
Re: [TCLUG:10372] telnet over network



On Mon, Nov 22, 1999 at 09:49:27PM -0600, Karl Morgan wrote:
> 
> And I stand by that statement, but you are right. Login isn't
> responsible for this function anymore. I did a quick check and it is
> pam that is looking in /etc/securetty from the pam_securetty
> module. And the effect is the same, if you move /etc/securetty out of
> the way, root can login on any tty.

	I agree that it'll work, but I think it's better just to tell
pam to not pay attention to the securetty file rather than to change its
name so it can't be found.

	Like I said, maybe something other than pam pays attention to
the securetty file, and that could have painful, surprising consequences
later.  The man page for the securetty file hasn't been updated since
December of 1992.

	It's much more precise and to the point to change the pam file
for 'login'.  It says "I don't want login to care if I'm on a securetty
or not", which is exactly what you want to say.  Moving the securetty
file is saying 'All of my ttys are secure', which isn't the same thing
at all.

	Sorry to be a pain about it, but these kinds of decisions can
have big consequences down the line, and the best time to start doing it
right is right at the beginning.  Fewer things to fix later that way.
Yeah, moving securetty back is an easy thing to do, but the problem is,
when do you do it?  Obviously when you want to disallow root telnets,
but how about if you're experiencing some weird, inexplicable problem or
security hole?  It isn't so obvious then.

Have fun (if at all possible),
-- 
Its name is Public Opinion.  It is held in reverence. It settles everything.
Some think it is the voice of God.  Loyalty to petrified opinion never yet
broke a chain or freed a human soul.     ---Mark Twain
-- Eric Hopper (hopper@omnifarious.mn.org
                http://ehopper-host105.dsl.visi.com/~hopper) --

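An added example, not part of the original thread: a small POSIX shell audit that tells apart the two states argued about above for a PAM service file, pam_securetty taken out of the auth stack (the precise change) versus the securetty file moved away (module still active, so root is allowed on any tty). The PAM and securetty sample files it reads are constructed here, and the paths and function name are assumptions, not taken from the original posts.

```shell
#!/bin/sh
# Added example (not from the original thread): tell apart the two ways
# root console restriction can stop applying to a PAM service --
# pam_securetty taken out of the service's auth stack (the precise
# change argued for above) versus /etc/securetty moved away (the
# module stays active but, with no file, root is allowed on any tty).
# File paths are parameters so the check runs on constructed samples.

# Usage: securetty_state PAM_SERVICE_FILE SECURETTY_FILE
# Prints one of:
#   pam-disabled  no active pam_securetty line in the auth stack
#   file-missing  module active but securetty file absent (exit status 1)
#   enforced:N    module active, N ttys listed for root
securetty_state() {
    pamfile=$1
    secfile=$2
    # Count uncommented auth lines that load pam_securetty.so.
    active=$(grep -Ec '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' \
        "$pamfile" 2>/dev/null || true)
    if [ "${active:-0}" -eq 0 ]; then
        echo pam-disabled
        return 0
    fi
    if [ ! -f "$secfile" ]; then
        echo file-missing
        return 1
    fi
    # Count listed ttys, skipping blank lines and comments.
    n=$(grep -Evc '^[[:space:]]*(#|$)' "$secfile" || true)
    echo "enforced:${n:-0}"
}

# Constructed sample files (not from any real system).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'auth     required  pam_securetty.so' \
              'auth     required  pam_unix.so' \
              'account  required  pam_unix.so' > "$SAMPLE_DIR/login.enforced"
printf '%s\n' '#auth    required  pam_securetty.so' \
              'auth     required  pam_unix.so' > "$SAMPLE_DIR/login.disabled"
printf '%s\n' '# ttys root may log in on' 'tty1' 'tty2' '' 'tty3' \
              > "$SAMPLE_DIR/securetty"

securetty_state "$SAMPLE_DIR/login.enforced" "$SAMPLE_DIR/securetty"        # enforced:3
securetty_state "$SAMPLE_DIR/login.enforced" "$SAMPLE_DIR/securetty.moved"  # file-missing
securetty_state "$SAMPLE_DIR/login.disabled" "$SAMPLE_DIR/securetty"        # pam-disabled
```

Point it at a real service with `securetty_state /etc/pam.d/login /etc/securetty` to see which of the two states a host is actually in.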