Return to BSD News archive
Received: by minnie.vk1xwt.ampr.org with NNTP id AA531 ; Thu, 04 Feb 93 16:00:34 EST Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!yale.edu!ira.uka.de!Germany.EU.net!news.Hamburg.Germany.EU.net!abqhh!encap.hanse.de!not-for-mail From: maverick@encap.hanse.de (Jan-Oliver Neumann) Newsgroups: comp.unix.bsd Subject: *Big* security leak for users w/o crypt. Date: 2 Feb 1993 18:59:55 +0100 Organization: Hanse Networking e.V., Hamburg, Germany. Lines: 20 Message-ID: <1kmcqrINN4l@encap.hanse.de> NNTP-Posting-Host: encap.hanse.de Hello. Although a system w/o a working version of crypt() (it was excluded from the 386BSD Distributions because of U.S. export regulations) is already insecure, anyone can now login as "bin" or "daemon". The passwords of these accounts contain a "*" that is not used by the DES algorithm. So nobody can login as "bin" or "daemon" if the DES encryption is included. But for a system w/o crypt(), anybody can enter "*" as the password and will be logged in. So, I strongly recommend that you don't but a 386BSD w/o crypt() on a dial-up line. (Actually, also without this leak you shouldn't do that, either). Greetings, Jan PS: I'm using pcvt, but I don't think the keyboard driver has any impact on this. -- Jan-Oliver Neumann <maverick@encap.hanse.de> Gegen Rassismus und Extremismus ------------------- Against racism and extremism XXXXXXXXXXXXXXXXXXXXX Kopiere mich in deine Signature XXXXXXXXXXXXXXXXXXXXXXXXXX