Subject: Re: [suse-security] /etc/sshd_config wize to change
From: Roman Drahtmueller (draht uni-freiburg.de)
Date: Mon Apr 10 2000 - 17:49:54 CDT
- Next message: Joop Boonen: "Re: [suse-security] /etc/sshd_config wize to change"
- Previous message: Simon Lodal: "Re: [suse-security] /etc/sshd_config wize to change"
- In reply to: Simon Lodal: "Re: [suse-security] /etc/sshd_config wize to change"
- Next in thread: Joop Boonen: "Re: [suse-security] /etc/sshd_config wize to change"
- Reply: Roman Drahtmueller: "Re: [suse-security] /etc/sshd_config wize to change"
> What is confusing is the rc.config setting ROOT_LOGIN_REMOTE. It only
> covers telnet, which no sane security minded person would use anyway.
> The comments do not indicate this however, so one might think that
> no remote login was possible at all when this is set to "no", very
> unfortunate!
>
> It would seem logical to let ROOT_LOGIN_REMOTE affect all kinds of
> remote shells, if possible, or at least put a comment on it that it
> only affects telnet.
>
> Regards,
>
> Simon Lodal

You're right, the fact deserves at least a comment in /etc/rc.config.

But if you claim that a password authentication scheme is insecure even if
protected communication channels (console, ssh, ...) are being used, then
why would you use password authentication methods in the first place?
(Passwords are useless if you don't honor the secret they provide.)

ROOT_LOGIN_REMOTE is window-dressing anyway, unless you decline logins of
ordinary users as well. The use of `su -' succeeding a login using a
plaintext protocol and password authentication is even worse, revealing
_two_ passwords. (I wonder who we protect ourselves against...) From
this standpoint, it might make sense to abolish the ROOT_LOGIN_REMOTE
mimics completely and replace it with a general ALLOW_LOGIN_REMOTE and/or
PLAINTEXT_LOGIN_REMOTE, effectual for all users of the system in question
by disabling all unencrypted login options.

To me, this approach is more modern than the other ones. Again, taste may
vary...

There still remains the legal problem with cryptography in some countries.
But interesting legislative development is in sight...

Roman.
--
Roman Drahtmüller
CC University of Freiburg
email: drahtuni-freiburg.de
"Freedom means that you can choose what you want to learn at a given time." A. Becker, 1999
People often find it easier to be a result of the past than a cause of the future.
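
An added example, not part of the original message or of SuSE's tooling: a shell audit of the gap discussed above, reporting which plaintext login services are still enabled in inetd.conf and whether sshd permits root logins, next to the ROOT_LOGIN_REMOTE value. The function names, the service list, the file paths passed as arguments and the first-match rule for PermitRootLogin (OpenSSH behaviour) are assumptions.

```shell
#!/bin/sh
# Added example: list remote login paths that ROOT_LOGIN_REMOTE="no" leaves open.
# Assumption: inetd.conf service names that carry logins or passwords in clear.
PLAINTEXT_SERVICES="telnet login shell exec ftp"

# Print each plaintext service that is enabled (not commented out) in inetd.conf.
plaintext_services() {
    awk -v list="$PLAINTEXT_SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # comments and malformed entries
        ($1 in want) && !seen[$1]++ { print $1 }
    ' "$1"
}

# Value of ROOT_LOGIN_REMOTE in an rc.config-style file, or "unset".
root_login_remote() {
    v=$(sed -n 's/^ROOT_LOGIN_REMOTE="\{0,1\}\([^"# ]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-unset}"
}

# PermitRootLogin from sshd_config, or "default" if the keyword is absent.
# Assumption: first occurrence wins, as in OpenSSH.
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-default}"
}

# audit RC_CONFIG INETD_CONF SSHD_CONFIG: one-line summary of what still accepts logins.
audit() {
    svc=$(plaintext_services "$2" | tr '\n' ' ')
    echo "ROOT_LOGIN_REMOTE=$(root_login_remote "$1") plaintext=[${svc% }] ssh_root=$(permit_root_login "$3")"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

A non-empty `plaintext=[...]` list together with `ROOT_LOGIN_REMOTE=no` is the situation the thread describes: the setting reads as restrictive while other unencrypted login paths remain enabled.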