rick at linuxmafia.com
Thu Jan 17 19:06:28 GMT 2002
Oh, I forgot to mention:
> 3. I populate /etc/insecure/passwd with the requisite lines for
> my local UIDs, using hashes of really _bad_ passwords (like
> 4. Notify users that they can now POP their mail and ftp files
> in and out of their ~/ftp directories using their usual
> usernames but password (e.g.) "password".
> This allows people to use two of the three popular plaintext-
> authentication protocols with minimal disruption and without
> compromising system security.
The point of using really _bad_ passwords in /etc/insecure/passwd is as
1. Users gravitate towards simplicity.
2. It only takes one dumb-ass shell-user action to give the
bad guys shell access.
3. Therefore, if your users _can_ use /usr/bin/passwd to make
their ssh passwords and ftp/pop3 ones the same, at least one
dumb-ass _will_ do so, shooting your security initiative in the
But the system cracklibs will prevent even the dumbasses from doing
that, because they'll be prevented from specifying "password" or any
other really bad password for the shell password. Thus, the
distinctness of the user's two passwords will be automatically ensured.
"Is it not the beauty of an asynchronous form of discussion that one can go and
make cups of tea, floss the cat, fluff the geraniums, open the kitchen window
and scream out it with operatic force, volume, and decorum, and then return to
the vexed glowing letters calmer of mind and soul?" -- The Cube, forum3000.org
More information about the ILUG