RE: [cobalt-users] Disallowing remote root login
- Subject: RE: [cobalt-users] Disallowing remote root login
- From: <rpaiz@xxxxxxxxxxxxxx>
- Date: Sun Mar 25 03:02:28 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> heh, go back and read more carefully -/ That page is based on
> RH 6 without PAM, PAM has direct support for a wheel group, trying
> to add group passwords manually is likely to subvert PAM..
gpasswd apparently only adds the user to the group. It also allows any
user in the group to be named the administrator for the group and to
have a password for changing group attributes. This sounds so like the
way the RaQs do things for siteadmins that I assumed (yeah, I know) the
RaQs would use the same command.
> > gpasswd -a xxxxx wheel
> > gpasswd -a yyyyy wheel
> > gpasswd -a zzzzz wheel
> >
> > to add the xxxxx, yyyyy, and zzzzz users to the group wheel, whose
> > members are the only ones who should be able to su to root. I added
> > three highly-trusted users in case I forget my password or my plane
> > crashes (much more likely). Then I did:
>
> So now instead of one password to guess, they get to try for
> any of 4, you just reduced the strength to 25% ;) This is the
> inherent problem with wheel groups...
Why? su still requires me to enter the root password. So now someone has
to guess one of the other three passwords *and* the root password.
> This is almost certainly going to interact badly with the GUI and
> background daemons which use su ...
Maybe. This is the kind of thing that I'm trying to find out by asking
the question. However, it seems like I would only have to add the GUI
user to the wheel group too, no?
> At a minimum they are going to be setting group ownership wrong...
> Many things in linux will get unhappy if user is
> unprivileged and group is...
This only refers to changing the ownership of the /bin/su binary, so
that only certain people can execute that. Once you become root, it does
not affect you at all. These worries are unfounded.
> but they are not root logins anymore, now they are wheel
> group/user logins with root privileges ;)
See above... su still requires entering root password.
> vc - virtual console - eg the physical keyboard/display
> tty - terminal interface to a device (eg serial or network
> connection)
> pty - pseudo-tty looks like a tty to the program, but is really
> connected to another program (eg to sshd)
>
> trying to restrict root logins on pty's will probably cause really
> interesting (bad) things to happen -/
Only vc and tty entries were in my default securetty file, and I've
concluded that none should be deleted.
> root is already restricted by default, ssh is special, if
> you don't want ssh to allow root logins tell it, it has a
> config line for that...
Yeah, I found it later and so did Clark Morgan.
> I'm not really certain what you are trying to do here...
Trying to make it as hard as possible to crack the server in every
possible way I can think of... :)
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
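The three hardening steps argued over in this exchange (an sshd config line for root logins, wheel-only su, and a securetty file that lists only console devices), as an added worked example that is not code from the original thread or from Cobalt. It follows the quoted reply's advice to use PAM's own wheel support (an active pam_wheel.so line in /etc/pam.d/su) instead of changing the group ownership and mode of /bin/su, and it shows the group-file result of the `gpasswd -a user wheel` commands from the message. Everything is applied to constructed copies of the config files in a scratch directory so it runs unprivileged; the file contents, paths and the hypothetical user names are assumptions, and on a real host the targets would be /etc/ssh/sshd_config, /etc/pam.d/su, /etc/securetty and /etc/group, edited as root. A sed that understands -E and an awk are assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Applies the hardening steps
# discussed above to COPIES of the config files in a scratch directory, so it
# runs without root. Fixture contents below are constructed stand-ins.
set -u

# Write constructed stand-ins for the real config files into directory $1.
make_fixtures() {
  d=$1
  mkdir -p "$d"
  printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$d/sshd_config"
  printf '%s\n' '#%PAM-1.0' \
    'auth       sufficient   pam_rootok.so' \
    '#auth      required     pam_wheel.so use_uid' \
    'auth       required     pam_pwdb.so shadow nullok' \
    'account    required     pam_pwdb.so' \
    'password   required     pam_pwdb.so shadow nullok' \
    'session    required     pam_pwdb.so' > "$d/su"
  printf '%s\n' '# console devices only' 'vc/1' 'vc/2' 'tty1' 'tty2' 'ttyS0' > "$d/securetty"
  printf '%s\n' 'root:x:0:' 'wheel:x:10:root' 'users:x:100:' > "$d/group"
}

# 1. Tell sshd itself not to accept root logins (the config line the thread
#    mentions). Replaces an existing directive, commented or not, else appends.
disable_ssh_root_login() {
  f=$1
  if grep -Eq '^[#[:space:]]*PermitRootLogin[[:space:]]' "$f"; then
    sed -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  else
    printf 'PermitRootLogin no\n' >> "$f"
  fi
}
# sshd honours the first occurrence of a keyword, so check the first active one.
ssh_root_login_disabled() {
  [ "$(awk '$1 == "PermitRootLogin" { print $2; exit }' "$1")" = "no" ]
}

# 2. PAM's own wheel support instead of chgrp/chmod on /bin/su. The active
#    pam_wheel.so line goes before the password-checking auth module, so a
#    non-wheel user is refused before the root password is even prompted for.
su_requires_wheel() {
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}
require_wheel_for_su() {
  f=$1
  su_requires_wheel "$f" && return 0          # idempotent
  awk '
    /^#[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so/ { next }
    !done && /^auth[[:space:]]/ && $0 !~ /pam_rootok\.so/ {
      print "auth       required     pam_wheel.so use_uid"; done = 1
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# 3. securetty must name only virtual-console or (serial) tty devices; a pts/
#    or pty entry would allow root logins on network pseudo-terminals.
securetty_is_console_only() {
  ! grep -Ev '^(#|$|vc/[0-9]+$|tty[A-Za-z]*[0-9]+$)' "$1" | grep -q .
}

# 4. What `gpasswd -a user wheel` produces in /etc/group, applied to the copy
#    (gpasswd itself needs root and the real file). Adding twice is a no-op.
add_to_wheel_copy() {
  f=$1; u=$2
  awk -F: -v u="$u" 'BEGIN { OFS = ":" }
    $1 == "wheel" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) { print; next }
      $4 = ($4 == "") ? u : $4 "," u
    }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
wheel_members() { awk -F: '$1 == "wheel" { print $4 }' "$1"; }

# Demo on a scratch copy; the three users are the hypothetical xxxxx/yyyyy/zzzzz.
demo() {
  d=${TMPDIR:-/tmp}/harden_demo.$$
  make_fixtures "$d"
  disable_ssh_root_login "$d/sshd_config"
  require_wheel_for_su "$d/su"
  for u in xxxxx yyyyy zzzzz; do add_to_wheel_copy "$d/group" "$u"; done
  ssh_root_login_disabled "$d/sshd_config" && echo "sshd_config: PermitRootLogin no"
  su_requires_wheel "$d/su" && echo "pam.d/su: pam_wheel active"
  securetty_is_console_only "$d/securetty" && echo "securetty: console devices only"
  echo "wheel members: $(wheel_members "$d/group")"
  rm -rf "$d"
}
demo
```

With pam_wheel in place the `use_uid` option makes the check against the real uid of the caller rather than the login uid, and `pam_rootok.so` ahead of it keeps root's own `su` working; daemons that run `su` as root are therefore unaffected, while an unprivileged GUI or service account that must `su` would need wheel membership, which is the interaction the quoted reply warns about.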