Very Computer

Hello,

I have a problem administrating Linux-PCs via the network:

        Everytime I login as 'root' on a Linux PC (Slackware 2.2,
        kernel 1.2.13, shared libs 4.6.27), I have to enter a password
        via the net - this is not acceptable!
        I did not find a way for 'root' to bypass it ($HOME/.rhosts,
        /etc/hosts.equiv don't work!).
        It would be very helpfull to fix this problem because in our
        Linux/Sun-OS network centralized administrator machines are installed,
        from which 'root' can login on any other workstation without password
        input - just Linux currently doesn't supports it!

Thank's!

PS: Address is wrong - I know, thank you!
    I will fix it, when I have the time!!!

Quote:

>         Everytime I login as 'root' on a Linux PC (Slackware 2.2,
>         kernel 1.2.13, shared libs 4.6.27), I have to enter a password
>         via the net - this is not acceptable!
>         I did not find a way for 'root' to bypass it ($HOME/.rhosts,
>         /etc/hosts.equiv don't work!).
>         It would be very helpfull to fix this problem because in our
>         Linux/Sun-OS network centralized administrator machines are installed,
>         from which 'root' can login on any other workstation without password
>         input - just Linux currently doesn't supports it!

Let me see if I have this right. Its better to be able to log in as root
without using a password than it is to send the password out over then
network? I really don't think that's a great idea. If I sen the password
out someone will have to sniff the trafic and put the password back
together. OK, that's really not that hard. But in the other case I just
pretend to be the administration machine and BANG! I'm root everywhere.
There's got to be a better way.

--
Jude Giampaolo              Case Western Reserve University
Electrical Engineering      'There's not much to see actually,
and Applied Physics         we're inside a Chinese dragon...'

WWW==>    http://prozac.student.cwru.edu/jude/JudeHome.html

Quote:>>         Everytime I login as 'root' on a Linux PC (Slackware 2.2,
>>         kernel 1.2.13, shared libs 4.6.27), I have to enter a password
>>         via the net - this is not acceptable!

>Let me see if I have this right. Its better to be able to log in as root
>without using a password than it is to send the password out over then
>network? I really don't think that's a great idea. If I sen the password
>out someone will have to sniff the trafic and put the password back
>together. OK, that's really not that hard. But in the other case I just
>pretend to be the administration machine and BANG! I'm root everywhere.
>There's got to be a better way.

I do not understand your remark. You can not pretend to be what you are not.
The question implies that you are root AND root of a specific machine, that
is allowed to connect as root on another machine. Obviously, the characteristics
of that machine is known. I do not believe it is possible to simulate the
allowed machine ( IP address and the rest ) without it being immediately detected.
Any idea around... ?

=>>         Everytime I login as 'root' on a Linux PC (Slackware 2.2,
=>>         kernel 1.2.13, shared libs 4.6.27), I have to enter a password
=>>         via the net - this is not acceptable!

=>Let me see if I have this right. Its better to be able to log in as root
=>without using a password than it is to send the password out over then
=>network? I really don't think that's a great idea.  [ ... ]

=I do not understand your remark. You can not pretend to be what you are not.

In the above case, one certainly can.

=The question implies that you are root AND root of a specific machine, that
=is allowed to connect as root on another machine. Obviously, the characteristics
=of that machine is known. I do not believe it is possible to simulate the
=allowed machine ( IP address and the rest ) without it being immediately detected.

You are incorrect. This is called "spoofing" and is a serious problem.
I would never allow a network I was responsible for to permit a root
priviledge login without the entry of a password unless the network was
completely physically secure (and even then I'd worry about it). With
currently available software, it's possible to change the hardware address
associated with a computer. Altering the configuration to use a different
IP address is trivial. Attach a rogue system to a network, trap the
hardware address of the system you want to spoof, configure the rogue
to match, and you're in as root on the target system in seconds.

And this type of thing can go on for quite a while undetected. It only
takes a minute to set up a suid shell, then break the spoofed connection
and go to work on the target, doing whatever infantile damage the
intruder wishes.

=Any idea around... ?

Just take the root passwords off your systems. That way, you'll be able
to save those few seconds when you log in. You can remember them when
you spend hours cleaning up the mess.

If Linux doesn't allow what you're trying to do, I consider that to be
a mark in Linuxs' favor.

Gary

--

   The Chairman of the Board and the CFO speak for SCI. I'm neither.
"Quit while you're ahead. All the best gamblers do."  Baltasar Gracian