[4240] in bugtraq
Re: Password problem in Trumpet Winsock.
daemon@ATHENA.MIT.EDU (Paul Melson)
Mon Apr 7 15:19:23 1997
Date: Mon, 7 Apr 1997 09:53:07 -0400
Reply-To: Paul Melson <melson@SCNC.HOLT.K12.MI.US>
From: Paul Melson <melson@SCNC.HOLT.K12.MI.US>
X-To: null@WEB.PIEDMONT.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199704062046.QAA03827@web.piedmont.edu> from null at "Apr 6,
97 04:39:27 pm"
> It is possible to open trumpwsk.ini, take the encrypted string for the
> $password= variable, and place it in the ppp-username= variable. This
> allows one to start up tcpman.exe, go to File > PPP Options and get the
> user's password.
Unfortunately, your end users are always going to be
the weakest link in your 'security chain' so to speak.
There are lots of possibilities, but it is probably a
good idea to authenticate your dial-up users and your
shell users separately, and discourage (if not prevent)
their using the same password in each case.
For those of you who are using Trumpet Winsock and
Trumpet TCPManager to do dial-up, you can prevent
the use of the $password variable by simply removing
it from the [default vars] heading of the TRUMPWSK.INI
file, and using a prompt in your LOGIN.CMD like this:
    if ![load $password]
      if [password "Enter your login password"]
      end
    end
I haven't seen a recent release of Trumpet Winsock,
so I don't know, but I think this might even be the
standard post-install configuration.
Paul
--
_____________________
melson@holt.k12.mi.us
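
An added example, not part of the original post: a small Python audit that reads a TRUMPWSK.INI and reports whether a $password value is still saved under [default vars], and whether the same encoded string also sits in ppp-username as the quoted report describes. Both sample files are constructed; the section that holds ppp-username, the other keys and the ENCODEDSTRING placeholder are assumptions.

```python
# Added example: audit a TRUMPWSK.INI for a stored dial-up password.
# Both samples are constructed; the section holding ppp-username and the
# other keys are assumptions, and "ENCODEDSTRING" is a placeholder value.
WEAK_INI = """\
[Trumpet Winsock]
ppp-username=ENCODEDSTRING
[default vars]
$username=jdoe
$password=ENCODEDSTRING
"""

FIXED_INI = """\
[Trumpet Winsock]
ppp-username=jdoe
[default vars]
$username=jdoe
"""


def parse_ini(text):
    """Map (section, key), both lower-cased, to the value string."""
    values, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[(section, key.strip().lower())] = value.strip()
    return values


def audit_trumpwsk(text):
    """Return findings: a saved $password, and its reuse as ppp-username."""
    values = parse_ini(text)
    findings = []
    stored = values.get(("default vars", "$password"), "")
    if stored:
        findings.append("stored $password in [default vars]")
        # The quoted report: the encoded string pasted into ppp-username.
        if any(k == "ppp-username" and v == stored for (_, k), v in values.items()):
            findings.append("ppp-username holds the encoded $password")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(name, audit_trumpwsk(ini) or "no stored password")
```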