Re: Root login
Vincent Deffontaines <vincent@gryzor.com>:
> Marek Kubica wrote:
> > On Thu, 4 Sep 2008 13:25:13 +0100
> > Paweł Krzywicki <krzywicki.pawel@googlemail.com> wrote:
> >
> >>> the solution was as Cerbelle said. Login as a normal user and do
> >>> sudo (or you can activate root login from the login menu; but I
> >>> personally consider it really dangerous!)
> >> I am wondering why this is dangerous?
> >> If your password is seen as "strong" "FaG34#fCFD12drtfdg" something
> >> like this for example why this is dangerous?
> >
> > The point is, that 1) not too many people use strong passwords 2)
> > having root access allowed makes it [easier] to break in, since the
> > username is known as it is always "root". User-accounts might be named
> > pawel, pawelk, krzywicki or be completely unknown for the attacker.
>
> Even though this principle is true, it seems to me it is not in
> application on every system.
>
> Try to login on any Lenny box console with an invalid account.
> You will get "Incorrect login" without being prompted for a
> password at all.
What? And you get a shell prompt?!?
> I tend to consider this as a quite bad bug, but it seems it has
> been so for a while in Lenny, and even in upstream PAM.
reportbug, search bugs.debian.org, ask in debian-mentors@lists.debian.org, ...
The "What?!?" was meant seriously. The closest I've come to running
Testing is Sidux which is Sid based, so I can't easily verify this. I
find it's difficult to believe that Lenny really does this, but what
do I know? Can anyone confirm?
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
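
The login behaviour described in the thread (an unknown account rejected before any password prompt), as an added example that is not part of the original messages and is not PAM's or login's code. It shows why that behaviour reveals which account names exist, next to a flow that always prompts and always hashes. The account table, function names and the dummy entry are assumptions made for the illustration; the sample password is the one quoted in the thread.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account database: username -> (salt, password hash).
_SALT = os.urandom(16)
ACCOUNTS = {"root": (_SALT, _hash("FaG34#fCFD12drtfdg", _SALT))}
# Dummy record checked for unknown names so both paths do the same work.
_DUMMY = (os.urandom(16), os.urandom(32))


def login_early_reject(username, ask_password):
    """Behaviour described in the thread: unknown names fail with no prompt."""
    if username not in ACCOUNTS:
        return "Incorrect login"  # the missing prompt tells the caller the name is invalid
    salt, stored = ACCOUNTS[username]
    ok = hmac.compare_digest(_hash(ask_password(), salt), stored)
    return "Welcome" if ok else "Incorrect login"


def login_uniform(username, ask_password):
    """Always prompt and always hash, so valid and invalid names look alike."""
    salt, stored = ACCOUNTS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(ask_password(), salt), stored)
    return "Welcome" if ok and username in ACCOUNTS else "Incorrect login"


def observe(login, username, password="wrong-guess"):
    """Return (password prompts shown, final message) for one login attempt."""
    prompts = []

    def ask_password():
        prompts.append(username)
        return password

    message = login(username, ask_password)
    return len(prompts), message


if __name__ == "__main__":
    for login in (login_early_reject, login_uniform):
        for name in ("root", "nosuchuser"):
            print(login.__name__, name, observe(login, name))
```

With the early-reject flow the number of prompts differs between "root" and an unknown name even though the final message is the same; with the uniform flow the two attempts are indistinguishable from the outside.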