Re: [cobalt-users] Admin/root password security hole
- Subject: Re: [cobalt-users] Admin/root password security hole
- From: jk@xxxxxxxxxxxx (Jens Kristian Søgaard)
- Date: Wed Apr 26 08:47:02 2000
Jonas Pasche <jonas@xxxxxxxx> writes:
> ...wasn't really meant to be installed next week. just another "bastard
> operator" attack after answering some phone calls like "i can't get my
> e-mail" - "what's the username of your account?" - "my... what?" :-)
Do you own a LART? :-)
> >The best way is to simply enforce good password methods. Don't let
> >users change their password into something "bad".
> i totally agree - that's the best way. but we're talking about cobalt
> servers, and that means we're not talking about "passwd" (because luckily
> most customers don't have shell access) but about the gui
And?
You can enforce good password methods using the GUI. It requires only
a simple change to the underlying code of the GUI. It breaks the
warranty of course - but who hasn't already?
> already know :-). what i meant was that it maybe would be a good idea to
> share some essentials with the cobalt users list, especially for those
If you are willing to do a small write up, I'll be glad to come with
my comments and additions, etc. afterwards. And if you agree, then it
can be put into the "Question and Answers" homepage I'm making for the
RaQ.
I'm trying to collect a lot of info on this page, so that you only
have to go one place to find it all. And also because people
_never_ search the archive before they ask this list...
> users who want more security than an out-of-the-box cobalt server has, but
> who don't want to read 800 pages just to get some basics. i know that
> reading those books is important, maybe essential, but IMHO you just can't
Well, you can get away with a lot of experience and reading
RFCs. That's more or less the way I have done with some issues.
For example the "DNS and BIND" book from O'Reilly. I only bought it
because Jeff Lassman argued so loudly for it :-) But when I read
it, I found no new information I didn't already have.
The process of me learning DNS and BIND has taken years. If I just
read the book, it would take less than a week. Books are smart!
But reading books is of course not everything...
--
Jens Kristian Søgaard,
jk@xxxxxxxxxxxx -- http://www.jksoegaard.dk/
Looking for something? -- http://www.google.com/
echo|perl -ple'$_+=4E-6*!int rand()**2+rand()**2while$i++-1E6'