Re: Did I give up on telnet too easily?
From: Peter T. Breuer (ptb_at_oboe.it.uc3m.es)
Date: Sat, 11 Oct 2003 20:57:59 +0200
In comp.os.linux.networking Marcus Lauer <firstname.lastname@example.org> wrote:
> Peter T. Breuer wrote:
> > No, it's YOU who can't think in this instance. Quit being annoying. AC
> > may be an idiot on many things, and quite possibly on this too, but
> > there's no need to act like an even bigger half-wit in reply.
> Okay, hold on. If you're saying that some process, be it a daemon or just
> some program called as part of the login process, changes a user's password
> after they login, then fine. Yes, I can see how that works. What I don't
Good. You got it. Yes, the standard trick is to "sacrifice" a password
at each telnet login. I do it quite often, since I log in from all over
the world sometimes from kiosks that seem to have nothing but telnet
and no way to download putty. I prepare a second password before I
leave and as soon as I log in via telnet I swap in the prepared "other"
password line into /etc/passwd, using sudo with my shortly-to-be
invalid passwd. That's enough.
One can automate that, but I'm not as crazy as AC so I'm not going to
pretend I do. Nor am I going to suggest other wild schemes such as
changing the password randomly on login and leaving a url behind
for where to mail it to with pgp.
> understand is how that would create a useable system. Are we talking about
> having one-time passwords, e.g. where the user needs a new password every
> time they login?
> I guess my problem is that I don't see that as being very useable. I also
It's quite usable, I assure you! I have to do it quite often!
> like this is the same sort of thing. Yes it can be done. It would also be
> a pain in the ass to use, could be done with ssh just as easily, and still
Except that you forget that you might not have ssh. I'm not quite such
a fool as to forget to prepare myself for that possibility. Or at least
not such a fool as to forget the lesson of experience, when I have
needed such a thing. I rig my mail with a one-time passwd too, that can
be used to execute arbitrary commands via mail (and if you think that's
an AC-like fantasy I'll show you the procmail stanza). Been there, done
> assumes some things, e.g. that the user doesn't mistype one letter in an
> obvious password and a quick attacker doesn't take advantage of the
> Now that I think about it, I admit that my reply wasn't very bright. But
That's OK. You proved you could think of the answer.
> next time, if you must reply to a dumb post, reply with facts, not insults.
I found that you were being insulting towards the truth, and did reply
with facts. I pointed out that you were wrong (a fact) and told you
that I would tell you how you could avoid the hole you set out if you
didn't get it (another fact, which I didn't have to potentiate, since
you got it).
> As far as I know, you may have no idea what you're talking about either!
> If you do know what you're talking about, God forbid that you should
> actually educate me, AC, and the rest of the newsgroup rather than just
> throwing around insults. I'm hardly a half-wit, guy. In fact, if what I
> wrote in the last two paragraphs is correct, then I'm the only one here
> who's actually demonstrated any understanding at all of how automatic
> password changing could be implemented and what some of the costs and
> benefits would be.
You are correct.
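The "sacrifice a password" step the post describes, written out as an added example; this is not the poster's script or the procmail stanza he mentions, and it is not code from the original thread. It assumes a hypothetical layout: a list of pre-generated crypt(3) hashes (made offline before the trip, e.g. with `openssl passwd -6` or `mkpasswd`), one per line, with the account name and the file paths passed as arguments so the same logic can be exercised on constructed copies rather than the real password file. The poster's 2003 system kept the hash in /etc/passwd; on a current system the path would be /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post: rotate to a prepared password
# immediately after a telnet login, consuming one pre-generated hash per login.
# Hypothetical usage on a real host (run via sudo, answering the prompt with the
# password that is about to be retired):
#   sudo sh rotate.sh /etc/shadow "$USER" /root/prepared-hashes-for-ptb
set -eu

# Print the hash field (field 2) of USER from a passwd/shadow-format file.
current_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Replace USER's hash field with NEWHASH, leaving every other line and field
# untouched.  awk rather than sed, because crypt(3) hashes contain '$' and '/',
# which are sed metacharacters.  Refuses to install a rewritten file that lost
# lines (e.g. disk full), since a truncated shadow file locks everyone out.
swap_hash() {
    file=$1 user=$2 newhash=$3
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$user" -v h="$newhash" \
        '$1 == u { $2 = h } { print }' "$file" > "$tmp"
    if [ "$(wc -l < "$tmp")" -ne "$(wc -l < "$file")" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$file"
}

# Pop the first unused prepared hash off LIST and delete it from the list, so a
# prepared password can never be handed out twice.  Fails when the list is empty.
next_prepared() {
    list=$1
    h=$(head -n 1 "$list")
    [ -n "$h" ] || return 1
    tmp="$list.tmp.$$"
    tail -n +2 "$list" > "$tmp" && mv "$tmp" "$list"
    printf '%s\n' "$h"
}

# The login-time step: consume one prepared hash and install it for USER.
rotate_on_login() {
    shadow=$1 user=$2 list=$3
    h=$(next_prepared "$list") || { echo "no prepared password left for $user" >&2; return 1; }
    swap_hash "$shadow" "$user" "$h"
}

# Stand-alone demo on constructed data; no real password file is touched.
# The hashes are placeholders in SHA-512 crypt form, not real password hashes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:$6$rootsalt$ROOTHASH:19000:0:99999:7:::' \
                  'ptb:$6$oldsalt$OLDHASH:19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' '$6$newsalt1$NEWHASH1' '$6$newsalt2$NEWHASH2' > "$d/prepared"
    echo "before: $(current_hash "$d/shadow" ptb)"
    rotate_on_login "$d/shadow" ptb "$d/prepared"
    echo "after:  $(current_hash "$d/shadow" ptb)"
    echo "prepared hashes left: $(wc -l < "$d/prepared")"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
    "")   ;;                        # sourced or run bare: define functions only
    *)    rotate_on_login "$@" ;;   # SHADOWFILE USER PREPARED-LIST
esac
```

Two caveats a practitioner would add. First, `mv` installs the temp file with the owner and umask of whoever ran the script, so on a real host one would run it as root and fix the mode afterwards, or simply feed the prepared hash to `chpasswd -e` or edit with `vipw`, which handle locking and permissions. Second, the swap only shortens the life of the password that crossed the wire in the clear: the sudo prompt and everything else typed in that telnet session are still visible to whoever is watching, and the prepared-hash list is itself a credential that must live somewhere an attacker on the kiosk cannot read.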