Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 19 Jan 2002 19:55:53 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        Mark Murray <mark@grondar.za>
Cc:        Kris Kennaway <kris@obsecurity.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
Message-ID:  <20020119165553.GF10976@nagual.pp.ru>
In-Reply-To: <200201191629.g0JGTkt22254@grimreaper.grondar.org>
References:  <20020119145947.GF9803@nagual.pp.ru> <200201191629.g0JGTkt22254@grimreaper.grondar.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jan 19, 2002 at 16:29:46 +0000, Mark Murray wrote:
> If the sysadmin turns on OPIE for a particular facility (like say, ftpd)
> then there MUST be an OPIE challenge for all users (except perhaps root

Why not for root?

> and the anonymous user). That way, the external user gets much less info
> about the internal security arrangements (like who is using OPIE, and who
> may be using (insecure) unix passwords). The less you tell the attacker,
> the better. If that means giving a bogus OPIE challenge for a user who
> has no OPIE enables, then that is GOOD, because it gives the attacker
> something bogus to chew on.
> 
> The fact that this may be open source is irrellevant. With the external
> attacker, the contents of /etc/ are still partially protected.

But from standard CD installation there was the same default range (i.e. 
month) appearse in most of /etc/'s which admins use default rules or
think that this parameter is not important.

Well, this discussion is pointless, because we not discuss a real thing, 
i.e. I see no implementation code for this thing yet. Lets continue with 
some real code in hand.

PLEASE NOTE

That my change is unrelated to that because the old method used gains
nothing even from your point of view, so my change must stay in, at least
until replacement appearse.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020119165553.GF10976>