How can I enable root to login via telnet?
Dec 15th, 2005 14:16
DarkFlib, josh oshiro, K Mohan, Jason Ross, Richard Heyes,
To add to the earlier responses:
Just add entries to the end of the /etc/securetty file:
I mistakenly entered 'pts0' etc. It should be 'pts/0'. There was no
need to restart in RedHat 7.x. I could telnet as root both from WinNT
and another Linux host.
Using SSH is highly recommended as telnet as root is a definite security
You really shouldn't do this, you should login as another user and then
use 'su' to access the root account.
( Actually, you should disable telnet altogether and use ssh instead =)
The reasons for that are as follows:
1) Telnet is not an encrypted protocol. This means that any network
you go through on your way to your system has the potential to sniff
the packets you are sending, and gain the data you are transmitting,
including your root password.
( Note that using su doesn't solve this problem.)
2) Instead of having to hack a user account first and THEN root, an
intruder can go straight for the root account, so you have pretty much
cut the time for a brute-force attack in half.
But, putting all security concerns aside, if you edit /etc/securetty
and add pts[0-f] ( formerly ttyp[0-f] ) you should be able to login as
root via telnet. ( Unsure if you need to reboot or not ).
This file controls which terminals root can login from, and ptsx are
the ports used when telnetting into Linux. ( On Redhat 6.2 anyway )
Alternatively, you can edit the /etc/pam.d/rlogin file and comment out
    auth required /lib/security/pam_securetty.so
which will disable the use of the securetty file altogether.
( Very much _not_ recommended, but I thought I should mention it )
Hope that helps.
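The two settings described in the answer above can be checked with a read-only audit. This is an added example, not part of the original answers: it reports pseudo-terminal entries in a securetty file and a missing or commented-out pam_securetty line. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two files the answer says control root login
# on network pseudo-terminals. Read-only; it changes nothing.

# Print securetty entries that name a pseudo-terminal (pts/N or legacy ttypN).
securetty_pty_entries() {
    grep -E '^[[:space:]]*(pts/[0-9]+|ttyp[0-9a-f])[[:space:]]*$' "$1" 2>/dev/null || true
}

# Succeed only if the PAM service file has an uncommented pam_securetty auth line.
pam_securetty_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_securetty\.so' "$1" 2>/dev/null
}

# $1 = securetty file, $2 = PAM service file. Prints one line per finding.
audit_root_tty() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "SKIP: cannot read $1 or $2"
        return 0
    fi
    ptys=$(securetty_pty_entries "$1" | tr -d ' \t' | tr '\n' ' ')
    if [ -n "$ptys" ]; then
        echo "FINDING: $1 allows root on pseudo-terminals: $ptys"
    fi
    if ! pam_securetty_active "$2"; then
        echo "FINDING: $2 has no active pam_securetty line, securetty is not enforced"
    fi
    return 0
}

# Constructed sample files (not taken from a real host) for an offline run.
write_samples() {
    printf 'tty1\ntty2\npts/0\npts/1\n' > "$1/securetty.weak"
    printf 'tty1\ntty2\n' > "$1/securetty.ok"
    printf '#auth required /lib/security/pam_securetty.so\n' > "$1/rlogin.weak"
    printf 'auth required /lib/security/pam_securetty.so\n' > "$1/rlogin.ok"
}

# With two arguments, audit real files, e.g. /etc/securetty /etc/pam.d/rlogin.
if [ "$#" -eq 2 ]; then
    audit_root_tty "$1" "$2"
fi
```

An empty result means root is confined to the console terminals listed in securetty and the PAM check is still enforced for that service.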
These folks are right, you should disable telnet and use ssh only.
Beyond that you should set ssh to refuse a root login. Login as a
normal user and su to root.
In addition, if you choose to use ssh then be aware that there are many
people breaking into systems by dictionary attacks. Ideally you would
change the default port for ssh to something high that doesn't collide
with anything else on your system like 2222 or something. Also disabling
password based authentication completely and using key based
authentication instead will remove the chance of a dictionary attack