Full Disclosure mailing list archives

Re: Re: Re: Re: open telnet port

From: ktabic <lists () ktabic co uk>
Date: Sat, 11 Sep 2004 22:04:44 +0000

On Fri, 2004-09-10 at 14:16 -0700, Andrew Farmer wrote:

Given that above description, there is no mention of anybody sending
anything that even looks like a password over the net in plain text.
Of course, most people would be, but not everyone.
You are also presuming that the root account even requires logging in,
which is also not nessercary.


What, are you advocating that we set our root accounts to not require
a password to log in?


*sigh* Who said anything about root accounts with no passwords? Or is
that just the limit that you can go to? An why even use the root
account? Attempted root logins can be used as an indicator that
something (or someone) is trying to gain access. And it is a generally
unwise idea to log in as root, especially remotely. You might break you
system and not be able to fix it. Which is precisly how we got to this
topic in the first place.
There are other ways you know.
(Point of fact, of the triad of authentification systems, something you
know, something you have and something you are, something you know is
the worse of them, and if you are *really* intrested in secure logins,
with or without encryption, you don't just use something you know)

There is nothing wrong with plain text at all, in most circumstances.
It's just that *everyone* has presumed that passwords that are a) 
reused
for the next session and b) the root one, will be sent in plain text.


As far as I know, there are no current Telnet server implementations 
that
will encrypt login passwords (or other passwords entered during the 
login
session: the user's password for su or sudo, gpg passphrases, ...)

Ah, you are so close! sudo doesn't always need a password, btw.
And that isn't just the limit, either. Ever tried OPIE?

Of course, if you know you are sending in plain text, you take steps to
make sure that nothing critical is transmitted in the first place,
which, imho is a better situation than relying totally on the fact you
are encrypted, which may or may not be true.


Not plaintext === encrypted.

What are you trying to say here?


Should be easy enough. Plaintext == not encrypted, however, plaintext
doesn't mean critical information being passed across the net in the
first place. See where I'm coming from now? It always struck me as an
easy enough concept.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Re: Re: open telnet port, (continued)
- - - Re: Re: Re: open telnet port Kenneth Ng (Sep 09)
    - Re: Re: Re: open telnet port Volker Tanger (Sep 09)
    - Re: Re: Re: open telnet port Dave Ewart (Sep 09)
    - Re: Re: Re: Re: open telnet port ktabic (Sep 10)
    - Re: Re: Re: Re: open telnet port Andrew Farmer (Sep 10)
    - Re: Re: Re: Re: open telnet port Gary E. Miller (Sep 10)
    - Re: Re: Re: Re: open telnet port Andrew Farmer (Sep 10)
    - Re: Re: Re: Re: open telnet port Gary E. Miller (Sep 11)
    - Re: Re: Re: Re: open telnet port Andrew Farmer (Sep 11)
    - Re: Re: Re: Re: open telnet port Gary E. Miller (Sep 12)
    - Re: Re: Re: Re: open telnet port ktabic (Sep 11)
    - Re: Re: Re: open telnet port Barry Fitzgerald (Sep 09)
    - Re: Re: Re: open telnet port Raj Mathur (Sep 09)
    - Re: Re: Re: open telnet port Barry Fitzgerald (Sep 10)
    - Re: Re: open telnet port A.J. (Sep 09)
- Re: open telnet port harry (Sep 07)
- Re: open telnet port cel0x (Sep 07)
- Re: open telnet port A.J. (Sep 07)
- Re: open telnet port David Huecking (Sep 07)
- Re: open telnet port Kenneth Ng (Sep 07)
- Re: open telnet port Riccardo Pizzi (Sep 07)

(Thread continues...)