Date:      Wed, 21 Jun 1995 14:49:03 +0100
From:      "Jordan K. Hubbard" <jkh@freebsd.org>
To:        hackers@freebsd.org
Message-ID:  <199506211349.OAA19860@whisker.internet-eireann.ie>

Path: gate2.internet-eireann.ie!news.sprintlink.net!cs.utexas.edu!uwm.edu!vixen.cso.uiuc.edu!news.ecn.bgu.edu!newspump.wustl.edu!ecl.wustl.edu!beru!brian
From: brian@beru.wustl.edu (Brian L Gottlieb)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: PPP login script security
Date: 20 Jun 1995 17:40:02 GMT
Organization: Washington University, St. Louis, MO
Lines: 45
Message-ID: <3s715i$6pm@ecl.wustl.edu>
NNTP-Posting-Host: beru.wustl.edu
X-Newsreader: TIN [version 1.2 PL1]

I recently (over the last week or so, actually) installed FreeBSD on
my system.  I got it up and running without a problem, and got X
running after doing a kernel recompile to include my PS/2 mouse.

Anyways, I'm now trying to configure it for ppp dial-on-demand.  I've
tried it out and it works great.  But I am concerned about the login
script being readable on the machine.  My ISP uses a login and
password authentication before setting up the PPP connection.  This
password is the same as my user password (as required by his setup),
and therefore compromises my account if the password appears in the
script.

Given that the /etc/ppp.* files are not encrypted at all, my password,
if it were to appear in those files, would be compromised.  Also, the
password for accessing PPP running as a daemon is also in plaintext
in the /etc/ppp.secret file.

One idea I had was to have a password for accessing the daemon, and
I could just connect to it and give it the login script once after
every reboot.  Then dial-on-demand would work fine.  But the plaintext
password makes that kind of useless.

Has anyone been doing any work towards this?  One idea I had was to
have the password in /etc/ppp.secret be encrypted.  The login script
would not appear in the configuration file, but would require manual
every time the ppp program is run.  If it is run at boot with -auto,
this should not be a major inconvenience.

While this may still not be 100% secure (what is?), it would be enough
for me to feel secure that my roommate, or a visitor, won't be able to
trivially extract my password.

I started looking into the ppp code last night.  If there is no other
work being done for such a thing, I'll look into it further.

brian

--
          O     O     O     O                          Brian Gottlieb
         /--/  /--/  /--/  /--/     O~             Research Assistant
o_______/\_/__/\_/__/\_/__/\_/______-\________   Applied Research Lab
 \______________/___________/________________/  Washington University
               /           /                             St Louis, MO
              (           (         O)        O)  brian@arl.wustl.edu
        Life is Short -- Row Hard!   http://www.arl.wustl.edu/~brian/
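
The exposure raised in the post is that the /etc/ppp.* files, /etc/ppp.secret included, hold the password in plaintext where other local users can read them. As an added example that is not part of the original post, these shell functions list the ppp.* files that group or others can read and restrict them to mode 600. The function names and the directory argument are assumptions of this example, and file modes only keep out unprivileged local users, not root.

```shell
#!/bin/sh
# Added example: audit ppp configuration files for group/other read access.
# The directory argument is an assumption of this example; it defaults to
# /etc, where the post says the ppp.* files live.
# Usage: ppp_exposed_files /etc ; ppp_lockdown /etc

# Print every regular file named ppp.* directly under $1 that is readable
# by group or by others (mode bits 040 or 004), one path per line.
ppp_exposed_files() {
    dir=${1:-/etc}
    find "$dir" -maxdepth 1 -type f -name 'ppp.*' \
        \( -perm -040 -o -perm -004 \) -print | sort
}

# Restrict each exposed file to owner read/write only, logging each change
# to stderr, then print whatever is still exposed (nothing on success).
ppp_lockdown() {
    dir=${1:-/etc}
    ppp_exposed_files "$dir" | while IFS= read -r f; do
        chmod 600 "$f" && echo "tightened: $f" >&2
    done
    ppp_exposed_files "$dir"
}
```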
