login security

eric%cit-vax at sri-unix.UUCP eric%cit-vax at sri-unix.UUCP
Thu Jun 30 06:59:17 AEST 1983


Re: the idea of using smtp to find out valid usernames: many sites  have
finger servers running, and many others have password-less  logins  like
"who" and "finger". Our system records login attempts from  the  arpanet
and several times I have seen a successful "who" login  followed  by  an
unsuccessful login attempt for each of  the  users  already  logged  in!
Thus, to prevent a bad guy from easily getting usernames, out go  finger
servers and "informational" login names. What we have instead is a setup
whereby a file giving the sites that  each  user  can  log  in  from  is
checked by login and by ftp. Since most users do not access the  machine
from other sites, most users are not allowed to at all. Also, login  and
ftp refuse to allow a login from the net if the password is less than  6
characters EVEN IF IT IS CORRECT. In retrospect, I am  glad  I  put  all
this stuff in, because there are several  spurious  attempts  every  day
(particularly, I might add, from somewhere on the ucb-ether network).

				      - Eric Holstege
					(eric at cit-vax)
					(...ucbvax!cithep!citcsv!eric)



More information about the Comp.unix.wizards mailing list