Firewall Wizards mailing list archives

Re: Lotus Domino as an access control to internal network


From: Aleph One <aleph1 () dfw net>
Date: Fri, 6 Mar 1998 11:09:53 -0600 (CST)

On Thu, 5 Mar 1998, Rik Farrow wrote:

> Aleph One <aleph1 () dfw net> may have written:
> > The password only unlocks your RSA key. The session key is used to
> > exchange a randomly generated session key. There is no need for one time
> > passwords.

> True enough.  But when I last looked at Notes (about 8 months
> ago), I learned that Notes permits password guessing, adding a 30
> second delay with each failed attempt, but no lockout and no logging.
> Guessing the password using a dictionary attempt doesn't get you
> into Notes because RSA is also used.  However, users typically
> maintain the same password everywhere they login.  So using a Notes
> server to guess a user's password might provide access to other
> servers as well (for example, terminal servers with internal
> network access, but lockouts on password guessing).

Your statement does not make sense. How are you planning to guess the
password using a dictionary attack unless you also have the user's USER.ID
file? And if you have the USER.ID file and do guess the password, you have
already broken in.

> Regards,
> Rik

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
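The argument in the exchange above (the password only unwraps a key held in
the USER.ID file, the server authenticates by challenge-response against the
public key and never sees the password, so the only place a guess can be
checked is the ID file itself) as an added, runnable model. This is example
code written for this archive page, not Notes/Domino code and not the format
of a real USER.ID file: the RSA parameters are toy Mersenne primes, the key
wrapping (PBKDF2 plus an HMAC-derived keystream and tag) and the wordlist are
constructed for illustration, and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# Toy RSA parameters (assumption, constructed for this example): two Mersenne
# primes give a ~216-bit modulus, enough to run the protocol shape, nowhere
# near a safe key size.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
D_LEN = (N.bit_length() + 7) // 8   # bytes needed to store the private exponent
KDF_ITERATIONS = 50_000


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (illustrative, not a standard cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_id_file(password: str, private_exp: int, salt: Optional[bytes] = None) -> dict:
    """Model of a USER.ID-style file (hypothetical layout): the private exponent
    is wrapped under a key derived from the password; the tag lets the holder
    tell a right password from a wrong one."""
    salt = salt or os.urandom(16)
    wrap_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    plain = private_exp.to_bytes(D_LEN, "big")
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(wrap_key, D_LEN)))
    tag = hmac.new(wrap_key, cipher, hashlib.sha256).digest()
    return {"salt": salt, "cipher": cipher, "tag": tag, "n": N, "e": E}


def unlock_id_file(id_file: dict, password: str) -> Optional[int]:
    """Return the private exponent if the password is right, else None.
    This tag check is the only password oracle anywhere in the system."""
    wrap_key = hashlib.pbkdf2_hmac("sha256", password.encode(), id_file["salt"], KDF_ITERATIONS)
    expected = hmac.new(wrap_key, id_file["cipher"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, id_file["tag"]):
        return None
    plain = bytes(a ^ b for a, b in zip(id_file["cipher"], _keystream(wrap_key, D_LEN)))
    return int.from_bytes(plain, "big")


# Server side: textbook RSA challenge-response. The server holds (n, e) only and
# never receives the password, so it cannot be used to test password guesses;
# it can only tell whether the client holds the private key.
def server_challenge(n: int) -> int:
    return secrets.randbelow(n)


def client_sign(challenge: int, private_exp: int, n: int) -> int:
    return pow(challenge, private_exp, n)


def server_verify(challenge: int, signature: int, n: int, e: int) -> bool:
    return pow(signature, e, n) == challenge


def offline_dictionary_attack(id_file: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """With the ID file in hand every guess is checked locally: no server round
    trip, no per-attempt delay, no log entry. Returns (password, attempts)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if unlock_id_file(id_file, guess) is not None:
            return guess, attempts
    return None, len(wordlist)


def demo() -> Tuple[Optional[str], int]:
    id_file = make_id_file("Tr0ub4dor", D)
    # Legitimate login: unlock the key with the password, answer the challenge.
    key = unlock_id_file(id_file, "Tr0ub4dor")
    c = server_challenge(N)
    assert key == D and server_verify(c, client_sign(c, key, N), N, E)
    # Constructed wordlist (assumption): the real password is the sixth entry.
    words = ["password", "letmein", "notes", "domino", "secret", "Tr0ub4dor", "qwerty"]
    return offline_dictionary_attack(id_file, words)


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: the server-side 30-second delay only
matters if the server is the thing checking the password, and here it is not.
Once an attacker has the USER.ID file, the wrap-tag check runs as fast as the
KDF allows, which is why the cost of that KDF (and not a server-side delay) is
what bounds a dictionary attack on a key file.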
