Re: How do you stop !root logins from dialup connections (fwd)

Per Hedeland (per@erix.ericsson.se)
Wed, 27 Sep 1995 00:44:00 +0100 (MET)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Michael C. Nerone: "user.service patch and statis ip's"
Previous message: Michael C. Nerone: "Re: S10-19 not working on PM2ER-20"
Next in thread: Robert Hanson: "Re: How do you stop !root logins from dialup connections (fwd)"

>From: "Chris B. Wilson, VectorNet" <cbw@vector.net>

>Give it a real password?

Excuse me if I sound rude, but few of those that are concerned about
security, and have paid attention to the many incidents with password
sniffing etc during the last few years, consider reusable (as opposed to
one-time) passwords as a useful protection for much of anything these
days. If you can restrict their usability e.g. as with filters for
telnet access to the PortMaster, they might be acceptable, but on a
dialup line, no way. YMMV, of course, if all that is at stake is
someone's connect-time charges or less, you might not worry about this.

>From: Robert Hanson <roberth@cet.cet.com>

>why not make a secondary programable remote bangroot login... so we could
>call it anything we wished up to 8 chars.... just an idea anyways....

This effectively amounts to using a longer password, and doesn't alter
the fundamental problem, I think.

>From: "Brian 'MegaZone' Bikowicz" <megazone@livingston.com>

>Once upon a time Robert Hanson shaped the electrons to say...
>>logically i dont think that it is a good idea to eliminate as a
>>possibility, "the only way to get on a box, with admin privs" remotely
>>scenario.... so....
>
>Most likely it we be something so that if you raise dip switch one you can
>connect via S0 or something. Maybe it oculd be user selectable whether or
>not you can do it... It is something still being discussed.

I would certainly expect the current behaviour to remain available
(probably as the default even) - backwards compatibility and all that:-)
- what is needed is a way to turn it off. No big deal, just another
command that flips a bit in memory that is tested before allowing serial
port !root login (and ignored on S0 if the dip switch is up, or somesuch).
Or perhaps one bit per port even - not that I need it, but I can imagine
that it would be useful for some.

I have filed (through my local vendor) a formal Request For Enhancement
for this functionality, and I recommend everyone else that needs/wants
it to do the same - I don't think it is reasonable to expect Livingston
to keep counts of the wishes expressed here on the list...

--Per Hedeland
per@erix.ericsson.se

Next message: Michael C. Nerone: "user.service patch and statis ip's"
Previous message: Michael C. Nerone: "Re: S10-19 not working on PM2ER-20"
Next in thread: Robert Hanson: "Re: How do you stop !root logins from dialup connections (fwd)"