From owner-freebsd-security Mon Dec 16 12:46:07 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id MAA01303 for security-outgoing; Mon, 16 Dec 1996 12:46:07 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id MAA01283; Mon, 16 Dec 1996 12:46:03 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id NAA01965; Mon, 16 Dec 1996 13:42:51 -0700
From: Terry Lambert
Message-Id: <199612162042.NAA01965@phaeton.artisoft.com>
Subject: Re: vulnerability in new pw suite
To: rb@gid.co.uk (Bob Bishop)
Date: Mon, 16 Dec 1996 13:42:51 -0700 (MST)
Cc: terry@lambert.org, proff@iq.org, security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Bob Bishop" at Dec 16, 96 00:03:01 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Yeah, fine on an isolated machine, but those pesky users also insist on
> using the same weak password on lots of different systems. So if some
> sleaze does manage to get root on your system and thus access to your
> shadow file, five gets you ten the user passwords he can now derive will
> work on neighbouring systems.

Five gets you ten that he'll just use rlogin instead, and go for root on
the new system from the user account, never knowing the user's password
(or caring).

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.