Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!uupsi!sunic!ugle.unit.no!lilje.uib.no!eik.ii.uib.no!usenet From: sigurd@ii.uib.no (Sigurd Meldal) Newsgroups: comp.sys.mac.comm Subject: Re: TelNet File Protection??? Message-ID: <1991Apr23.072617.7975@eik.ii.uib.no> Date: 23 Apr 91 07:26:17 GMT References: <803.280d8689@zodiac.rutgers.edu> <6234@crystal.UUCP> Organization: Institutt for Informatikk, UiB, Bergen, Norge Lines: 43 In article <6234@crystal.UUCP> derosa@motcid.UUCP (John DeRosa) writes: >garrison@zodiac.rutgers.edu writes: > >>I've seen several posts refering to the security risks of telnet (in that if >>telnet is open, anyone can ftp over to your system and copy to their hearts >>content). Is it possible to, say, set the protection on certain applications >>and files so that they will be inaccessable to anyone logging into your >>system (or, better yet, invisible)? (But remain useable and visible to >>people actually using the Mac). This would enable us to just leave telNet >>open under multifinder. > >There are two distinct ways to prevent prying eyes. The first one will work >while the second way is better (IMHO). ... >2) In your config.tel, add the line passfile="ftppass". This tells >TelNet to look in your system folder for a file called ftppass that >contains passwords for ftp users. In this way, each person trying >to ftp to you Macintosh must supply a userid and a password, i.e. >they must log in. The ftppass file is created with the telpass >application that you should have gotten with TelNet. I have only one quibble with this one. Since the ftppass file is in a fixed location, any user which has ftp access may upload a new ftppass file, changing the set of user/password pairs. A slight (and sufficient?) improvement is to use a different name and/or location for the password file, not the default, and better yet, embed mac-specific characters in that name, e.g. a greek letter. That makes it harder for a potential miscreant in two way - she may not know what the password file is named, and secondly, if she did then it is not always obvious how to upload a new file since ftp seems only to use the standard 7 bit ascii character set, translating the 8 bit mac characters in names into 7 bit ascii (presumably just dropping a bit). When you change the filename, remember to change it in the config.tel file as well :-). Sigurd -- Department of Informatics | Arpa:sigurd@ii.uib.no Hoyteknologisenteret | meldal@anna.stanford.edu N - 5020 Bergen | Uucp: ...decwrl!glacier!shasta!anna!meldal Norway |