Re: Telnet root login

From: Barney Cordoba <barney_cordoba_at_yahoo.com>
Date: Wed, 25 Mar 2009 04:25:19 -0700 (PDT)
--- On Wed, 3/25/09, Ruben de Groot <mail25_at_bzerk.org> wrote:

> From: Ruben de Groot <mail25_at_bzerk.org>
> Subject: Re: Telnet root login
> To: "Chuck Robey" <chuckr_at_telenix.org>
> Cc: barney_cordoba_at_yahoo.com, current_at_freebsd.org
> Date: Wednesday, March 25, 2009, 5:53 AM
> On Tue, Mar 24, 2009 at 08:56:28PM -0400, Chuck Robey typed:
> > Barney Cordoba wrote:
> > > How do you enable root telnet access in current? I remember having some
> > > issue with specifying pty/0 in ttys years ago in Linux but the right
> > > way to do it escapes me.
> > 
> > I really wouldn't do that.  If you have to get external root access, use ssh,
> > but if you haven't been broken into yourself, it's FAR more likely that you just
> > haven't seen it, than it hasn't happened.  You don't want to allow folks into
> > your machine, there isn't any such thing as honor among those folks.
> 
> Sound advice, but not an answer to his question.
> Barney, you have to make the network pseudo ttys secure,
> like:
> 
> ttyp0   none    network    secure
> 
> Ruben

Yes, the "it's not a good idea" is dependent on whatever other
security you have in place. Having to log in twice to a test
machine on a secure internal network is an unnecessary annoyance.
The concept that every FreeBSD box in existence is publicly accessible
is one of those ASSumptions that people should leave at the door.

Ruben, the method you cite no longer works in -current as they've 
changed things once again (which happens way too often when your CEOs 
are a bunch of bearded academics :)

I'm not sure if it's the pty (the login terminal shows as pty/0 and
no longer ttyp0), or if it's some PAM thing. It's rather annoying.
Such things as 

pty/0 none network secure
pty0 none network secure

equally don't work. And I see no mention in any document as to how it
would be achieved with the current

Barney


      
Received on Wed Mar 25 2009 - 10:25:21 UTC
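
An added example, not part of the original thread: a small audit script that parses ttys(5)-format text and lists the network terminal entries flagged `secure`, the setting discussed above that permits direct root login on those lines. The sample file contents are constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample in ttys(5) layout: name, getty command, type, flags.
SAMPLE_TTYS = '''\
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyu0   "/usr/libexec/getty std.9600"   dialup  off secure
ttyp0   none                            network secure
ttyp1   none                            network
ttyp2   none                            network off insecure
'''


def parse_ttys(text):
    """Yield (name, command, type, flags) for each entry in ttys(5) text."""
    for line in text.splitlines():
        # shlex keeps the quoted getty command as one field and drops
        # '#' comments, both whole-line and trailing.
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue  # blank line, comment, or malformed entry
        name, command, tty_type = fields[:3]
        yield name, command, tty_type, set(fields[3:])


def secure_network_ttys(text):
    """Return names of entries of type 'network' that carry the secure flag."""
    names = []
    for name, _command, tty_type, flags in parse_ttys(text):
        if tty_type == "network" and "secure" in flags and "insecure" not in flags:
            names.append(name)
    return names


if __name__ == "__main__":
    # On a real host, read the file instead: open("/etc/ttys").read()
    for name in secure_network_ttys(SAMPLE_TTYS):
        print(f"{name}: network terminal marked secure (root login permitted)")
```
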

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:44 UTC