new password idea
John F Haugh II
jfh at rpp386.cactus.org
Fri Apr 26 09:19:30 AEST 1991
In article <1991Apr25.000323.7702 at mp.cs.niu.edu> bennett at mp.cs.niu.edu (Scott Bennett) writes:
> Of course. One cannot, it would seem, have it both ways. Therefore,
>one must choose the lesser of the evils. In our shop, we have taken the
>view that denial is better than unauthorized access because denial of
>access leaves everything intact, whereas that cannot be guaranteed in
>the case of unauthorized access.
One can have it both ways - define accounts that may only be accessed
from secure ports, but which have no login failure limit. These accounts
can't be attacked from outside the system since even knowing the privileged
password won't yield a login, though being logged in and trying "su" might.
Denial of service is no longer an issue for those accounts, and the
hacker now needs access to some "secure" port, which presumably we are
able to protect, just as we protect our disks and tapes and CPU cabinets.
There are ways to defang the denial of service boogey man - timeouts on
restrictions, changing the restriction to being based on the port that
is being attacked, slowing down the login process so that it still
works but just takes longer, etc. The notion behind this scam is that
we want to deny the hacker an unlimited number of trials at the
authentication process. Any way you do this is fair, outright login
denial is just the lazy way out.
--
John F. Haugh II | Distribution to | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh at rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
rest of the Constitution, gun ownership would be mandatory."
More information about the Comp.unix.internals
mailing list