[19353] in bugtraq


Re: Fwd: Re: Login Failures under Solaris 2.7

daemon@ATHENA.MIT.EDU (bpowell@ENG.SUN.COM)
Fri Feb 23 13:14:36 2001

Message-Id:  <200102231539.HAA03710@olympics.Eng.Sun.COM>
Date:         Fri, 23 Feb 2001 07:39:20 -0800
Reply-To: bpowell@ENG.SUN.COM
From: bpowell@ENG.SUN.COM
X-To:         mblank@BOMBSHELTER.NET
To: BUGTRAQ@SECURITYFOCUS.COM

Okay, a side note just for clarification. Packages like ssh WILL NOT
log to loginlog, and neither will a Back Orifice or other shell sitting on
some bogus port. Only telnet and rsh/rlogin will get logged this way
(possibly things like ssh compiled to use /bin/login will work as well).

This is a good feature, but it doesn't stop a bad guy; it only logs the dumb ones.
Anyone wanting to bypass this will just try to log in four times, break the session
and re-establish a new session, thus resetting the count to five again.

Honestly, folks, have your customers use tokens (hard or soft) or one-time
passwords. The whole reusable, replayable password scheme was supposed to
be obsolete in 1979 (Unix writers figured it would last 10 years, so 1968 + 10
with a little fudge of a year = 1979). It is -way- past time we put it to
rest for good.

Brad
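The bypass Brad describes works because the counter lives inside one /bin/login session and starts from zero whenever the connection is re-established. The following is an added example, not code from the post or from Sun, that contrasts that per-session counter with a cross-session sliding window keyed on user and source address, which is what a defender would want to aggregate on. The event records, field layout, session ids and addresses are all constructed for illustration; the five-attempt threshold is the one the post attributes to /bin/login.

```python
# Added example: per-session failed-login counter versus a cross-session
# sliding window. Not from the original post; all events are constructed.
from collections import defaultdict, deque

# Constructed sample records: (epoch_seconds, session_id, user, source, result).
# Pattern from the post: four failures, drop the session, four more in a new
# session, and so on. No single session ever reaches five.
SAMPLE_EVENTS = [
    (1000, "s1", "root", "10.0.0.5", "fail"),
    (1002, "s1", "root", "10.0.0.5", "fail"),
    (1004, "s1", "root", "10.0.0.5", "fail"),
    (1006, "s1", "root", "10.0.0.5", "fail"),
    (1010, "s2", "root", "10.0.0.5", "fail"),
    (1012, "s2", "root", "10.0.0.5", "fail"),
    (1014, "s2", "root", "10.0.0.5", "fail"),
    (1016, "s2", "root", "10.0.0.5", "fail"),
    (1020, "s3", "root", "10.0.0.5", "fail"),
    (1022, "s3", "root", "10.0.0.5", "fail"),
    (1030, "s4", "alice", "10.0.0.9", "fail"),
    (1035, "s4", "alice", "10.0.0.9", "ok"),
]

PER_SESSION_LIMIT = 5  # threshold the post attributes to /bin/login (assumption)


def per_session_trips(events, limit=PER_SESSION_LIMIT):
    """Mimic a counter that lives inside one login session.

    Returns the session ids whose consecutive failure count reached `limit`.
    A new session id starts from zero, so the four-then-reconnect pattern
    never trips it.
    """
    counts = defaultdict(int)
    tripped = []
    for _ts, session, _user, _src, result in events:
        if result == "fail":
            counts[session] += 1
            if counts[session] == limit:
                tripped.append(session)
        else:
            counts[session] = 0  # successful login resets the count
    return tripped


def windowed_trips(events, window_seconds, threshold):
    """Count failures per (user, source) over a sliding time window,
    ignoring session boundaries.

    Returns (user, source, timestamp) for each point at which the number of
    failures inside the window reached `threshold`. The window is cleared
    after an alert so one burst produces one alert.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, _session, user, src, result in events:
        if result != "fail":
            continue
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            alerts.append((user, src, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    print("per-session trips:", per_session_trips(SAMPLE_EVENTS))
    print("windowed trips   :", windowed_trips(SAMPLE_EVENTS, 60, 5))
```

On the constructed sample the per-session counter reports nothing, while the 60-second window keyed on user and source fires twice for root from 10.0.0.5. The point is the choice of aggregation key and time window, not the threshold: any counter that resets with the session can be reset by the client.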
