Firewall Wizards mailing list archives
RE: Stanford break in
From: "Ames, Neil" <NAmes () anteon com>
Date: Thu, 22 Apr 2004 16:46:52 -0400
Ron, Your gripe with HP is that they should have given you shadow passwords by default instead of only when you switched to Trusted mode--never allowing you to store your crypt-ed passwords in /etc/passwd--right? (That's Solaris behavior out of the box, isn't it?) I have *only* worked in the TCB environment, and don't see it as that big a hassle (any worse that DEC's or IBM's)--though they're all a bit of pain. --Fritz -----Original Message----- From: R. DuFresne [mailto:dufresne () sysinfo com] Sent: Thursday, April 22, 2004 1:11 PM To: Carric Dooley Cc: Chuck Vose; firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] Stanford break in
Network synced passwords are the only way to manage a large number of users. If you have 10 workstations and 1 server, it might be fine to
have
no network directory, but with 300,000 users, I would say it's
impossible.
I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. (notice the
conspicuous absence of NIS, and I wanted to leave out AD, but it seems
to
be unavoidable these days.
HP made this usless, unless they have finally enabled a shadow setup in new versions of the OS. We played the single sing-on game at nortel, and played with password cracking and all that, but, since 80% of the servers were hp's and they lacked any seperation of passwords from the required /etc/passwd file, users wanting to up their privs on a system just took copies of the /etc/passwd file home and cracked to the point they felt they needed. And our CISSP's spent alot of time putting together all these metrics on strong passwords and how effective they were making security of the network, without facing the reality of the 80% exposure faced. HP folks a few years ago hinted that HP was going to change theit OS to include shadow password implimentations, but, I've long since moved on and these days don;t have to play on much but SUN's and AIX systems, so I do not know if they have something beside the horrid TCB that would break most interal apps for companies and require alot of retrofitting. Thanks, Ron DuFresne -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Stanford break in, (continued)
- RE: Stanford break in Carric Dooley (Apr 23)
- RE: Stanford break in Victor Williams (Apr 23)
- Re: Stanford break in mlh (Apr 23)
- Re: Stanford break in Luca Berra (Apr 23)
- Re: Stanford break in Chuck Vose (Apr 22)
- Re: Stanford break in Adam Shostack (Apr 22)
- Re: Stanford break in Carric Dooley (Apr 23)
- Passwords (was: Stanford break in) Ben Nagy (Apr 23)
- Re: Stanford break in Paul D. Robertson (Apr 22)
- RE: Stanford break in Carric Dooley (Apr 23)
- RE: Stanford break in Paul D. Robertson (Apr 23)
- RE: Stanford break in Vin McLellan (Apr 26)
- Re: Stanford break in Adam Shostack (Apr 23)
- Re: Stanford break in Bennett Todd (Apr 23)
- Re: Stanford break in Paul D. Robertson (Apr 23)
- Re: Stanford break in m (Apr 28)