Subject: Re: why no telnet for root?
To: Johan Danielsson <joda@pdc.kth.se>
From: Colin Wood <ender@is.rice.edu>
List: port-mac68k
Date: 08/21/1996 16:04:09
> > This is not allowed as it is a security risk to let root log in from
> > an unsecure terminal.
>
> And the obvoius question is of course then: why is su-ing considered a
> more secure way of logging in? In both situations you are passing the
> root-password in the clear. (I assume that you aren't using Kerberos
> or something similar).
Actually, I wouldn't want to su over a network terminal, normally. The
way the sysadmins here at Rice do it (and they are pretty damn paranoid)
is to always log into a local machine on console and then run Kerberos
before logging in to any other machines. We've just recently set up ssh
(Secure Shell) as well as Kerberos, and this is how I would recommend
connecting to a machine before issuing an su command. That way, the
entire session is encrypted, not just the passwd authentication. It's
remarkably easy to use, and I like it a lot. However, I would recommend
against doing RSAAuthentication only on a MacBSD machine due to the time
factor: it took me a full minute to log into puma.macbsd.com the other
night this way. Also, generating a full key set can take quite a while
unless you machine is damn fast (my IIci w/ 50MHz accelerator took about
5 minutes to do a ssh-keygen, but puma, a IIcx, took about 20 minutes or
so). Oh well...
> When you su you leave a trace in the syslog, so for this reason I can
> agree that it is better.
Yes, this is a rather nice feature...gotta keep track of root, don't we ;-)
Later.
--
Colin Wood ender@is.rice.edu
Consultant Rice University
Information Technology Services Houston, TX