[CLUE-Tech] rlogin and telnet are insecure at best

Randolph Cordell open2ningz at yahoo.com
Mon Jan 22 19:30:27 MST 2001


Has CLUE talked about telnet and rlogin being EXTREMELY INSECURE?  I
definitely would NOT be giving out addresses let alone passwords and talking
about using them to admin anything!!!!  The choice should be ssh, scp etc...
Specifically, I can watch your telnet session with a simple tool like sniffer
and tell you your password and everything you did.  All data is transmitted
in clear text with telnet.

To answer your question, the root account is specifically denied access to
any pseudo terminals (e.g. telnet), on purpose (and changing that is a very
BAD idea), but where it is controlled at is the /etc/securetty file.  The
terminals listed there are the only ones root is allowed to login on.  If you
wanted to telnet in as root you would have to add pst/x where x is the pseudo
terminal you wanted to use.  

rlogin is a whole 'nuther story...it will try to use Kerberos for
authentication (which is good) but failing FINDING Kerberos to authenticate
with it drops down to lower authentication methods (which is bad) and can be
configured for all kinds of ugly things like "host_x can always login WITHOUT
a password, no matter who the user is..."  or "user_x can always login
WITHOUT a password, no matter what the host is"  etc...

Randy
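
A defensive check for the two configurations described in the message above, as an added example that is not part of the original post: it flags pseudo-terminal entries in /etc/securetty content and wildcard trust entries in hosts.equiv or .rhosts content. The sample file contents are constructed, and the pseudo-terminal naming (pts/N or BSD-style ttypN) is an assumption about the target system.

```python
import re

# Constructed sample files (not from the original post).
SAMPLE_SECURETTY = "# constructed sample\ntty1\ntty2\npts/0\n"
SAMPLE_HOSTS_EQUIV = "# constructed sample\ntrustedhost\n+\notherhost +\n+ bob\n-badhost\n"

# Assumption: pseudo terminals are named pts/N (Unix98) or tty[p-za-e][0-9a-f] (BSD style).
PSEUDO_TTY = re.compile(r"^(pts/\d+|tty[p-za-e][0-9a-f])$")


def entries(text):
    """Yield (line_number, entry) for non-blank, non-comment lines."""
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line:
            yield number, line


def audit_securetty(text):
    """Return entries that would allow root to log in on a pseudo terminal."""
    return [(n, e) for n, e in entries(text) if PSEUDO_TTY.match(e)]


def audit_rhosts(text):
    """Return wildcard trust entries from hosts.equiv or .rhosts content."""
    findings = []
    for n, entry in entries(text):
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue  # explicit deny entry, not a trust grant
        if host == "+" and user is None:
            findings.append((n, "any host"))
        elif host == "+" and user == "+":
            findings.append((n, "any user from any host"))
        elif host == "+":
            findings.append((n, f"user {user} from any host"))
        elif user == "+":
            findings.append((n, f"any user from host {host}"))
    return findings


if __name__ == "__main__":
    for n, e in audit_securetty(SAMPLE_SECURETTY):
        print(f"securetty line {n}: root login allowed on pseudo terminal {e}")
    for n, why in audit_rhosts(SAMPLE_HOSTS_EQUIV):
        print(f"hosts.equiv line {n}: passwordless login for {why}")
```

To audit a real system, pass the contents of /etc/securetty, /etc/hosts.equiv and each user's ~/.rhosts to these functions in place of the samples.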
