Path: utzoo!attcan!uunet!snorkelwacker!spdcc!ima!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <396@minya.UUCP>
Date: 9 Jun 90 18:28:09 GMT
References: <1990Apr21.222928.24498@Solbourne.COM>
Followup-To: alt.security,comp.protocols.tcp-ip
Lines: 37

In article <1990Apr21.222928.24498@Solbourne.COM>, imp@dancer.Solbourne.COM (Warner Losh) writes:
>
> In article <6703@blake.acs.washington.edu>
> mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes:
> >... There are lessons to be learned, starting with the
> >abolishment of /etc/passwd and user access to the encryption
> >algorithm.
>
> Sorry. There are too many passwd files out there to do this. Shadow
> files might help, but then again they might not.

Logistics isn't the only problem; an unreadable password file can
decrease security in some situations. I've written several packages
that, when talking across a comm line that needs extra security, will
occasionally say, in effect, "I'm not sure you are who you claim to
be; please type your password: " On a system with an unreadable
encrypted password, the application (which isn't running as
super-user) is denied read access and can't check the password for
validity. So when the software is ported to such systems, this
checking normally just gets #ifdeffed out (so we can get the
application delivered on time ;-).

Now it's true that there are other solutions possible. But until they
are available, what do you suggest I and other developers without
access to the kernel do? Remember that we're all trying to get
products out the door, and most of us aren't security experts.

What usually happens, in fact, is that such applications have their
own encrypted-password file, but since it was set up by non-experts
in security, it is even less secure than /etc/passwd ever was.
--
Uucp: ...!{harvard.edu,ima.com,mit-eddie.edu}!minya!jc (John Chambers)
Home: 1-617-484-6393
Work: 1-508-952-3274
Cute-Saying: It's never too late to have a happy childhood.