
Re: [cobalt-security] SFTP on Raq4 as Root?



Hi again all,

> right but the cobalt default is for admin/root to use the same passwd....
> and if someone gets/cracks/whatever the admin pw then that account provides
> no added security

That's pretty easily changed, though.

> > > Aparently you have a problem determining who and when your logins
> > > happen.  I
> > That's not quite true.
> no really I do :)

Actually, I wasn't contesting that, I was contesting the "Aparently
(sic) you have a problem determining who and when your logins happen".

> they would own every account on the box if they wanted...  root access would
> only mean that they wouldn't have to su....  They would get all the passwd's
> not just root's

Well, I did concede that it wasn't a perfect system, but it would force
them to crack more than 1 password, which, if the password is well chosen,
would take a reasonable amount of effort for Joe Cracker.  I tend to be of
the opinion that no security will ever be perfect.  There's always going
to be a new bug, exploit or even something that's been overlooked in the
setup.  I do, however, believe in making things difficult for a potential
attacker.  Thank god for shadow passwords.

> ahh  these are cobalt servers.... they don't have lilo.... :)

True enough, it was an illustration of a point.

> nope no wap server....  just a hole I took advantage of...

Well, good for you.  For anyone interested in telnet over WAP, take a look
at

http://www.exolution.de/wapsh/index.html

It's a little clunky, but it works.

> oh and if it stops it will restart, all by itself.... :)

Again, that wasn't quite the point.  Stuff like cron or any long-running
process which you use to reset bits of the system can also be disabled.

> yeppers...  well it is something that everybody can decide on their own....
> that's why it's an option....

Wouldn't it be a boring world if we were all the same ? =)

Regards,

John.