Rainer --

...and then rhoerbe@netpromote.co.at said...
% >% - by default, no shell user should be allowed to log in to
% ftp/telnet/pop
% >% using the same password or at all
% >
% >Here's what throws me. I understand you to say that the default should
% >be for a console-only system. Is that what you meant?? I also don't
% >know what you mean by "same password"...
%
% A very common setup for a system with remote maintenance is to use SSH for

Right...

% shell access. However, this is insecure, if you keep using ftp and pop for
% the same account with the same password. My setup is, to use separate

Ahhh... I gotcha.

% accounts for different services. Quite inconvenient, unless you configure

Not a bad way to go. I just use sftp or scp and IMAP-SSL if I do any
remote mail work at all :-)

% different password-dbs for ftp/pop/samba. Again, this is considerably more
% effort, and I doubt that many admins do this.

Yeah. That would be some work, and I'd hate to have to keep changing my
sent-through-clear passwords every other day!

% Obviously, local access should not be limited.

... or even remote access to the box (through a secure channel, of
course), which is how I read your message the first time :-)

%
% Rainer
%
%
% ---------------------------------------------------------------------
% To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
% For additional commands, e-mail: suse-security-help@suse.com

:-D
-- 
David T-G                       * It's easier to fight for one's principles
(play) davidtg@bigfoot.com      * than to live up to them. -- fortune cookie
(work) davidtgwork@bigfoot.com
http://www.bigfoot.com/~davidtg/        Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

The "new millennium" starts at the beginning of 2001. There was no year 0.
Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*