Disable telnet for root

Hi,

Commenting out CONSOLE in /etc/default/login disables telnet access for all users.
Is it true?
=======================
modify /etc/default/login
comment out the following line
#CONSOLE=/dev/console
=======================

How can I disable telnet for root? I need the telnet server with a normal
account and then run su.

Is it possible to deny telnet for root and enable rlogin for root by using
.rhosts or host.equiv...?

Thank you very much

Best Regards
NS


0
Reply ns353 (12) 12/7/2004 11:31:36 AM

ns wrote:
> Hi,
> 
> Commenting out CONSOLE in /etc/default/login disables telnet access for all users.
> Is it true?
> =======================
> modify /etc/default/login
> comment out the following line
> #CONSOLE=/dev/console
> =======================
> 
> How can I disable telnet for root? I need the telnet server with a normal
> account and then run su.
> 
> Is it possible to deny telnet for root and enable rlogin for root by using
> .rhosts or host.equiv...?
> 
> Thank you very much
> 
> Best Regards
> NS

It's been a while since I have had to deal with this, but as I recall,
removing the comment character will disable all direct root logins,
except from the console. All users, telnet and rlogin, will be required
to log in as a normal user and then use "su".

I do believe that the ".rhosts" is usable, once you have logged in as
a normal user. Someone else may need to correct me on that. If you do
use a ".rhosts" file, at least make sure the permissions are set to
rw for owner only. This helps prevent normal users from finding out
who has root access.

Martin
-- 
Martin E. Meserve - K7MEM
http://www.k7mem.com
0
Reply K7MEM 12/7/2004 2:01:18 PM


On Tue, 7 Dec 2004, ns wrote:

> Commenting out CONSOLE in /etc/default/login disables telnet access for all users.
> Is it true?
> =======================
> modify /etc/default/login
> comment out the following line
> #CONSOLE=/dev/console
> =======================

No, it only affects incoming root telnet sessions.

> How can I disable telnet for root? I need the telnet server with a normal
> account and then run su.

It's disabled by default.  Better yet, disable telnet altogether and
use ssh.

> Is it possible to deny telnet for root and enable rlogin for root by using
> .rhosts or host.equiv...?

Insecure.  Use ssh.

-- 
Rich Teer, SCNA, SCSA, author of "Solaris Systems Programming"

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
0
Reply Rich 12/7/2004 7:31:29 PM
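As an added example (not code from any post in this thread), the following POSIX shell script checks a login-defaults file for the CONSOLE setting Rich describes and reports whether root is confined to the console; the file paths and sample contents are constructed, and the treatment of an empty CONSOLE= value is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the CONSOLE setting in
# /etc/default/login that the posters discuss. On Solaris, login(1) honours
# CONSOLE=<device>: while that line is active, root may log in only on that
# device, so root logins over telnet/rlogin are refused and admins log in as
# themselves and su(1M). Commenting the line out lifts the restriction.

# console_restriction FILE
# Prints the device named by the last active CONSOLE= line, or "none" when the
# setting is absent or commented out. Returns 0 when root is restricted, else 1.
# (Assumption for this example: an empty CONSOLE= value is reported as "none".)
console_restriction() {
    dev=$(sed -n 's/^[[:space:]]*CONSOLE=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
          tail -n 1)
    if [ -n "$dev" ]; then
        printf '%s\n' "$dev"
        return 0
    fi
    printf 'none\n'
    return 1
}

# audit_login_defaults FILE
# One-line verdict: PASS when root is console-only, FAIL (exit 1) otherwise.
audit_login_defaults() {
    if dev=$(console_restriction "$1"); then
        echo "PASS: $1 limits root logins to $dev (remote root telnet/rlogin refused)"
    else
        echo "FAIL: CONSOLE is unset or commented out in $1; root may log in remotely"
        return 1
    fi
}

# Constructed sample files (not taken from a real system) so this runs stand-alone.
SAMPLE_DIR=${TMPDIR:-/tmp}/login-audit.$$
mkdir -p "$SAMPLE_DIR"
printf '# Solaris default: keep root on the console\nCONSOLE=/dev/console\nPASSREQ=YES\n' \
    > "$SAMPLE_DIR/login.default"
printf '# Line commented out as in the original post\n#CONSOLE=/dev/console\nPASSREQ=YES\n' \
    > "$SAMPLE_DIR/login.opened"

audit_login_defaults "$SAMPLE_DIR/login.default"
audit_login_defaults "$SAMPLE_DIR/login.opened" || true
```

Point the functions at the real /etc/default/login to audit a live host; the sample files only exist so the script runs anywhere.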

On Tue, 07 Dec 2004 19:31:29 +0000, Rich Teer wrote:

>> Is it possible to deny telnet for root and enable rlogin for root by using
>> .rhosts or host.equiv...?
> 
> Insecure.  Use ssh.

But it appears necessary for remote backup to tape.

0
Reply Dave 12/7/2004 8:49:06 PM

Dave Uhring wrote:
> On Tue, 07 Dec 2004 19:31:29 +0000, Rich Teer wrote:
> 
> 
>>>Is it possible to deny telnet for root and enable rlogin for root by using
>>>.rhosts or host.equiv...?
>>
>>Insecure.  Use ssh.
> 
> 
> But it appears necessary for remote backup to tape.
> 

You needn't (and shouldn't) do backups as root anyhow.  Use an account 
whose basegroup is 'sys' and it should be able to read the devices to 
back them up.  Admittedly,  I just learnt this recently as well.

In that case, I would use TCP wrappers to ensure that connections via 
rsh/etc were only allowed from the backup server.



-- 
Coy Hile
hile@cse.psu.edu
0
Reply Coy 12/7/2004 8:53:52 PM

On Tue, 07 Dec 2004 15:53:52 -0500, Coy Hile wrote:

> You needn't (and shouldn't) do backups as root anyhow.  Use an account 
> whose basegroup is 'sys' and it should be able to read the devices to 
> back them up.  Admittedly,  I just learnt this recently as well.

Hmmm, it appears that even that type account is not necessary. 
/dev/rmt/0cn has perms 666.

0
Reply Dave 12/7/2004 9:43:01 PM

Dave Uhring wrote:
> On Tue, 07 Dec 2004 15:53:52 -0500, Coy Hile wrote:
> 
> 
>>You needn't (and shouldn't) do backups as root anyhow.  Use an account 
>>whose basegroup is 'sys' and it should be able to read the devices to 
>>back them up.  Admittedly,  I just learnt this recently as well.
> 
> 
> Hmmm, it appears that even that type account is not necessary. 
> /dev/rmt/0cn has perms 666.
> 

The group sys membership is so that it may read the disk block 
devices.  Those have perms 640 and are owned by group sys.

-- 
Coy Hile
hile@cse.psu.edu
0
Reply Coy 12/7/2004 9:52:19 PM

On Tue, 07 Dec 2004 16:52:19 -0500, Coy Hile wrote:

> The group sys membership is so that it may read the disk block 
> devices.  Those have perms 640 and are owned by group sys.

Indeed, you are correct.

0
Reply Dave 12/7/2004 10:33:32 PM

Many thanks for your help

NS


0
Reply ns 12/8/2004 4:03:12 PM

In article <pan.2004.12.07.20.49.06.528386@yahoo.com>,
Dave Uhring  <daveuhring@yahoo.com> wrote:
>But it appears necessary for remote backup to tape.

Joerg Schilling's star and rmt appear to work with ssh.

John
groenveld@acm.org
0
Reply groenvel 12/9/2004 10:14:51 PM

On Thu, 09 Dec 2004 22:14:51 +0000, John D Groenveld wrote:

> In article <pan.2004.12.07.20.49.06.528386@yahoo.com>,
> Dave Uhring  <daveuhring@yahoo.com> wrote:
>>But it appears necessary for remote backup to tape.
> 
> Joerg Schilling's star and rmt appear to work with ssh.

I had ufsdump in mind.  Coy Hile clarified that users in the group sys had
read permissions on the raw disk devices, and I had never looked at the
perms in /devices previously.

0
Reply Dave 12/9/2004 10:22:22 PM

In article <pan.2004.12.09.22.22.22.377814@yahoo.com>,
Dave Uhring  <daveuhring@yahoo.com> wrote:
>On Thu, 09 Dec 2004 22:14:51 +0000, John D Groenveld wrote:
>
>> In article <pan.2004.12.07.20.49.06.528386@yahoo.com>,
>> Dave Uhring  <daveuhring@yahoo.com> wrote:
>>>But it appears necessary for remote backup to tape.
>> 
>> Joerg Schilling's star and rmt appear to work with ssh.
>
>I had ufsdump in mind.  Coy Hile clarified that users in the group sys had
>read permissions on the raw disk devices, and I had never looked at the
>perms in /devices previously.

Take the ufsdump sources and replace Sun's rmt client by star's rmt client
code. In a few months you will be able to do this.....




-- 
EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
      js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
      schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
0
Reply js 12/9/2004 10:33:31 PM

On Thu, 09 Dec 2004 22:33:31 +0000, Joerg Schilling wrote:

> Take the ufsdump sources and replace Sun's rmt client by star's rmt client
> code. In a few months you will be able to do this.....

Thanks Jörg.  I prefer to use system utilities where possible.  The next
Solaris system I work on may not have star available but it will have
ufsdump.

0
Reply Dave 12/9/2004 11:03:43 PM

In article <pan.2004.12.09.23.03.43.218378@yahoo.com>,
Dave Uhring  <daveuhring@yahoo.com> wrote:
>On Thu, 09 Dec 2004 22:33:31 +0000, Joerg Schilling wrote:
>
>> Take the ufsdump sources and replace Sun's rmt client by star's rmt client
>> code. In a few months you will be able to do this.....
>
>Thanks Jörg.  I prefer to use system utilities where possible.  The next
>Solaris system I work on may not have star available but it will have
>ufsdump.

The next Solaris version you use may have star as well as a ufsdump version
that links to the rmt client from star.

-- 
EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
      js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
      schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
0
Reply js 12/9/2004 11:07:26 PM

On Thu, 09 Dec 2004 23:07:26 +0000, Joerg Schilling wrote:

> The next Solaris version you use may have star as well as a ufsdump version
> that links to the rmt client from star.

I really dislike enabling rsh and rexec.  That would be a great
improvement.

0
Reply Dave 12/9/2004 11:19:00 PM

In article <pan.2004.12.09.23.19.00.601508@yahoo.com>,
Dave Uhring  <daveuhring@yahoo.com> wrote:
>On Thu, 09 Dec 2004 23:07:26 +0000, Joerg Schilling wrote:
>
>> The next Solaris version you use may have star as well as a ufsdump version
>> that links to the rmt client from star.
>
>I really dislike enabling rsh and rexec.  That would be a great
>improvement.

Definitely not for S 10, but stay tuned ;-)


Of course, you need to know that you will get much less performance this way.

BTW: you cannot backup ZFS with ufsdump, so star may be the best choice
for backups soon.



-- 
EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
      js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
      schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
0
Reply js 12/9/2004 11:22:47 PM

On Thu, 09 Dec 2004 23:22:47 +0000, Joerg Schilling wrote:

> Definitely not for S 10, but stay tuned ;-)

Keep trying.  I used your cdrtools just today to produce a CD-R with some
Windows apps for our customers, hoping to get them away from Microsoft's
malware.

> Of course, you need to know that you will get much less performance this way.

Actually my experience with scp, while never rigorously tested, indicates
that it works almost as fast as ftp or nfs cp.

> BTW: you cannot backup ZFS with ufsdump, so star may be the best choice
> for backups soon.

ZFS is not here yet :-)

0
Reply Dave 12/9/2004 11:41:49 PM

Dave Uhring wrote:
> On Thu, 09 Dec 2004 22:14:51 +0000, John D Groenveld wrote:
> 
> 
>>In article <pan.2004.12.07.20.49.06.528386@yahoo.com>,
>>Dave Uhring  <daveuhring@yahoo.com> wrote:
>>
>>>But it appears necessary for remote backup to tape.
>>
>>Joerg Schilling's star and rmt appear to work with ssh.
> 
> 
> I had ufsdump in mind.  Coy Hile clarified that users in the group sys had
> read permissions on the raw disk devices, and I had never looked at the
> perms in /devices previously.
> 

I actually learnt that from one of the articles on Rich's site. 
Thanks Rich :)



-- 
Coy Hile
hile@cse.psu.edu
0
Reply Coy 12/10/2004 2:19:01 PM

On Fri, 10 Dec 2004, Coy Hile wrote:

> I actually learnt that from one of the articles on Rich's site.
> Thanks Rich :)

<Eddie, the shipboard computer>
	It was a real pleasure, fellaa!  (Ticker tape, ticker tape.)
</Eddie, the shipboard computer>

-- 
Rich Teer, SCNA, SCSA, author of "Solaris Systems Programming"

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
0
Reply Rich 12/10/2004 6:07:31 PM
