On Wed, May 16, 2001 at 01:08:00AM +0200, Achim Bohnet wrote:
> On Wednesday 16 May 2001 00:35, Jens Benecke wrote:
> > On Tue, May 15, 2001 at 10:48:11PM +0200, Achim Bohnet wrote:
> > > On Tuesday 15 May 2001 22:16, Burkhard Perkens-Golomb wrote:
> > > > During upgrade a warning appears that X starts now with "-nolisten
> > > > tcp" :-) . See /etc/X11/kdm/Xservers, delete "-nolisten tcp".
> > > No please don't delete it (without a good reason). The problem can
> > > be solved in two other ways without any security loss. a) use ssh as
> > There's an even simpler way (though I wouldn't understand why you don't
> Security: direct root login not permitted (never tried to figure out how

Oh, that's simple. You even have a choice between two methods. :-)

Either:

PermitRootLogin without-password

That means you will only be able to log in from machines whose public key
(in /root/.ssh/identity.pub) is in the server's /root/.ssh/authorized_keys.
NO password will be asked, but you won't be able to log in from other hosts
at all, as root. That's what I use here, because it makes changing to root
so simple while OTOH denying root access from outside completely.

The other is simply defining categories in the sshd_config. You can define
that from 127.0.0.1 root access is allowed but not from 0.0.0.0 (everywhere
else). I don't know exactly how this is done however. ;)

> to allow root login only via localhost)
> Minor: Overhead, response.
> Compare X app via ssh tunneling and direct :0 access. :0 is much more
> responsive.

I think I can spare the couple of CPU cycles. :-)

> > ln -fs /home/achim/.Xauthority /root/.Xauthority
> > That way root will always have the "Magic cookie" from X, when achim is
> > logged in via X.
> Because there can't be 3 /home/{achim,harald,joachim}/.Xauthority links,

/usr/local/bin/toroot:
---------------------------------------------------------------------------
#!/bin/bash
# $USER is expanded by the calling user's shell; the "~" inside the quotes is
# left for root's login shell, so it becomes /root after "su -".
su - root -c "ln -fs /home/$USER/.Xauthority ~/.Xauthority; /bin/bash --login"
---------------------------------------------------------------------------

if you still don't want to use ssh. :-)

> sig. But for the standard 'this is my box' case you are right. Done on
> my laptop. Thanks for the tip.

No problem. ;)

-- 
Jens Benecke
> "Then just use Pattex right away!"
"Well, whether that helps... the manufacturer is, after all, a limited
liability company :-)" (-- from Usenet) [translated from German; the pun is
that "Haftung" means both liability and adhesion]
http://www.hitchhikers.de/ - The free ride-sharing service for all of Europe
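The two sshd_config methods Jens mentions, written out as an added example that is not part of the original thread. It assumes a current OpenSSH: "Match" blocks only exist since OpenSSH 4.4 (they did not exist in 2001, which is why the thread can't name them), and "without-password" has been a deprecated spelling of "prohibit-password" since OpenSSH 7.0. The user and address values are placeholders for illustration.

```text
# /etc/ssh/sshd_config (added example, not from the original thread)

# Global default: refuse every root login, whatever the source address.
PermitRootLogin no

# Method 1 from the thread (key-only root from anywhere): replace the line
# above with this one. Root may then log in from any host, but only with a
# key listed in /root/.ssh/authorized_keys; root's password is never accepted.
# "without-password" is the older spelling of the same value.
#PermitRootLogin prohibit-password

# Method 2 from the thread (root only via localhost): keep the global "no"
# and open root logins for loopback connections only, e.g. for
# "ssh -X root@localhost" from a desktop user's session. Keywords inside a
# Match block override the global value for matching connections, and the
# Address criterion is the client's source address.
Match Address 127.0.0.1,::1
    # prohibit-password rather than yes: with "yes", any unprivileged local
    # user could try root's password over loopback without limit. With a
    # key the local user still needs that user's private key to become root.
    PermitRootLogin prohibit-password
```

Before reloading sshd, check the file with `sshd -t -f /etc/ssh/sshd_config`, and confirm the effective setting for a given connection with `sshd -T -C user=root,addr=127.0.0.1` versus `sshd -T -C user=root,addr=192.0.2.10` (an example address); the first should print `permitrootlogin prohibit-password`, the second `permitrootlogin no`.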