[j-nsp] Juniper as a route-server

Richard A Steenbergen ras@e-gerbil.net
Thu, 5 Dec 2002 13:18:43 -0500


On Thu, Dec 05, 2002 at 05:36:55PM -0000, Guy Davies wrote:
> That's fine, if you give them enough rope to hang themselves....  IMHO,
> that is a gross security risk.  As I say, that's just my opinion.  I
> think describing it as nonsense is unfair.  You just hold a different
> opinion which I think exposes you to unacceptable risk.  We clearly have
> a different opinion of what is an acceptable risk so let's leave it at
> that :-)

If I didn't want enough rope to hang myself I'd go buy a Linksys.

It shouldn't be that hard, you'd just need telnetd (that being the only 
service without an explicit user and pass in the protocol) to check if a 
login: prompt is necessary or if it can be handed off to a specific 
preconfigured account. Actually I think that functionality is already 
there, passed w/setenv USER, depending on what telnetd code Juniper is 
using.

> Why would you want to change a user's privileges while they're connected
> to the CLI?  You either want the user to have access to particular
> functions or you don't!  You have a great deal of flexibility in setting
> classes to which you can assign users, each of those classes having
> different subsets of the total functionality.  It's certainly more
> flexible than the fixed number of "levels" available with other vendors'
> software ;-)

Why not? Why would you want su(1) on a unix system when you could just log 
out and back in with a different user? You've got the functionality for su 
in the shell, why not put it in the cli?

At any rate, just fixing telnetd would temporarily solve the public access 
problem (though not very elegantly) while still providing access to 
another user via ssh. Unfortunately it doesn't look like the telnetd 
they're currently rolling will take the necessary USER via a commandline 
arg, or you could just set it in inetd.conf.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)