Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] crypt()
  • From: Bogdan Zapca <lupe@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 16 Aug 2000 20:38:41 +0300 (EEST)
  • Message-id: <Pine.LNX.4.21.0008162036550.11781-100000@xxxxxxxxxxxxxxxxx>

True, but there's something more.
If one hacks a machine on the network (that is so unsecure), a sniffer will
do, as an unsecure network sure uses telnet instead of ssh and so on.

---
Bogdan Zapca System Administrator
SC EcoSoft SA Internet Service Provider
1-7 Deva st, Cluj-Napoca, Romania Tel: +40 64 199696
PGP: http://www.itotal.ro/lupe@xxxxxxxxxxxxxxxxxxxxx
http://www.ecosoft.ro

On Wed, 16 Aug 2000, Stefan Suurmeijer wrote:

> On Wed, 16 Aug 2000, Bogdan Zapca wrote:
>
> >
> > Much ado about nothin', I think.
> > Roman is right. If an attacker has access to your encrypted password
> > there's nothing to worry about, you've been hacked.
> > If one sets up a good security policy (tcp wrappers, firewall, user
> > access) there's nothing to worry about cracked passwords. Using something
> > like shadow works just fine. You could even set up a plain text password
> > file instead of crypt, md5, blowfish and others.
> >
>
> Yes, but it's the difference between one host being hacked and an entire
> network. I don't know about your network of course, but on ours there are
> A LOT of hosts, some of which are even maintained by users (much to my
> horror and disgust ;-)). What about a user who decides he wants to use
> Linux and installs a default installation of say RedHat 4.2 (because he
> had that lying around anyway) and makes his (registered Windows
> host) multi boot, so suddenly you have a linux machine on your net that is
> so full of holes you could drive a truck through it. Of course the user
> uses the same password on it that he uses on all other university
> systems. No need for inconvenience eh? ;-). Then I would very much prefer
> that the passwords would be encrypted by an algorithm that takes the
> hacker (who gained root on the new machine in about 5 minutes) some weeks
> to crack, because by that time the user's password will have changed
> again.
> And believe me, these users do exist (although not for long after we
> discover what they did ;-)).
>
> > Please, do add an "IMHO" at the beginning of each sentence.
> >
>
> Stefan
>
>


