Re: Did I give up on telnet too easily?

From: Peter T. Breuer (ptb_at_oboe.it.uc3m.es)
Date: 10/11/03


Date: Sat, 11 Oct 2003 20:57:59 +0200

In comp.os.linux.networking Marcus Lauer <reply@via.newsgroup> wrote:
> Peter T. Breuer wrote:
> > No, it's YOU who can't think in this instance. Quit being annoying. AC
> > may be an idiot on many things, and quite possibly on this too, but
> > there's no need to act like an even bigger half-wit in reply.
>
> Okay, hold on. If you're saying that some process, be it a daemon or just
> some program called as part of the login process, changes a user's password
> after they login, then fine. Yes, I can see how that works. What I don't

Good. You got it. Yes, the standard trick is to "sacrifice" a password
at each telnet login. I do it quite often, since I log in from all over
the world sometimes from kiosks that seem to have nothing but telnet
and no way to download putty. I prepare a second password before I
leave and as soon as I log in via telnet I swap in the prepared "other"
password line into /etc/passwd, using sudo with my shortly-to-be
invalid passwd. That's enough.

One can automate that, but I'm not as crazy as AC so I'm not going to
pretend I do. Nor am I going to suggest other wild schemes such as
changing the password randomly on login and leaving a url behind
for where to mail it to with pgp.

> understand is how that would create a usable system. Are we talking about
> having one-time passwords, e.g. where the user needs a new password every
> time they login?

Yes.

> I guess my problem is that I don't see that as being very usable. I also

It's quite usable, I assure you! I have to do it quite often!

> like this is the same sort of thing. Yes it can be done. It would also be
> a pain in the ass to use, could be done with ssh just as easily, and still

Except that you forget that you might not have ssh. I'm not quite such
a fool as to forget to prepare myself for that possibility. Or at least
not such a fool as to forget the lesson of experience, when I have
needed such a thing. I rig my mail with a one-time passwd too, that can
be used to execute arbitrary commands via mail (and if you think that's
an AC-like fantasy I'll show you the procmail stanza). Been there, done
that.

> assumes some things, e.g. that the user doesn't mistype one letter in an
> obvious password and a quick attacker doesn't take advantage of the
> situation.
>
> Now that I think about it, I admit that my reply wasn't very bright. But

That's OK. You proved you could think of the answer.

> next time, if you must reply to a dumb post, reply with facts, not insults.

I found that you were being insulting towards the truth, and did reply
with facts. I pointed out that you were wrong (a fact) and told you
that I would tell you how you could avoid the hole you set out if you
didn't get it (another fact, which I didn't have to potentiate, since
you got it).

> As far as I know, you may have no idea what you're talking about either!
> If you do know what you're talking about, God forbid that you should
> actually educate me, AC, and the rest of the newsgroup rather than just
> throwing around insults. I'm hardly a half-wit, guy. In fact, if what I
> wrote in the last two paragraphs is correct, then I'm the only one here
> who's actually demonstrated any understanding at all of how automatic
> password changing could be implemented and what some of the costs and
> benefits would be.

You are correct.

Peter
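The "sacrifice a password per telnet login" routine described in the post, as an added example that is not Peter's own script: a prepared replacement line (carrying a new hash, generated beforehand on a trusted machine with something like `openssl passwd -6`) is swapped into a copy of a passwd/shadow-style file once the user is logged in, so the password that just crossed the cleartext channel stops working. The file layout (colon-separated, username in field 1), the `rotate_passwd_line` and `passwd_line_for` names, and the sample entries are all assumptions constructed for the example; on a real system the swap would run under `sudo` against the real file.

```shell
#!/bin/sh
# Added example, not from the post. Swap a pre-prepared password-file line
# for one user into a passwd/shadow-style file (colon-separated, username in
# field 1). The replacement line, with its new hash, is produced beforehand on
# a trusted machine and only swapped in after the telnet login succeeded.

rotate_passwd_line() {
    file="$1"; user="$2"; newline="$3"

    # The prepared line must belong to the same account.
    case "$newline" in
        "$user:"*) ;;
        *) echo "prepared line is not for user '$user'" >&2; return 1 ;;
    esac

    # The account must exist exactly once in the file.
    n=$(awk -F: -v u="$user" '$1 == u { c++ } END { print c + 0 }' "$file")
    [ "$n" -eq 1 ] || { echo "expected one entry for '$user', found $n" >&2; return 1; }

    # Rewrite to a temp file, keep a backup, then replace atomically with mv.
    # The new line travels through the environment so awk does not interpret
    # backslashes or '$' inside the hash.
    tmp="$file.tmp.$$"
    NEWLINE="$newline" awk -F: -v u="$user" \
        '$1 == u { print ENVIRON["NEWLINE"]; next } { print }' "$file" > "$tmp" || return 1
    cp -p "$file" "$file.bak" && mv "$tmp" "$file"
}

# Print the stored line for a user (to check that the swap took effect).
passwd_line_for() {
    awk -F: -v u="$2" '$1 == u' "$1"
}

# Stand-alone demo on a constructed shadow-style file (not real credentials).
demo_file=$(mktemp)
printf '%s\n' 'root:*:12345:0:99999:7:::' \
              'ptb:$6$oldsalt$oldhash:12345:0:99999:7:::' > "$demo_file"
rotate_passwd_line "$demo_file" ptb 'ptb:$6$newsalt$newhash:12346:0:99999:7:::'
echo "after rotation: $(passwd_line_for "$demo_file" ptb)"
echo "backup keeps:   $(passwd_line_for "$demo_file.bak" ptb)"
rm -f "$demo_file" "$demo_file.bak"
```

The two checks before the rewrite (line is for the right user, user appears exactly once) are what keep a hurried swap from locking out the account or clobbering another entry; the backup copy is what lets the old hash be restored from a second session if the prepared line turns out to be malformed.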
