How secure is UNIX? (Re: Stupid man pages)
Jonathan I. Kamens
jik at athena.mit.edu
Thu Jun 7 07:46:07 AEST 1990
In article <720015 at hpclapd.HP.COM>, defaria at hpclapd.HP.COM (Andy
DeFaria) writes:
|> I'm no security guru on Unix but it seems to me that the way around this
|> problem would be to remove this silly restriction and allow ftp (and
|> others?) to send encrypted passwords to the other host.
I thought I already explained this. Sigh.
Let's assume that what you said is possible. In that case, I do the
following:
1. Log into your machine.
2. Grab the encrypted password for root out of the (publicly readable)
/etc/passwd.
3. "Ftp localhost".
4. Use username "root", and the encrypted password I've already snarfed.
Presto, I've just ftp'd as root, without ever knowing the root password!
There is a fundamental concept you're missing -- the act of encrypting
the password and comparing it to the password in /etc/passwd is the
authentication; if you don't do the encryption, you haven't proven anything.
(How many times am I going to have to explain this?)
Jonathan Kamens USnail:
MIT Project Athena 11 Ashford Terrace
jik at Athena.MIT.EDU Allston, MA 02134
Office: 617-253-8495 Home: 617-782-0710
More information about the Comp.unix.questions
mailing list