From owner-freebsd-security Thu Dec 4 00:13:29 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA01780 for security-outgoing; Thu, 4 Dec 1997 00:13:29 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA01769 for ; Thu, 4 Dec 1997 00:13:23 -0800 (PST) (envelope-from adam@homeport.org)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id DAA19509; Thu, 4 Dec 1997 03:10:04 -0500 (EST)
From: Adam Shostack
Message-Id: <199712040810.DAA19509@homeport.org>
Subject: Re: Possible problem with ftpd 6.00
In-Reply-To: from Robert Watson at "Dec 2, 97 10:26:31 am"
To: robert@cyrus.watson.org
Date: Thu, 4 Dec 1997 03:10:04 -0500 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

If you design systems such that people need to RTFM, your systems will fail. The FTP daemon should be re-written so that it doesn't ask for a password when it's offering anonymous access. (As in http).

Adam

Robert Watson wrote:
| The notice clearly states that one should send one's email address as the
| password. One of the caveats of having network capability is that users
| must know when (and when not) to give their passwords. If you cannot
| trust them to not enter their password when connecting to a remote system
| using FTP, you really should not be even allowing them near a UNIX account
| that has network access of any kind. Education is more important here, I
| think, than making changes that may break existing programs.
|
| Robert N Watson
|
| Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
| Network Administrator, SafePort Network Services http://www.safeport.com/
| robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
|
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume