Date: Tue, 28 Nov 1995 19:20:50 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Cc: terry@lambert.org, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.org
Subject: Re: schg flag on make world in -CURRENT
Message-ID: <199511290220.TAA26615@phaeton.artisoft.com>
In-Reply-To: <2748.817605372@time.cdrom.com> from "Jordan K. Hubbard" at Nov 28, 95 04:36:12 pm
> Yeah, and you don't need a note from your mother either. I would
> therefore like to join Terry in demanding that su be disabled until
> the requisite scanner support (with authentication) be added directly
> into the kernel.

Now you are being silly.

The reason that the lines aren't secure by default is that you don't want to have the root password working while a line snooper is catching the packets with it in it.

Like a line snooper can't catch the packets with the original login, then watch for an "su" to work and catch those packets as well because the line isn't marked "secure".

You aren't effectively increasing the security against line snooping by not marking the things secure.

If the only protection is against brute-forcing root over the net, then it's no protection at all. This attack is already guarded against by the login attempt timer, attempt count disconnect, and probability function based on the password domain.

Speaking of the password domain, don't you crackers just love the way those anal password programs reduce the domain so that when you go cracking, you can limit your search domain? Really helps reduce the effort you need to expend when trying to crack...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.