TOPIC Mac OS X Setup Assistant network configuration includes a "Remote Login" panel that configures the system to "allow network access", but it has no "Tell Me More" button to explain why you might or might not wish to do this. DISCUSSION Remote Login in the Mach/BSD context means an ability to open a command line session from another computer on the network, using Telnet or other communications software. There are pros and cons to permitting this, or to disallowing it. Security and administrative capability are the contesting issues here. Security is obviously stronger if the system doesn't even support remote command line connections, even though password access still applies. Environments where it might be considered particularly risky to allow remote logins would include systems connected directly to the Internet without a firewall; systems with critical financial, commercial, military or other confidential data; systems located in university or non-elementary school environments, or even in highly competitive business environments. An available telnet connection, along with a non-root user account that is a member of group "wheel", enable detailed system administration and monitoring to be done remotely. This can be a huge asset, especially in the relatively rare event that the system's GUI interface ("Workspace Manager") should freeze, or keyboard and mouse become unresponsive. In such situations, the server may well be running and behaving in a normal manner as far as most users would be concerned, but without the remote login and with no console access, it can be pretty awkward shutting down the system or restarting it. Also, a telnet session can eliminate much of the need for console access; this is very handy if the computer is located in a remote or difficult location. To allow remote logins doesn't inherently invite disaster. There are two layers of protection inherently involved: the normal username-password security, and the fact that on Mac OS X, the root (administrative) account doesn't directly allow remote logins; one must first telnet in with a less-privileged user account, and, if that user account is made a member of group "wheel", that connection will be allowed to "su" to the root account once connected. One must have the root password to do this, of course. Almost any operation not involving graphics can be performed with a telnet command-line connection; in particular, text-based programs and utilities can be run; data drives can be dismounted and checked; files can be edited, copied, deleted, duplicated, or printed; best of all, though, the system can be shut down or restarted in a proper, orderly manner. Thus, it is an important decision for the administrator to decide whether to forgo these capabilities in the interests of security, or not. For further information, read the man pages on su and telnet. |
||||||
| Document Information | |
| Product Area: | Mac OS System Software |
| Category: | Mac OS X Server |
| Sub Category: | General Topics |
Copyright © 2000 Apple Computer, Inc. All rights reserved.