Re: Telnet root login

From: Barney Cordoba <barney_cordoba_at_yahoo.com>
Date: Wed, 25 Mar 2009 16:51:23 -0700 (PDT)
--- On Wed, 3/25/09, Chuck Robey <chuckr_at_telenix.org> wrote:

> From: Chuck Robey <chuckr_at_telenix.org>
> Subject: Re: Telnet root login
> To: "Julian Elischer" <julian_at_elischer.org>
> Cc: barney_cordoba_at_yahoo.com, "Ruben de Groot" <mail25_at_bzerk.org>, "Ian FREISLICH" <ianf_at_clue.co.za>, current_at_freebsd.org
> Date: Wednesday, March 25, 2009, 7:45 PM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Julian Elischer wrote:
> > Ian FREISLICH wrote:
> >> Barney Cordoba wrote:
> >>>> Barney, you have to make the network pseudo ttys secure,
> >>>> like:
> >>>>
> >>>> ttyp0   none    network    secure
> >>>>
> >>>> Ruben
> >>> Yes, the "it's not a good idea" is dependent on whatever other
> >>> security you have in place. Having to log in twice to a test
> >>> machine on a secure internal network is an unnecessary annoyance.
> >>> The concept that every FreeBSD box in existence is publicly accessible
> >>> is one of those ASSumptions that people should leave at the door.
> >>>
> >>> Ruben, the method you cite no longer works in -current as they've
> >>> changed things once again (which happens way too often when your CEOs
> >>> are a bunch of bearded academics :)
> >>>
> >>> I'm not sure if it's the pty (the login terminal shows as pty/0 and no
> >>> longer ttyp0), or if it's some PAM thing. It's rather annoying.
> >>> Such things as
> >>> pty/0 none network secure
> >>> pty0 none network secure
> >>>
> >>> equally don't work. And I see no mention in any document as to how it
> >>> would be achieved with the current
> >>
> >> Then use ssh and set "PermitRootLogin yes" in /etc/ssh/sshd_config
> > 
> > this doesn't work if you are using a set of machines run from a central
> > machine using nc (netcat) to do scripted i/o through a telnet session on
> > the other machines (for example).
> > 
> > The advantage of telnet is you can pipe nc straight into it.
> 
> Julian, I don't know nc, but can't you stick keys in your ~/.ssh, then use ssh
> the same way?  Doing without passwords, but keeping your security, inside nc?  I
> think, at minimum, you could use ssh forwarding, but doesn't nc allow this
> directly?  I just hate the idea of killing all the security, and hadn't yet seen
> any (even wildly unlikely) scenario that needs you to do that.
> 
> I begin to suspect that there might be a whole lot of folks who aren't aware of
> how to use ssh to eliminate passwords.  Security writeups are always too
> complicated, that's a truism.

Another Truism: there are a whole lot of folks who are way 
too anally retentive for their own good.

Barney


      
Received on Wed Mar 25 2009 - 22:51:25 UTC
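
Added example, not part of the original thread or of FreeBSD: a shell check that lists ttys entries of type "network" carrying the "secure" flag, the setting in the quoted "ttyp0 none network secure" line, so a reviewer can see which network terminals accept a direct root login. The function names and the sample file are constructed; it assumes the classic ttys(5) layout of name, getty command, type, flags.

```shell
#!/bin/sh
# Audit a ttys(5) file read from standard input.
# Prints the name of every entry whose type is "network" and whose flags
# include "secure" (the flag that allows uid 0 to log in on that line).
# Typical use: audit_secure_network_ttys < /etc/ttys
audit_secure_network_ttys() {
    awk '
    {
        sub(/#.*/, "")                # drop comments, including trailing ones
        gsub(/"[^"]*"/, "QUOTED")     # a quoted getty command counts as one field
        if (NF < 3 || $3 != "network") next
        for (i = 4; i <= NF; i++)
            if ($i == "secure") { print $1; break }
    }'
}

# Constructed sample input (not taken from any real host).
sample_ttys() {
    cat <<'EOF'
# name  getty                       type     flags
console none                        unknown  off secure
ttyv0   "/usr/libexec/getty Pc"     cons25   on  secure
ttyp0   none                        network  secure
ttyp1   none                        network
ttyp2   none                        network  off insecure
ttyp3   none                        network  # secure only in a comment
EOF
}

# Demo run over the constructed sample.
sample_ttys | audit_secure_network_ttys
```

An empty result means no network terminal in the file is marked secure; local console entries such as ttyv0 are deliberately not reported.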

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:45 UTC