That's basically what we used to do.

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of A.Fadyushin@xxxxxxxxxxxx
Sent: Wednesday, August 30, 2006 1:21 PM
To: redhat-list@xxxxxxxxxx
Subject: RE: Permit root login for telnet..

Of course, if you are using unencrypted FTP as the user having read only privileges to the information which does not need to be kept in secret, it will not do damage (except that the massive downloading of tarballs by somebody who sniffed the password may cause the network/server overload). You generally could not limit the user who logged via telnet to be a 'read-only' user. Usually, such a user (especially with a sniffed root password) will be able to do with a machine whatever he wants. However, if you use the telnet only to completely reinstall the system on computers every day and will use the new telnet password each day it will not be a great security problem. Also you can stop the telnet servers on the computers as the last step of the installation procedure to prevent later use of the possibly sniffed password.

Alexey Fadyushin.
Brainbench MVP for Linux.
http://www.brainbench.com

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Burke, Thomas G.
> Sent: Tuesday, August 29, 2006 7:28 PM
> To: General Red Hat Linux discussion list
> Subject: RE: Permit root login for telnet..
>
> I have found instances where a program is written to send scripts back &
> forth through the terminal, but can't do the encryption itself.
>
> For instance, if you were only using it to run a set-up script on a
> brand new computer, you'd do a minimal install (or use a boot disk), and
> then have a little program telnet in & choose appropriate packages for
> the machine based on certain characteristics.
>
> I used to do this all the time in the DOS/Windows world - a machine got
> a custom load, depending on what it needed. It logged in as a user that
> had only read privileges on the server, so if somebody did manage to
> sniff it (while I was alone in the labs), no damage could be done other
> than downloading tarballs.
>
> I did this all in clear-text passwords over telnet & ftp. Of course, I
> usually only did it late at night or early in the morning when no one
> was in the labs (and I had keys to the doors).
>
> Doing this simplified life for me greatly. After a while, we figured
> out how to do this every night, to ensure we wiped out virii & so forth
> that (l)users had gotten onto the machines & so forth - basically
> reformatting every drive every night and reinstalling the complete
> loadset. We could reload 100 computers in the course of about 2 hours.
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of
> A.Fadyushin@xxxxxxxxxxxx
> Sent: Tuesday, August 29, 2006 10:51 AM
> To: redhat-list@xxxxxxxxxx
> Subject: RE: Permit root login for telnet..
>
> Actually, the situation is slightly better because the user would need
> some privileges to run a sniffer (at least in Linux). So, if nobody
> could attach his own computer directly to the network where the
> passwords are (or potentially could, for example due to the routing
> changes) sent and all users with the appropriate privileges on already
> attached computers are trusted (for example, they already know the
> passwords of the users who will use telnet) there should be no problem
> as long as these conditions exist. However, most probably, these
> conditions would not be fulfilled in reality and the passwords sent via
> telnet would be compromised.
> It is much better to use SSH because it will send all information
> (including passwords) in encrypted form only.
> Every task which can be done with telnet can be done with SSH also.
>
> Alexey Fadyushin
> Brainbench MVP for Linux.
> http://www.brainbench.com
>
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Burke, Thomas G.
> > Sent: Friday, August 25, 2006 11:02 PM
> > To: General Red Hat Linux discussion list
> > Subject: RE: Permit root login for telnet..
> >
> > Shekhar,
> >
> > I don't remember how to turn on telnet.
> >
> > That said, *ANY* computer that can access the network this server is
> > on can be used to sniff a clear-text password sent through telnet. I
> > understand that in your specific case, this may be OK, but are you
> > absolutely sure that *every* employee accessing one of these computers
> > can be trusted not to set up a sniffer? And any future employees?
> > There is no point in having a server if no one's computer can access it.
> >
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Shekhar Dhotre
> > Sent: Friday, August 25, 2006 2:53 PM
> > To: General Red Hat Linux discussion list
> > Subject: RE: Permit root login for telnet..
> >
> > Bank of China - Shanghai .
> >
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Steve Rieger
> > Sent: Friday, August 25, 2006 1:15 PM
> > To: General Red Hat Linux discussion list
> > Cc: Bliss, Aaron
> > Subject: Re: Permit root login for telnet..
> >
> > i would like to know what bank you work for, am gonna make sure to close
> > any account i have there.
> >
> > sorry for the top post.
> >
> > Shekhar Dhotre wrote:
> > > OK , no one has access to network room here than Coms guys . Even I
> > > cannot go in as I am in Unix/Storages group. Our comm. guys are not
> > > interested in checking our passwords.
> > >
> > > Also they have access to most of the prod switches, so they are trusted
> > > by the business. Again not a risk .
> > >
> > > -----Original Message-----
> > > From: Bliss, Aaron [mailto:ABliss@xxxxxxxxxxxxxxxxx]
> > > Sent: Friday, August 25, 2006 9:44 AM
> > > To: Shekhar Dhotre; General Red Hat Linux discussion list
> > > Subject: RE: Permit root login for telnet..
> > >
> > > Sure, just turn on ethereal, plug into the span port on the switch.
> > > Very straight forward; there are even software based packet sniffers
> > > that can sniff past switches.
> > >
> > > Aaron
> > >
> > > -----Original Message-----
> > > From: Shekhar Dhotre [mailto:sdhotre@xxxxxxxxxxxx]
> > > Sent: Friday, August 25, 2006 9:25 AM
> > > To: Bliss, Aaron; General Red Hat Linux discussion list
> > > Subject: RE: Permit root login for telnet..
> > >
> > > Again that's all good . But, can you tell me how to see password of
> > > other sysadmin if he is accessing system via telnet?
> > >
> > > -----Original Message-----
> > > From: Bliss, Aaron [mailto:ABliss@xxxxxxxxxxxxxxxxx]
> > > Sent: Friday, August 25, 2006 9:22 AM
> > > To: Bliss, Aaron; Shekhar Dhotre; General Red Hat Linux discussion list
> > > Subject: RE: Permit root login for telnet..
> > >
> > > Telnet is also vulnerable to man in the middle attacks and ssh offers
> > > post authentication; telnet does not.
> > >
> > > Aaron
> > >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx
> > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bliss, Aaron
> > > Sent: Friday, August 25, 2006 9:13 AM
> > > To: Shekhar Dhotre; General Red Hat Linux discussion list
> > > Subject: RE: Permit root login for telnet..
> > >
> > > Telnet is a clear text protocol; ssh isn't.
> > >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx
> > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Shekhar Dhotre
> > > Sent: Friday, August 25, 2006 9:11 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: RE: Permit root login for telnet..
> > >
> > > I have used telnet before ssh came in to the market . Do you know how to
> > > hack telnet ? or break a root password without having physical access to
> > > the system ? most likely the answer will be - NO .. so what's the big
> > > deal in ssh vs. telnet ?
> > >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx
> > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Greg Golin
> > > Sent: Friday, August 25, 2006 2:12 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Permit root login for telnet..
> > >
> > > Dear Arun,
> > >
> > > You do NOT want to enable root login via telnet - trust me on this
> > > one. Please tell the list what you are trying to accomplish - 99.9%
> > > chance is that whatever you are trying to do can, and should be done
> > > via ssh.
> > >
> > > Kind Regards,
> > > Gregory Golin
> > > Systems Admin
> > >
> > > On 8/24/06, Arun Williams <perks_williams@xxxxxxxxxxx> wrote:
> > >
> > >> How can i enable root login for telnet....
> > >>
> > >> I tried editing /etc/pam.d/login .... but no use
> > >>
> > >> ____________________________
> > >> Regards
> > >> A.Williams
> > >> IN THIS WORLD FULL OF DREAMS AND IMAGINATION, LOOK FOR POSSIBILITIES...
> > >>
> > >> --
> > >> redhat-list mailing list
> > >> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > >> https://www.redhat.com/mailman/listinfo/redhat-list
> >
> > --
> > eats the blues for breakfast,
> > does unix for rent,
> > plays harp for food,
> > will play the flute for kicks
> > rides for the freedom
> > scrapes for the challenge
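
The thread turns on whether root can log in over telnet and on stopping the telnet server once an install is finished. The script below is an added example, not part of any message in the thread: it audits three config files for that exposure. Assumptions: telnet is started by xinetd, the default paths are the usual Red Hat locations, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are assumed Red Hat
# locations; which PAM service file a telnet login uses varies by release.

# 0 if xinetd would offer telnet: a service is on unless "disable = yes".
telnet_enabled() {
    [ -r "$1" ] || return 1   # no service file: not offered via xinetd
    ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# 0 if an uncommented auth line in the PAM file loads pam_securetty.
securetty_enforced() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$1"
}

# 0 if securetty lists a pseudo-terminal (pts/N), which network logins get.
root_pts_listed() {
    grep -Eq '^[[:space:]]*pts/[0-9]+[[:space:]]*$' "$1"
}

# Prints a verdict. Returns 0 = telnet off, 1 = root can log in over
# telnet (or that cannot be ruled out), 2 = telnet on but root blocked.
audit_telnet_root() {
    xinetd=${1:-/etc/xinetd.d/telnet}
    pam=${2:-/etc/pam.d/login}
    sectty=${3:-/etc/securetty}
    if ! telnet_enabled "$xinetd"; then
        echo "OK: telnet not enabled in $xinetd"; return 0
    fi
    if ! securetty_enforced "$pam"; then
        echo "FAIL: telnet on, pam_securetty not loaded by $pam"; return 1
    fi
    # An unreadable securetty file is treated as a failure, not a pass.
    if [ ! -r "$sectty" ] || root_pts_listed "$sectty"; then
        echo "FAIL: telnet on, $sectty missing or lists pts/N"; return 1
    fi
    echo "WARN: telnet on, root blocked, user passwords still cleartext"
    return 2
}

# Constructed sample files exercising the FAIL path.
demo=$(mktemp -d)
printf 'service telnet\n{\n\tdisable = no\n}\n' > "$demo/telnet"
printf 'auth required pam_securetty.so\n' > "$demo/login"
printf 'tty1\npts/0\n' > "$demo/securetty"
audit_telnet_root "$demo/telnet" "$demo/login" "$demo/securetty" || true
rm -rf "$demo"
```

Calling `audit_telnet_root` with no arguments checks the default paths; a return of 2 still means every non-root password crosses the wire in clear text, which is the case the thread argues for replacing with SSH.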