Date:      Tue, 28 Nov 1995 19:20:50 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        jkh@time.cdrom.com (Jordan K. Hubbard)
Cc:        terry@lambert.org, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.org
Subject:   Re: schg flag on make world in -CURRENT
Message-ID:  <199511290220.TAA26615@phaeton.artisoft.com>
In-Reply-To: <2748.817605372@time.cdrom.com> from "Jordan K. Hubbard" at Nov 28, 95 04:36:12 pm

> Yeah, and you don't need a note from your mother either.  I would
> therefore like to join Terry in demanding that su be disabled until
> the requisite scanner support (with authentication) be added directly
> into the kernel.

Now you are being silly.

The reason that the lines aren't secure by default is that you don't
want to have the root password working while a line snooper is catching
the packets with it in it.

Like a line snooper can't catch the packets with the original login,
then watch for an "su" to work and catch those packets as well because
the line isn't marked "secure".

You aren't effectively increasing the security against line snooping
by not marking the things secure.


If the only protection is against brute-forcing root over the net, then
it's no protection at all.  This attack is already guarded against by
the login attempt timer, attempt count disconnect, and probability
function based on the password domain.


Speaking of the password domain, don't you crackers just love the way
those anal password programs reduce the domain so that when you go
cracking, you can limit your search domain?  Really helps reduce the
effort you need to expend when trying to crack...


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


