> -----Original Message-----
> From: Mark Hahn [SMTP:hahn@coffee.psychology.mcmaster.ca]
> Sent: Saturday, March 06, 1999 6:24 PM
> To: linux-net@vger.rutgers.edu
> Subject: Re: root login?
>
> > > It is for security reason, you can't connect directly by root, only
> > > with su.
> >
> > > > I use win95's telnet connect to RedHat Linux (kernel 2.0.33).
> > > > >I can not login using the name 'root' (of course I give the right
> > > > >password), but I can login using another name (such as 'guest')
> > > > >and 'su' to root. Why? thanks!
>
> the explanation given omits the important reason: telnet is INSECURE.
> you MUST NEVER telnet (or ftp or rlogin) as root, unless you have some
> reason to believe your net is really, really free of sniffers. the issue,
> of course, is that the password is transmitted in the clear, and therefore
> trivial to sniff. most competent admins use ssh these days. there are
> a few other secure login systems, but most are more obscure or difficult
> to admin (ie, kerberos).
>
> > To expand slightly on the above answer: if you log in as root nobody
> > else can know who logged in as root. It is true that if you can log
>
> this may be an issue for you; it certainly isn't a general one.
>
> > A secure system will have a 'wheel' group. su will have group
>
> this is also not universally true. it's a nice trick, but not necessary.
>
> > Therefore, even a person who has managed to snoop the root password
> > will not be able to su or log in as root without obtaining direct
>
> uh, a sniffer will work just as well when you telnet/rlogin
> as wheel, then su to root.
>
>
Vriendelijke Groeten / Kind Regards,

Alexander van Luijpen

Philips Semiconductors Nederland
Test and Product Engineering
MOS4YOU - C075 OTP / Consumer Systems Nijmegen - BL Video

email: Alexander.vanLuijpen@nym.sc.philips.com
email: vluijpen@cistron.nl
tel: (+31)-24-353 4639
tel: (+31)-24-378 9475
