On Fri, Aug 02, 2002 at 02:43:15PM -0500, Dooley, Ryan wrote:
> Package: base install
> Version: 3.0 (woody)
>
> A recent security audit turned up the ability to login on a fresh
> install with the accounts bin, daemon, and games from a telnet session
> without a password.
>
> A fix seemed to be making sure that the password in /etc/passwd (or
> /etc/shadow if configured) is set to "!" instead of "*". Another issue
> might have been the existence of "nullok" in /etc/pam.d/login (and other
> files).
>
> I've not been able to reproduce this on the only other Debian system I
> have access to, however, it is still Debian 2.2.
>
> I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5
>
> Ryan

By default on a new install, telnet is commented from starting up in
inetd.conf. telnetd itself is not installed by default.

I also was not able to verify your assertion after installing telnetd
and enabling it.

--
*------v--------- Installing Debian GNU/Linux 3.0 --------v------*
|  <http://www.debian.org/releases/stable/installmanual>         |
|   debian-imac: <http://debian-imac.sourceforge.net>            |
|            Chris Tillman        [EMAIL PROTECTED]              |
|           To Have, Give All to All (ACIM)                      |
*----------------------------------------------------------------*
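
A check for the two conditions discussed in this thread, as an added example that is not part of the original messages: it classifies the password field of each account and looks for `nullok` on `pam_unix` lines. The sample entries and all function names are constructed for illustration and do not reflect the actual woody defaults.

```python
# Constructed sample data, not taken from a real system.
SAMPLE_SHADOW = """\
root:$1$EXAMPLE$constructedhashvalue00:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
bin:!:11900:0:99999:7:::
games::11900:0:99999:7:::
"""
SAMPLE_PAM_LOGIN = """\
# constructed /etc/pam.d/login fragment
auth     required   pam_unix.so nullok
account  required   pam_unix.so
"""

def classify(field):
    """Classify the password field of a passwd/shadow entry."""
    if field == "":
        return "empty"      # no password set: login needs none if PAM allows it
    if field == "x":
        return "shadowed"   # passwd entry whose real field lives in /etc/shadow
    if field[0] in "*!":
        return "locked"     # cannot match any crypt() output, so no password works
    return "hash"

def audit_accounts(text):
    """Map account name -> classification for passwd/shadow-format text."""
    result = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0] and not parts[0].startswith("#"):
            result[parts[0]] = classify(parts[1])
    return result

def pam_nullok_lines(text):
    """Return 1-based line numbers where pam_unix is given a nullok-style option."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()  # drop trailing comments
        for i, token in enumerate(tokens):
            if "pam_unix" in token and any(t.startswith("nullok") for t in tokens[i + 1:]):
                hits.append(number)
                break
    return hits

def passwordless_accounts(shadow_text, pam_text):
    """Accounts that can log in with no password: empty field AND nullok in PAM."""
    if not pam_nullok_lines(pam_text):
        return []
    return sorted(n for n, c in audit_accounts(shadow_text).items() if c == "empty")

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_SHADOW))
    print(pam_nullok_lines(SAMPLE_PAM_LOGIN), passwordless_accounts(SAMPLE_SHADOW, SAMPLE_PAM_LOGIN))
```

On a real system, pass the contents of `/etc/shadow` (read as root) and each file under `/etc/pam.d/` to the same functions.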

