
Bug#129988: S/390: secure install with a password?



>>>>> "Stefan" == Stefan Gybas <gybas@trustsec.de> writes:

 Stefan> I don't think asking for a password is more secure. Your
 Stefan> tn3270 and telnet sessions are not encrypted so everybody on
 Stefan> the net can sniff your password. IMHO setting a password only
 Stefan> gives the false impression of a secure installation.

I disagree.  If there is no password at all, *anybody* can access the
root account.  If I'm setting up on a public machine (like I did
here), I have a problem.

Yes, a telnet password may be sniffed, but is far better than nothing
at all.  At least we should document the problems with any choice we
make here.

 Stefan> This means that we will have to add PAM again, making the
 Stefan> initrd larger.  

Not in any case.  Maybe adding a *very* simple password check to login
(no need for encrypted passwords for example), or a TCP-Wrapper to an
IP address may be helpful.

 Stefan> Once ssh moves from non-US to main we might
 Stefan> include it together with PAM into the initial RAM disk. This
 Stefan> way your first connection can be encrypted and the password
 Stefan> will not be transmitted in clear text when it's set in
 Stefan> base-config.

This will be most desirable.  But waiting for that shouldn't leave
any S/390 system accessible without password as root during the -
sometimes longer - installation.

Jochen

-- 
#include <~/.signature>: permission denied


