From owner-cvs-all Wed Dec 2 18:51:48 1998
Message-ID: <19981203055122.A41883@nagual.pp.ru>
Date: Thu, 3 Dec 1998 05:51:22 +0300
From: "Andrey A. Chernov"
To: Matthew Dillon
Cc: Dima Ruban, guido@gvr.org, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
References: <199812022135.NAA02023@burka.rdy.com> <199812022155.NAA19166@apollo.backplane.com> <19981203021907.A79875@nagual.pp.ru> <199812030244.SAA20794@apollo.backplane.com>
In-Reply-To: <199812030244.SAA20794@apollo.backplane.com>; from dillon@apollo.backplane.com on Wed, Dec 02, 1998 at 06:44:17PM -0800
Organization: Biomechanoid

On Wed, Dec 02, 1998 at 06:44:17PM -0800, Matthew Dillon wrote:
> I don't see how '*'d-out accounts can possibly have a major effect
> on security. If your machine gets broken into and you aren't

There are other authorisation schemes that can be used besides passwd, e.g. pop uses APOP with its own database.

> checking your entire hierarchy, you've got a problem anyway. Making
> the operator account less easily subverted when it already defaults
> to a '*'d-out password is not going to improve security in any
> measurable way. The hacker could just as easily add innocuous
> rhosts, ssh (, etc...) entries to other system entries or even
> inactive user accounts.

Replacing a directory which has a non-zero chance of being created means one less place to check after an attack. Moreover, the strange name of the old directory can lead inexperienced sysadmins to create a /usr/guest hierarchy, which just adds junk to many systems.

-- 
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y