Bug#129988: S/390: secure install with a password?
>>>>> "Stefan" == Stefan Gybas <gybas@trustsec.de> writes:
Stefan> I don't think asking for a password is more secure. Your
Stefan> tn3270 and telnet sessions are not encrypted so everybody on
Stefan> the net can sniff your password. IMHO setting a password only
Stefan> gives the false impression of a secure installation.
I disagree. If there is no password at all, *anybody* can access the
root account. If I'm setting up on a public machine (like I did
here), I have a problem.
Yes, a telnet password may be sniffed, but is far better than nothing
at all. At least we should document the problems with any choice we
make here.
Stefan> This means that we will have to add PAM again, making the
Stefan> initrd larger.
Not in any case. Maybe adding a *very* simple password check to login
(no need for encrypted passwords for example), or a TCP-Wrapper to an
IP address may be helpful.
Stefan> Once ssh moves from non-US to main we might
Stefan> include it together with PAM into the initial RAM disk. This
Stefan> way your first connection can be encrypted and the password
Stefan> will not be transmitted in clear text when it's set in
Stefan> base-config.
This will be most desirable. But waiting for that shouldn't leave
any S/390 system accessible without password as root during the -
sometimes longer - installation.
Jochen
--
#include <~/.signature>: permission denied