Oh, I forgot to mention:
> 3. I populate /etc/insecure/passwd with the requisite lines for
> my local UIDs, using hashes of really _bad_ passwords (like
> "password").
> 4. Notify users that they can now POP their mail and ftp files
> in and out of their ~/ftp directories using their usual
> usernames but password (e.g.) "password".
>> This allows people to use two of the three popular plaintext-
> authentication protocols with minimal disruption and without
> compromising system security.
The point of using really _bad_ passwords in /etc/insecure/passwd is as
follows:
1. Users gravitate towards simplicity.
2. It only takes one dumb-ass shell-user action to give the
bad guys shell access.
3. Therefore, if your users _can_ use /usr/bin/passwd to make
their ssh passwords and ftp/pop3 ones the same, at least one
dumb-ass _will_ do so, shooting your security initiative in the
foot.
But the system cracklibs will prevent even the dumbasses from doing
that, because they'll be prevented from specifying "password" or any
other really bad password for the shell password. Thus, the
distinctness of the user's two passwords will be automatically ensured.
--
"Is it not the beauty of an asynchronous form of discussion that one can go and
make cups of tea, floss the cat, fluff the geraniums, open the kitchen window
and scream out it with operatic force, volume, and decorum, and then return to
the vexed glowing letters calmer of mind and soul?" -- The Cube, forum3000.org
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
