Bugtraq mailing list archives

Re: RH Linux telnet problems


From: jal () THIRDAGE COM (Jamie Lawrence)
Date: Thu, 15 Apr 1999 16:27:33 -0700


At 03:30 AM 4/15/99 -0800, Rui Ribeiro wrote:
> Today, when trying to log into a machine, I mistakenly used telnet over ssh.
> True, the RH 5.2 box is configured for not allowing root login. The only
> problem is that it still asks for the password after learning root is
> logging in. It denied access only after the password was introduced.
>
> It should issue an error and not ask for the password, since otherwise it's
> defeating the whole purpose of denying root telnet access. The purpose, of
> course, is preventing the raw transmission over the communication media.

Sniffing the wire is only part of the reason for disallowing
root login.

Other good reasons to make a user authenticate as a non-privileged
user first:

 - Prevent remote brute force attacks on the root password

 - Provide more of an audit trail to attempted root logins

 - Require two password compromises instead of one.

I agree, though, that not asking for the password would be better.
I don't know of a telnet daemon that does this, however.

-j
