Path: utzoo!attcan!ram
From: ram@attcan.UUCP (Richard Meesters)
Newsgroups: comp.unix.questions
Subject: Re: How secure is UNIX?
Keywords: Security, ftp
Message-ID: <11513@vpk1.UUCP>
Date: 29 May 90 17:45:38 GMT
References: <100928@<1990May23> <9000030@m.cs.uiuc.edu> <1990May29.124526.13935@athena.mit.edu>
Organization: AT&T Canada Inc., Toronto
Lines: 44

In article <1990May29.124526.13935@athena.mit.edu>, jik@athena.mit.edu (Jonathan I. Kamens) writes:
> In article <36584@ucbvax.BERKELEY.EDU>, lauther@janus.Berkeley.EDU
> (Ulrich Lauther) writes:
> |> I just wonder why the same technique is not used with .netrc as with
> |> /etc/passwd: have the file readable, but sensitive parts encrypted?
>
> Because this makes the .netrc file useless for its intended purpose.
>
> The .netrc file is meant to save you the effort of typing your
> password when you ftp to another host, or to allow you to use ftp in a
> shell script without you there to watch it.
>
> At some point, ftp has to be able to send your password in cleartext
> over the network to the other host (that, in itself, is of course a
> security hole, but what the hell, it isn't *too* painful to assume that
> your network is secure :-). An encrypted password simply isn't good enough.

The point is, however, valid. If you are going to use a .netrc, why can't it
be more like the passwd system? This merely means that the ftp program must
provide the facilities for encryption/decryption of the password, rather than
leaving it up to the user to do so himself.

Using a .netrc, or any type of script to save the effort of typing in a
password when going between systems, is not only lazy but stupid. The idea of
a password is, after all, to provide a measure of security to your data, and
the system. Automating the process negates any good effect this might have.

One other point. I'm not too sure, but since Dan was burned twice, is it true
then that he must have had the same password combination used for several
different machines (or at least two)? Couldn't the damage have been
minimalized by having different .netrc/passwords for each machine?

Regards,

------------------------------------------------------------------------------
Richard A Meesters                |
Technical Support Specialist      |     Insert std.logo here
AT&T Canada                       |
                                  |     "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters    |      to mind...clean up your act"
UUCP:  ...att!attcan!ram          |
------------------------------------------------------------------------------
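
Added example, not part of the original post: a Python audit for a cleartext .netrc that checks the two exposures the thread turns on, whether the file is accessible to group or others, and whether one password is reused across machine entries (the question raised at the end of the post). Host names, logins and passwords are constructed, and the parser is simplified on the assumption that the file has no macdef blocks or quoted tokens.

```python
import os
import stat
import tempfile
from collections import defaultdict

# Constructed sample: two machines share one password, one does not.
SAMPLE = (
    "machine alpha.example.com login dan password hunter2\n"
    "machine beta.example.com login dan password hunter2\n"
    "machine gamma.example.com login dan password s3parate\n"
)


def parse_netrc(text):
    """Map machine -> password (simplified: no macdef or quoted tokens)."""
    passwords, machine = {}, None
    tokens = iter(text.split())
    for tok in tokens:
        if tok == "default":
            machine = "default"
        elif tok in ("machine", "login", "account", "password"):
            value = next(tokens, None)  # consume the keyword's argument
            if tok == "machine":
                machine = value
            elif tok == "password" and machine and value:
                passwords[machine] = value
    return passwords


def audit_netrc(path):
    """Report loose file permissions and passwords shared between machines."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        by_password = defaultdict(list)
        for machine, password in parse_netrc(fh.read()).items():
            by_password[password].append(machine)
    reused = sorted(sorted(m) for m in by_password.values() if len(m) > 1)
    return {"exposed_to_others": bool(mode & 0o077), "reused_across": reused}


def demo(mode):
    """Write SAMPLE to a temporary .netrc with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".netrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_netrc(path)
```

Calling `demo(0o644)` and `demo(0o600)` shows the same reuse finding with and without the permission exposure; the report lists machine names only and never echoes a password.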