[36] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Piers Cawley)
Tue Mar 7 07:35:19 1995
Date: Tue, 7 Mar 1995 10:29:50 +0000 (GMT)
From: Piers Cawley <pdcawley@ftech.co.uk>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0rlqfM-000xCVC@hq.jcic.org>
Reply-To: linux-security@tarsier.cv.nrao.edu

On Mon, 6 Mar 1995, Daniel Hollis wrote:
> Indeed. We run an ISP and have around 250 accounts. It doesn't take much
> for an outsider to coerce one of your newbie users to send them a copy of
> /etc/passwd by telling them to "/dcc send dork /etc/passwd" from IRC.

Consider running as a slip/ppp only site... We don't give our users shell
accounts at all (and the telnet/rlogin ports are blocked out by our
routers), they get thrown straight into pppd/diplogin so they don't get
to go near our /etc/passwd file -- a telnet connection throws them
straight into /sbin/passwd, which I'm probably going to replace with
something a little more proactive and less prescriptive than the version
in the shadow suite.

Piers Cawley -- Systems Sheriff on the Frontier Internet Service
Frontier Internet -- Sellers of Web Space and Internet Connectivity
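
An audit of the two exposures this thread discusses (hashes left in a world-readable /etc/passwd, and accounts that still get an interactive shell), as an added example that is not part of the original message. The function name, the full paths for pppd and diplogin, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Login-program paths below are assumptions; adjust per site.
ALLOWED_SHELLS="${ALLOWED_SHELLS:-/usr/sbin/pppd /usr/sbin/diplogin /sbin/passwd}"

# audit_passwd [FILE...]: read passwd-format lines (stdin if no FILE) and report
#   HASH_IN_PASSWD    field 2 holds a hash instead of the shadow marker "x"
#   EMPTY_PASSWORD    field 2 is empty (no password required)
#   INTERACTIVE_SHELL field 7 is not an allowed dial-up program or a no-login stub
audit_passwd() {
    awk -F: -v allowed="$ALLOWED_SHELLS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    NF != 7 { printf "MALFORMED line %d\n", NR; next }
    {
        user = $1; pw = $2; shell = $7
        if (pw == "")
            printf "EMPTY_PASSWORD %s\n", user
        else if (pw != "x" && pw != "*" && pw !~ /^!/)
            printf "HASH_IN_PASSWD %s\n", user
        if (shell == "") shell = "/bin/sh"   # empty field 7 means /bin/sh
        if (!(shell in ok) && shell !~ /(nologin|false)$/)
            printf "INTERACTIVE_SHELL %s %s\n", user, shell
    }' "$@"
}

# Constructed sample entries (not from any real system); the hash is a placeholder.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:CONSTRUCTEDHASH1:1001:100:Alice:/home/alice:/usr/sbin/pppd
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/usr/sbin/diplogin
dave::1004:100:Dave:/home/dave:/usr/sbin/pppd
daemon:*:2:2:daemon:/sbin:/usr/sbin/nologin
EOF
}

sample_passwd | audit_passwd
```

On a real host, run `audit_passwd /etc/passwd`; administrative accounts such as root will be listed under INTERACTIVE_SHELL and need to be reviewed rather than changed blindly.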