Re: Enabling telnet, ftp, pop3 for root...



matt_left_coast <not@xxxxxxxxxx> (06-04-06 02:16:38):

> If you allow logging in directly as root, root can be hacked by someone
> entering "root" as a user name.

.... and authenticating. Your fault if you allow root login without
authentication. Or do you use passwords? Then it's your own fault if
they get in.

> Since root is a well known name, part of the process of hacking the
> system is already done. All that is needed is to guess the root
> password. If you disallow direct root login, then the hacker must
> guess a valid user AND the correct password for that user before they
> can even get into the system.

In most cases, it's not that hard to guess valid usernames. Looking
over one's shoulders, capturing traffic, intercepting dialogues, asking
Google, whatever. And you didn't consider that many attackers are not
totally unknown persons. If someone wants to get to your system, then
he has a reason to do so, i.e. he already has some information about
you.

> They must then figure out how to get to root.
>
> > Logging into root directly via proper authentication mechanisms and
> > disallowing normal users to become root appears more secure to me.
>
> Which is more secure? DISALLOWING DIRECT ROOT LOGIN.

Yes, for "system administrators" like you. I didn't know that there is
a Linux counterpart for 'MCSE'.

> Also, if there is more than one admin, the su will log who used root
> on the system and when. If you allow direct root login, then there is
> no telling which of the admins was on the system when problems
> started...

Since you only know about password authentication and that's the only
thing in the world, you _must_ even be an MCSE, being new to the Linux
world at all. I suggest you read about public key based
authentication. And yes, you can very well tell who logged in.

> > That's a common and very unreasonable misconception.
>
> As you can see, it is not even a misconception, much less a "very
> unreasonable one". It is clear you are laboring under some misguided
> concepts.

You don't even have a concept. See above.

> > Your statement holds for non-secure protocols (i.e. Telnet),
>
> And for people logging directly into consoles as well.

And for people using remote terminals like SSH. You are switching
context here. I'm talking about network security, but you're talking
about bubblegums.

> > but there you shouldn't even login as a normal user.
>
> Well, I guess if you babble long enough, you'll get something right
> just by random chance.

And you're just some angry MCSE, trying to show us how cool you are, and
that you have learned something. You are in the wrong place. Have a
look at comp.os.ms-windows.networking.windows.
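The accountability question the two posters argue about (whether allowing direct root login loses the "which admin was it" trail that su gives you, or whether key-based authentication keeps it) can be settled by looking at what the logs actually record. The following is an added example and is not code from anyone in this thread. It is a Python script that reads constructed auth.log lines and attributes each root access either to the user named on an su(1) line or to the owner of the SSH key fingerprint that sshd prints on an "Accepted publickey" line. The KEY_OWNERS inventory, all hostnames, addresses and fingerprints are constructed for the example. It also shows the caveat a practitioner cares about: a key-based root login is only attributable when every admin has an individual key and its fingerprint is inventoried; a shared or unregistered root key shows up as an unattributed root session, which is exactly the situation the first poster warns about.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample auth.log lines (not taken from the thread): a key-based
# root login, a normal user login, an su to root, a password guess against
# "root", and a root key login whose fingerprint is not in the inventory.
SAMPLE_AUTH_LOG = """\
Jun  4 02:10:01 host sshd[4711]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:AAAAexamplefp000000000000000000000000000000
Jun  4 02:11:15 host sshd[4720]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2: ED25519 SHA256:BBBBexamplefp000000000000000000000000000000
Jun  4 02:11:20 host su[4725]: (to root) alice on pts/1
Jun  4 02:12:03 host sshd[4730]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun  4 02:15:44 host sshd[4742]: Accepted publickey for root from 203.0.113.5 port 50010 ssh2: ED25519 SHA256:CCCCexamplefp000000000000000000000000000000
"""

# Constructed inventory mapping key fingerprints to people. In practice this
# comes from the comments in root's authorized_keys or a key-management system;
# the third fingerprint above is deliberately absent to show the failure mode.
KEY_OWNERS: Dict[str, str] = {
    "SHA256:AAAAexamplefp000000000000000000000000000000": "bob",
    "SHA256:BBBBexamplefp000000000000000000000000000000": "alice",
}

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]+)"
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+)"
    r" port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$")
SU_RE = re.compile(
    TS + r" \S+ su\[\d+\]: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


@dataclass
class RootEvent:
    timestamp: str
    method: str              # "ssh-publickey", "su" or "failed-password"
    person: Optional[str]    # None when the log cannot tie the event to a person
    source: str              # remote address for sshd events, tty for su


def root_events(log_text: str) -> List[RootEvent]:
    """Extract every root-related event and attribute it where the log allows."""
    events: List[RootEvent] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m["user"] == "root":
            # sshd records the key fingerprint, so a direct root login is
            # attributable exactly when that fingerprint belongs to one person.
            events.append(RootEvent(m["ts"], "ssh-publickey", KEY_OWNERS.get(m["fp"]), m["ip"]))
            continue
        m = SU_RE.match(line)
        if m and m["target"] == "root":
            # su names the calling user, which is the trail the first poster relies on.
            events.append(RootEvent(m["ts"], "su", m["user"], m["tty"]))
            continue
        m = FAILED_RE.match(line)
        if m and m["user"] == "root":
            # A password guess against the well-known "root" name; no person to attribute.
            events.append(RootEvent(m["ts"], "failed-password", None, m["ip"]))
    return events


def unattributed(events: List[RootEvent]) -> List[RootEvent]:
    """Successful root sessions that cannot be tied to a person."""
    return [e for e in events if e.method != "failed-password" and e.person is None]


def sessions_per_person(events: List[RootEvent]) -> Dict[str, int]:
    """Count successful root sessions per identified admin."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.method != "failed-password" and e.person is not None:
            counts[e.person] = counts.get(e.person, 0) + 1
    return counts


if __name__ == "__main__":
    evs = root_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(e)
    print("unattributed root sessions:", unattributed(evs))
    print("root sessions per person:", sessions_per_person(evs))
```

Run as-is, the script attributes the first root login to bob via his key, the su to alice, records the password guess as unattributable, and flags the last login as an unattributed root session because its fingerprint is not in the inventory. The password guess is what OpenSSH's `PermitRootLogin prohibit-password` setting refuses outright while still allowing key-based root login, so the two positions in the thread are not as far apart as the tone suggests: per-person keys plus an inventory give the same "who did it" trail as su, and a single shared root key gives none.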


