*BSD News Article 10795



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA699 ; Sat, 06 Feb 93 22:01:31 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!clark!serval!news.u.washington.edu!usenet.coe.montana.edu!saimiri.primate.wisc.edu!sdd.hp.com!swrinde!cs.utexas.edu!geraldo.cc.utexas.edu!geraldo.cc.utexas.edu!usenet
From: vax@ccwf.cc.utexas.edu (Vax)
Newsgroups: comp.unix.bsd
Subject: Re: *Big* security leak for users w/o crypt.
Date: 5 Feb 1993 07:31:51 GMT
Organization: The University of Texas at Austin, Austin TX
Lines: 19
Message-ID: <1kt557INN2mp@geraldo.cc.utexas.edu>
References: <1kmcqrINN4l@encap.hanse.de> <1kshqiINN3gv@stimpy.css.itd.umich.edu>
NNTP-Posting-Host: sylvester.cc.utexas.edu

In article <1kshqiINN3gv@stimpy.css.itd.umich.edu> pauls@css.itd.umich.edu (Paul Southworth) writes:
>In article <1kmcqrINN4l@encap.hanse.de> maverick@encap.hanse.de (Jan-Oliver Neumann) writes:
>
>Maybe this is an ignorant comment, but since the * is the password, and
>*with* DES these accounts can be accessed via an su by a process like
>cron running with uid 0 (thereby bypassing the need for a password with
>the su) one could just as easily change the password to something other
>than *, right?
>
Hmm.  Or you could get a crypt that doesn't use DES, like I think Coherent
uses a rotor-machine algorithm.  They are fairly secure; even though the
Enigma was broken during WWII, it should still serve against casual intruders.
Or make something similar.  It shouldn't be too hard.  It's not like you
will keep out a guru or cryptographer anyway.  Depends on how much security
you need.

-- 
Protect our endangered bandwidth - reply by email.  NO BIG SIGS!
VaX#n8 vax@ccwf.cc.utexas.edu - finger for more info if you even care.