
Re: [cobalt-users] CGI Script Question



Zeffie wrote:

> To me this is a security problem.  If I know the usernames on a unix box
> then I'm halfway in.  All I need to do is guess the passwd or automate it
> to try lists of passwords. To me there is nothing in a username besides 3
> things to write down.  The site, username, and passwd.  Each domain can have
> its own alias for a user; even if bob's username is 12jj532, he can still get
> mail addressed to bob@xxxxxxxxxxx

I'm glad to see that we agree, Zeffie (and please refrain from
complaining about my "I agree" post until you finish reading <smile>).

I run several small ISPs and offer email services for others.  Most ISPs
want their user login-names to be the same as their dialup-login-names
and their email-address.  Most ISP users want their personal web-space
to be "http://users.isp.com/~username/" rather than
"http://users.isp.com/~12jj532".

So for these ISPs we run email on what we consider an "insecure" box on
which we store no sensitive information.  Yes, the mail can get
compromised, but nothing else in our system.  It's even on its own
subnet on a relatively slow connection, to make it hard for it to be
used to create a lot of damage.

If you've got a better suggestion, though, I'd like to hear it...

Something like implementing a POP3 server that reads a file besides
/etc/passwd, and an easy way to allow websites such as (forgetting the
"~" is probably okay in the long run) "http://users.isp.com/username/"
with a subdirectory system where "username" is the subdirectory of the
"web" directory and is the default login directory (via ftp daemon, I'd
guess) for user 12jj532.

Done anything like that, anyone?

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA  92517
voice: (909) 787-8589  *  fax: (909) 782-0205
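The virtual-user scheme Jeff sketches above (POP3 and FTP logins resolved from a table other than /etc/passwd, with the public alias mapped to an unguessable system account and to a per-user web subdirectory) as an added Python example; this is not code from the thread, and the table layout, the /home/web root and the sample account are assumptions made for illustration:

```python
"""Virtual-user lookup kept apart from /etc/passwd: the alias a POP3 or
FTP client logs in with ('bob') is the only name ever exposed, and the
system account it maps to ('12jj532') is not itself a valid login."""
import hashlib
import hmac
import os
from typing import Dict, NamedTuple, Optional, Tuple

WEB_ROOT = "/home/web"   # assumed directory behind http://users.isp.com/<alias>/
PBKDF2_ROUNDS = 100_000

class VirtualUser(NamedTuple):
    system_user: str   # real Unix account the daemon would switch to (assumed)
    salt: bytes
    pw_hash: bytes     # PBKDF2-HMAC-SHA256 of the password; plaintext never stored

def make_record(password: str, system_user: str, salt: Optional[bytes] = None) -> VirtualUser:
    """Build one table entry; a real deployment would read these from a file
    readable only by the mail/FTP daemons, never from /etc/passwd."""
    salt = salt or os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return VirtualUser(system_user, salt, pw_hash)

# Constructed sample table keyed by the public alias (the part before "@").
VIRTUAL_USERS: Dict[str, VirtualUser] = {
    "bob": make_record("correct horse battery", "12jj532", salt=b"\x00" * 16),
}

def valid_alias(alias: str) -> bool:
    """Aliases double as directory names, so keep them to plain lowercase
    alphanumerics: no '/', '..' or other path tricks can reach the filesystem."""
    return alias.isascii() and alias.isalnum() and alias == alias.lower()

def authenticate(alias: str, password: str) -> Optional[Tuple[str, str]]:
    """Return (system_user, home_dir) for a valid alias/password, else None."""
    user = VIRTUAL_USERS.get(alias) if valid_alias(alias) else None
    if user is None:
        # Burn a hash anyway so response time does not reveal whether an alias exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user.pw_hash):
        return None
    return user.system_user, f"{WEB_ROOT}/{alias}"

def web_dir(alias: str) -> Optional[str]:
    """Directory the web server serves for http://users.isp.com/<alias>/ and
    the FTP login root for that user; the system account name never appears."""
    return f"{WEB_ROOT}/{alias}" if valid_alias(alias) and alias in VIRTUAL_USERS else None
```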