Date: Thu, 3 Dec 1998 05:51:22 +0300 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: Dima Ruban <dima@best.net>, guido@gvr.org, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/etc master.passwd Message-ID: <19981203055122.A41883@nagual.pp.ru> In-Reply-To: <199812030244.SAA20794@apollo.backplane.com>; from dillon@apollo.backplane.com on Wed, Dec 02, 1998 at 06:44:17PM -0800 References: <199812022135.NAA02023@burka.rdy.com> <199812022155.NAA19166@apollo.backplane.com> <19981203021907.A79875@nagual.pp.ru> <199812030244.SAA20794@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 02, 1998 at 06:44:17PM -0800, Matthew Dillon wrote: > I don't see how '*'d-out accounts can possibly have a major effect > on security. If your machine gets broken into and you aren't There are another authorisation schemes can be used besides passwd, f.e. pop uses APOP with its own database. > checking your entire hierarchy, you've got a problem anyway. Making > the operator account less easily subverted when it already defaults > to a '*'d-out password is not going to improve security in any > measureable way. The hacker could just as easily add innocuous > rhosts, ssh (, etc...) entries to other system entries or even > inactive user accounts. Replacing directory wich have non-zero chances to be created achieve one number less places to check after attack. Moreover strange name of old directory can lead non-expirienced sysadmins to create /usr/guest hierarchy which just add junk to many systems. -- Andrey A. Chernov http://www.nagual.pp.ru/~ache/ MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19981203055122.A41883>