From owner-freebsd-current Tue Nov 28 18:26:22 1995
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id SAA00980 for current-outgoing; Tue, 28 Nov 1995 18:26:22 -0800
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id SAA00973 for ; Tue, 28 Nov 1995 18:26:15 -0800
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id TAA26615; Tue, 28 Nov 1995 19:20:50 -0700
From: Terry Lambert
Message-Id: <199511290220.TAA26615@phaeton.artisoft.com>
Subject: Re: schg flag on make world in -CURRENT
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Tue, 28 Nov 1995 19:20:50 -0700 (MST)
Cc: terry@lambert.org, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.org
In-Reply-To: <2748.817605372@time.cdrom.com> from "Jordan K. Hubbard" at Nov 28, 95 04:36:12 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1348
Sender: owner-current@FreeBSD.org
Precedence: bulk

> Yeah, and you don't need a note from your mother either. I would
> therefore like to join Terry in demanding that su be disabled until
> the requisite scanner support (with authentication) be added directly
> into the kernel.

Now you are being silly.

The reason that the lines aren't secure by default is that you don't want to have the root password working while a line snooper is catching the packets with it in it.

Like a line snooper can't catch the packets with the original login, then watch for an "su" to work and catch those packets as well because the line isn't marked "secure".

You aren't effectively increasing the security against line snooping by not marking the things secure.

If the only protection is against brute-forcing root over the net, then it's no protection at all. This attack is already guarded against by the login attempt timer, attempt count disconnect, and probability function based on the password domain.

Speaking of the password domain, don't you crackers just love the way those anal password programs reduce the domain so that when you go cracking, you can limit your search domain? Really helps reduce the effort you need to expend when trying to crack...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.