Subject: Re: package manager woes II
To: Dr. Bill Studenmund <wrstuden@loki.stanford.edu>
From: Kevin Ogden <kkb@ddw.net>
List: port-mac68k
Date: 06/17/1998 16:44:57
>This will work, but I STRONGLY recommend you don't. Log in as yourself, and
>then su to root. That way you have an audit trail.
>
>Unless you're logging in via a small, secure network (like an in-house
>ethernet), DON'T type root's password over the network. Whenever you log
>in with telnet, everything you type, such as root's password when you log
>in, or if you su, goes as clear-text. There are quite a few packages out
>there which will happily spy on your password, and save it to a file so
>that a cracker can get your root password.

It is a bad idea but it does work, I myself just use su.

>Either use kerberos, or use ssh. You can get ssh for free for unix, and
>there's already a package for it in /usr/pkgsrc. :-)

I haven't screwed around with ssh yet (I might soon).  I do use Kerberos
though.

>Even if there's nothing to steal on your computer, you need to be careful.
>Your computer could become the springboard for another attack.

I'm usually over paranoid, my serial terminals aren't even marked secure.

>One of the Linux boxes was broken into a few weeks ago, and the person
>started querying machines on the internet to see who was running an old,
>insecure version of BIND. We yanked the computer from the net when the
>campus security folks said the Navy had phoned them inquiring about the
>problem. :-)

That could potentially suck hehe  

>> >pico and joe don't seem to refresh the screen properly while editing 
>> >text. 
>> 
>> make sure you have your console set as vt220, or the appropriate terminal
>> type for your serial terminal/telnet.
>
>I've found vt100 seems to work better for me with dt. YMMV.

I normally don't run dt though but you are right.

>
>The only remote logins I see are ones involving root, or someone su'ing to
>root.
>
>root's not supposed to be the every-day usage account. root's for fixing
>(/breaking) things. Whomever's at the console should know when someone's
>gaining root access.
>

I have mine set up to write everything to a file then I run tail -f
/var/log/messages > /dev/<print device>
/var/log/messages is my logfile, and when tail sees another line at the end
of the file it gets printed on this cheesy dot matrix I've got.  Pretty
soon I'm going to have all the machines send their logs to this machine and
it will print them too.  That's going to require some creative work
probably.  (the box the printer is on runs NetBSD/i386, not mac68k, on the
mac it all goes to console for now and the alphas run DEC UNIX)

	Kevin
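
The audit-trail point made in this thread, as an added example that is not part of the original message: a small filter that pulls root-access events out of syslog lines and shows that an `su` entry names the person while a direct root login does not. The log lines are constructed, the BSD-style `su`/`login` message formats are an assumption, and `sample_log` and `root_events` are hypothetical names.

```shell
#!/bin/sh
# Added example: classify root-access events in syslog output.
# Assumed message formats (BSD-style su/login), not taken from the post:
#   su:    "USER to root on TTY"   /   "BAD SU USER to root on TTY"
#   login: "ROOT LOGIN (root) ON TTY FROM HOST"

# Constructed sample lines; host and user names are made up.
sample_log() {
    cat <<'EOF'
Jun 17 16:40:01 quadra su: kkb to root on /dev/ttyp0
Jun 17 16:41:12 quadra su: BAD SU guest to root on /dev/ttyp1
Jun 17 16:42:30 quadra login: ROOT LOGIN (root) ON ttyp2 FROM remote.example
Jun 17 16:43:00 quadra sendmail[123]: message queued
EOF
}

# Reads syslog lines on stdin, prints "KIND WHO TTY" per root-access event.
# WHO is "-" for a direct root login: the log cannot say which person it was.
root_events() {
    awk '
    # Successful su to root: the invoking user is recorded.
    $5 == "su:" && $7 == "to" && $8 == "root" {
        print "SU", $6, $10; fflush(); next
    }
    # Failed su to root: still attributed to a user.
    $5 == "su:" && $6 == "BAD" && $7 == "SU" && $10 == "root" {
        print "BAD_SU", $8, $12; fflush(); next
    }
    # Direct root login: only the terminal is known.
    $5 == "login:" && $6 == "ROOT" && $7 == "LOGIN" {
        print "DIRECT_ROOT", "-", $10; fflush(); next
    }'
}

sample_log | root_events
```

Placed between `tail -f /var/log/messages` and the print device, the same filter would pass only these events through, one line at a time.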