Date: Thu, 21 Nov 2002 22:56:05 -0800 (PST)
From: Jeff Jirsa <jeff@unixconsults.com>
To: Kirk Strauser <kirk@strauser.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: enabling finger - why not?
Message-ID: <20021121225056.E5833-100000@boris.st.hmc.edu>
In-Reply-To: <87el9erzjx.fsf@pooh.lan.honeypot.net>

On 21 Nov 2002, Kirk Strauser wrote:

>
> At 2002-11-22T03:18:29Z, Jeff Jirsa <jeff@unixconsults.com> writes:
>
> > Finger is relatively safe.  Most of the arguments for not allowing it
> > involve privacy rather than security (I don't really like people knowing
> > when I log in and out, if they need to bother me, there are better ways to
> > track me down).
>
> Well, privacy and security are almost directly related in this case.  finger
> gives a nice route for would-be attackers to get a list of usernames from
> the system in that it's a pretty quick way to do a dictionary attack of
> names against a server.

Yes, but that can be disabled with the -s switch:

     -s      Enable secure mode.  Queries without a user name are rejected and
             forwarding of queries to other remote hosts is denied.

He also said there were users on the box, and asked what THEY might do ... any
user can always `cat /etc/passwd`, so `finger @host` doesn't add much more
risk than that.

- Jeff
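
A check for the -s setting discussed in the message above, as an added example that is not part of the original e-mail or of FreeBSD: it reports every enabled finger entry in an inetd.conf and whether fingerd is started with -s. The inetd.conf field layout, the fingerd option string (from the fingerd(8) synopsis) and the sample lines are assumptions constructed for the example.

```python
import getopt

# Assumed fingerd(8) synopsis: fingerd [-d] [-k] [-s] [-l] [-p filename]
FINGERD_OPTS = "dklp:s"

# Constructed sample input, not taken from any real host.
SAMPLE = """\
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd
finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -ls
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
"""


def audit_inetd_conf(text):
    """Return [(line_number, status)] for every enabled finger entry.

    status is "secure" (-s present), "no -s", or "unparsed".
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, or the service is commented out
        fields = line.split()
        # Assumed layout: service socket proto wait user path argv0 [args...]
        if len(fields) < 7 or fields[0] != "finger":
            continue
        try:
            # getopt handles bundled flags (-ls) and keeps the argument
            # of -p from being mistaken for a flag.
            opts, _ = getopt.getopt(fields[7:], FINGERD_OPTS)
        except getopt.GetoptError:
            findings.append((lineno, "unparsed"))
            continue
        secure = any(flag == "-s" for flag, _ in opts)
        findings.append((lineno, "secure" if secure else "no -s"))
    return findings


if __name__ == "__main__":
    for lineno, status in audit_inetd_conf(SAMPLE):
        print(f"line {lineno}: finger enabled, {status}")
```
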