Re: ftp not allowed as 'root' 5.0.6 new install
From: scooter (sullmann_at_telespectrum.com)
Date: 01/25/05
- Next message: Jean-Pierre Radley: "Re: remote x sessions"
- Previous message: ubwnews_at_hotpop.com: "Re: Medical Manager Remote Access"
- In reply to: Lawrence Garvin: "Re: ftp not allowed as 'root' 5.0.6 new install"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 25 Jan 2005 08:26:43 -0800
Lawrence Garvin wrote:
> I could offer two possible reasons why nobody's encountered this issue
> before...
>
> (1) running ftpd on a "low" or "traditional" security machine
> (2) never changing the root password since installation
>
> Since both of these would have to occur to encounter the error, and the
> combination of the two is probably on the opposite end of the spectrum for
> "security best practices", I imagine the likelihood of being encountered is
> pretty low.
>
> It's also probably why it slipped past testing and ended up in the Release
> Notes as an 'issue'.
>
> Best practices:
> (1) if you're running ftpd... you really should consider security higher
> than "traditional".
> (2) if you're running ftpd... you definitely need to protect the root
> account by regularly changing the password.
> (3) if you're running ftpd... you really should disable the root account
> from access.
>
> ..... unless, of course, you're running the server in an isolated network
> where a very limited number of people could get access.
>
> Then, you're just one of the few that might get hit by this bug.
>
> Interestingly, it's my suspicion that most systems in that scenario did not
> meet the criteria for the second prereq -- "root password was set during
> system installation to a string longer than 8 characters" -- which may well
> be the one reason these systems didn't suffer. I'm guessing most such
> systems have pretty simple root passwords, if any at all.
>
> Anyway.. glad I could help. Was purely luck that I ran across that note. I
> was reviewing the Release Notes for another project and had just finished
> scanning through the newsgroup looking for notes on v5.0.6 and happened to
> read your message.
>
> "scooter" <sullmann@telespectrum.com> wrote in message
> news:1106663301.036154.279980@f14g2000cwb.googlegroups.com...
> >
> > Lawrence Garvin wrote:
> >> Scott.... just found this note in the Release Notes for the 506A supplement.
> >> Maybe this is the cause?
> >>
> >> ftpd root password recognition
> >> The updated ftpd(ADMN) in Release Supplement 506A differs from the previous
> >> release in its handling of certain long passwords. The root password will
> >> not be recognized by ftpd if all the following conditions are met:
> >>
> >>
> >> a.. a system was installed with the ``low'' or ``traditional'' security
> >> defaults,
> >>
> >> b.. its root password was set during system installation to a string
> >> longer than 8 characters, and
> >>
> >> c.. the root password has never been changed since installation.
> >> To correct this, run passwd(C) as root and enter the same password (or a new
> >> one). This rewrites the password entry in a form that is understandable to
> >> the new ftpd.
> >>
> >> _________________________
> >> Lawrence Garvin, M.S., MCP
> >> Principal/CTO
> >> Onsite Technology Solutions
> >> http://www.onsitechsolutions.com
> >> ICQ#: 38720625
> >> MSN Messenger: lawrencegarvin@msn.com
> >> _________________________
> >>
> >>
> >> "scooter" <sullmann@telespectrum.com> wrote in message
> >> news:1106578829.115843.99930@c13g2000cwb.googlegroups.com...
> >> >I have just installed 5.0.6 with all patches applied.
> >> >
> >> > When testing ftp connection, I get login failed when trying to connect
> >> > as 'root'...??
> >> >
> >> > telnet works fine...just not ftp.......
> >> >
> >> > I have checked the /etc/ftpusers file and it has no entries in it.
> >> >
> >> > I have looked in inetd.conf file, and it shows for ftp:
> >> >
> >> > ftp stream tcp nowait root /etc/ftpd ftpd
> >> >
> >> >
> >> > Security is set to 'traditional'
> >> >
> >> > What am I missing here?
> >> > Scott Ullmann
> >> > Telespectrum
> >> > sullmann@telespectrum.com
> >> >
> >
> > Lawrence,
> >
> > Absolutely genius man. That's exactly what it was.
> > I re-set the password for root (but didn't change the password)
> > and it worked right away.
> >
> > I'm really surprised no one has run across this yet (at least I have
> > seen NO posts to indicate that anyone has)
> > Thanks a ton for your help. I really appreciate it.
> >
> > Scott
> >
I started thinking mostly about the password length after I fixed this.
I agree with part of your assessment that it's kinda odd that seemingly
most people don't use longer passwords. I have always done that just
as a small layer of security....
The rest of your post is duly noted....but this server is not public
facing and people with access to it are very limited.
I want to thank you again for finding that.
Scott
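
Added example, not part of the original thread: a shell check for the third best practice quoted above (deny root over FTP), run against the two files the thread mentions. It assumes the usual ftpd convention that accounts listed in the ftpusers file are refused; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit whether UID-0 accounts can still log in over FTP.
# Assumption: ftpd refuses any account named in the ftpusers file.

# Succeeds if inetd.conf ($1) has an uncommented ftp service line.
ftp_enabled() {
    awk '$1 == "ftp" && $2 == "stream" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if user $1 is listed in ftpusers file $2 (comments ignored).
ftp_denied() {
    [ -f "$2" ] || return 1
    awk -v u="$1" '{ sub(/#.*/, "") } $1 == u { found = 1 } END { exit !found }' "$2"
}

# Prints every UID-0 account in passwd ($3) that ftpd would still accept.
# $1 = inetd.conf, $2 = ftpusers, $3 = passwd
ftp_root_exposure() {
    ftp_enabled "$1" || return 0          # no ftp service, nothing exposed
    awk -F: '$3 == 0 { print $1 }' "$3" | while read -r user; do
        ftp_denied "$user" "$2" || echo "$user"
    done
}

# Constructed sample files mirroring the thread: ftp enabled, empty ftpusers.
demo_dir=$(mktemp -d)
printf 'ftp stream tcp nowait root /etc/ftpd ftpd\n' > "$demo_dir/inetd.conf"
: > "$demo_dir/ftpusers"
printf 'root:x:0:3:Superuser:/:\nbin:x:3:5:System files:/:\n' > "$demo_dir/passwd"

echo "before: $(ftp_root_exposure "$demo_dir/inetd.conf" "$demo_dir/ftpusers" "$demo_dir/passwd")"
echo root >> "$demo_dir/ftpusers"         # hardening step: deny root over FTP
echo "after:  $(ftp_root_exposure "$demo_dir/inetd.conf" "$demo_dir/ftpusers" "$demo_dir/passwd")"
rm -rf "$demo_dir"
```

On a live system the three arguments would be the real inetd.conf, ftpusers and passwd paths; any name the function prints is a UID-0 account that FTP will still accept.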