From: Jeff Jirsa <jeff@unixconsults.com>
Date: Thu, 21 Nov 2002 22:56:05 -0800 (PST)
To: Kirk Strauser
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: enabling finger - why not?
In-Reply-To: <87el9erzjx.fsf@pooh.lan.honeypot.net>
Message-ID: <20021121225056.E5833-100000@boris.st.hmc.edu>

On 21 Nov 2002, Kirk Strauser wrote:

> At 2002-11-22T03:18:29Z, Jeff Jirsa writes:
>
> > Finger is relatively safe. Most of the arguments for not allowing it
> > involve privacy rather than security (I don't really like people knowing
> > when I log in and out; if they need to bother me, there are better ways to
> > track me down).
>
> Well, privacy and security are almost directly related in this case. finger
> gives a nice route for would-be attackers to get a list of usernames from
> the system in that it's a pretty quick way to do a dictionary attack of
> names against a server.

Yes, but that can be disabled with the -s switch:

     -s      Enable secure mode.  Queries without a user name are rejected and
             forwarding of queries to other remote hosts is denied.

He also said there were users on the box, and asked what THEY might do ...
any user can always `cat /etc/passwd`, so `finger @host` doesn't add much
more risk than that.

- Jeff
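The point of the reply is that the risk Kirk describes (a user-list query answered to anyone on the network) is controlled by whether the fingerd listener is started with -s. The script below is an added example, not part of the thread: it audits an inetd.conf file and reports, for each enabled finger entry, whether the fingerd arguments include -s. The inetd.conf layout assumed here is the standard FreeBSD one (service, socket type, protocol, wait/nowait with optional limits, user, program path, then the program's argv), and the sample configuration it writes is constructed for the example; on a real host you would pass /etc/inetd.conf instead.

```shell
#!/bin/sh
# Added example, not from the thread above: audit an inetd.conf for finger
# entries and report whether each *enabled* entry runs fingerd with -s
# (secure mode: user-less queries rejected, forwarding denied). The sample
# file written below is constructed for this example; on a real FreeBSD host
# pass /etc/inetd.conf instead.

# inetd.conf fields: service socket proto wait/nowait[/limits] user program args...
# Field 6 is the program path, field 7 is argv[0], so flags start at field 8,
# but scanning from field 7 is harmless and tolerates a missing argv[0].
# Prints "<proto> secure" or "<proto> insecure" for each enabled finger entry;
# commented-out entries are ignored.
audit_finger_entries() {
    conf="$1"
    grep -v '^[[:space:]]*#' "$conf" | awk '
        $1 == "finger" {
            secure = 0
            for (i = 7; i <= NF; i++) if ($i == "-s") secure = 1
            print $3, (secure ? "secure" : "insecure")
        }'
}

# Count enabled finger entries that lack -s. A non-zero result means at least
# one listener would answer a user-less "finger @host" query with a user list.
insecure_finger_count() {
    audit_finger_entries "$1" | awk '$2 == "insecure" { n++ } END { print n + 0 }'
}

# Constructed sample configuration: one tcp listener in secure mode, one tcp6
# listener without the flag, and one commented-out entry that must be ignored.
sample_conf="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$sample_conf" <<'EOF'
# constructed sample inetd.conf fragment (not a real system file)
#ftp    stream  tcp     nowait       root    /usr/libexec/ftpd     ftpd -l
finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
finger  stream  tcp6    nowait/3/10  nobody  /usr/libexec/fingerd  fingerd
#finger stream  tcp     nowait       nobody  /usr/libexec/fingerd  fingerd
EOF

audit_finger_entries "$sample_conf"
echo "enabled finger entries without -s: $(insecure_finger_count "$sample_conf")"
```

On the sample file this prints "tcp secure", "tcp6 insecure" and a count of 1: the IPv6 listener is the one that would still hand out a user list. Checking every finger line rather than the first matters because a host commonly carries separate tcp and tcp6 entries, and only the one that was hand-edited gets the flag.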