Bug#129988: S/390: secure install with a password?
Jochen Hein wrote:
[This is with the old boot-floppies, can't see if it is fixed.
Changelog says:
"- s390: don't modify etc/passwd on the initrd any longer"]
This has not been changed in the current boot-flopppies, the
modification to /etc/passwd is not necessary any longer because
/bin/login is a custon program that just spawns a shell. We save
over 300 KB this way because we can remove PAM from the initial
RAM disk.
After that, you telnet into the box and the first session starts the
rest of the install. Any other connect gives a root prompt without
asking for a password - so any user in your net may drop into the
system and screw up your installation.
I don't think asking for a password is more secure. Your tn3270 and
telnet sessions are not encrypted so everybody on the net can sniff
your password. IMHO setting a password only gives the false impresseion
of a secure installation.
Caiman asks for a new password and start inetd only after stat. I
think, that should be how it is done.
This means that we will have to add PAM again, making the initrd larger.
Once ssh moves from non-US to main we might include it together with
PAM into the initial RAM disk. This way your first connection can be
encrypted and the password will not be transmitted in clear text when
it's set in base-config.
--
Stefan Gybas
Reply to: