Xref: utzoo alt.security:725 comp.protocols.tcp-ip:11520 alt.sys.sun:929
Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!mit-eddie!snorkelwacker!think!sdd.hp.com!uakari.primate.wisc.edu!aplcen!unmvax!sci.ccny.cuny.edu!cucard!dasys1!cooper!phri!sci.ccny.cuny.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!ucsd!ogicse!blake!Tomobiki-Cho!mrc
From: mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <6703@blake.acs.washington.edu>
Date: 3 Jun 90 07:25:37 GMT
References:
Sender: news@blake.acs.washington.edu
Organization: Mendou Zaibatsu, Tomobiki-Cho, Butsumetsu-Shi
Lines: 42

In article emv@math.lsa.umich.edu (Edward Vielmetti) writes:
>Despite the widespread use of anonymous FTP, the internet RFC's
>provide no guidelines to its use or configuration. The conventions
>that define anonymous FTP, its risks, and suggestions on how
>to set up a good FTP site should be collected in the form of
>an RFC on anonymous ftp.

Just as a matter of history, on Tenex and TOPS-20, userid ANONYMOUS could only write to the PS: directory (its home directory). ANONYMOUS could only read files that were on PS:, group-accessible to ANONYMOUS (generally never done), or world-readable.

Furthermore, passwords were never stored in any file readable by any user, even in encrypted form. The only way to read a password in any form (including encrypted) was to do a privileged system call. Anyone who could do this system call had already broken security (had the equivalent of root).

The operations which required passwords were system calls which took the user's attempted password in plaintext. The encryption algorithm was in the operating system and there was no specific function to return the encrypted form of a password (although with enough effort someone could find out what the encryption algorithm was).

Failed password attempts were counted, and an excessive failure rate was cause to bump the user off the system. Many systems considered *all* password attempts to be failures at some point before the bump-off point, so even a valid password would fail.

It worked pretty well. Most Tenex/TOPS-20 sites had warm fuzzy feelings about allowing ANONYMOUS and never had any security problems because of it.

There are lessons to be learned, starting with the abolishment of /etc/passwd and user access to the encryption algorithm.

Mark Crispin
mrc@CAC.Washington.EDU
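
The failure-counting scheme described in the post above, sketched as an added example (it is not part of the original post and is not Tenex/TOPS-20 code). Assumptions: the `PasswordGate` class, the per-session counter, the `SOFT_LIMIT`/`HARD_LIMIT` values and the use of PBKDF2 are all illustrative choices, and a simple failure count stands in for the "failure rate" the post mentions.

```python
import hashlib
import hmac
import os

SOFT_LIMIT = 3  # assumed: from this many failures on, every attempt is refused
HARD_LIMIT = 5  # assumed: at this many failures the session is dropped


class PasswordGate:
    """Accepts plaintext attempts only; has no call that returns a stored hash."""

    def __init__(self):
        self._users = {}     # user -> (salt, derived key), private to the gate
        self._failures = {}  # session id -> failed attempts so far

    @staticmethod
    def _derive(salt, password):
        # PBKDF2 is a stand-in here, not the algorithm the post refers to.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(salt, password))

    def attempt(self, session, user, password):
        """Return 'ok', 'fail' or 'disconnect' for one login attempt."""
        failures = self._failures.get(session, 0)
        if failures >= HARD_LIMIT:
            return "disconnect"
        # Unknown users get a dummy record so they cost the same work.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        matches = hmac.compare_digest(self._derive(salt, password), stored)
        # Past the soft limit even a correct password counts as a failure,
        # so a guesser cannot tell which late attempt was the right one.
        if matches and failures < SOFT_LIMIT:
            self._failures.pop(session, None)
            return "ok"
        failures += 1
        self._failures[session] = failures
        return "disconnect" if failures >= HARD_LIMIT else "fail"


def demo():
    """Constructed run: three wrong guesses, the right password, one more guess."""
    gate = PasswordGate()
    gate.enroll("guest", "correct horse")  # constructed account
    guesses = ["a", "b", "c", "correct horse", "d"]
    return [gate.attempt("s1", "guest", g) for g in guesses]
```

In `demo()` the fourth attempt carries the valid password but is still refused, because the session has already reached `SOFT_LIMIT`; the fifth failure ends the session.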