At 02:41 PM 11/4/99 +1100, you wrote:
>Well, just so u know, and i'm no security buff, but the package
>doesn't support md5 passwords during the installation (or something
>like that)..  But when I install the SECURITY package it replaces
>programs such as 'su', 'login', 'passwd' and all such related files
>with SECURE versions, which actually use 1024-bit encrypted passwords.
>It even replaces in.telnetd so that the telnet connection itself is
>encrypted.  But it needs to be able to read the existing passwords
>to be able to update them to the new encrypted ones from what i can
>gather.  

OK, I'll bite.  What's this security package for?  

I don't think anyone questions the security of MD5 passwords against
ordinary crackers (i.e., those without supercomputers).  It is true that
passwords are the most common "weak link" but this is typically through
weak passwords (e.g., joe:joe) or sniffing.  So I don't understand why you
want to replace su, login, passwd, etc.

Now the new telnet client (to thwart sniffing) sounds neat but SSH seems to
be shaping up to be a standard and also seems to be widely used.  It is not
terribly expensive and free for non-commercial use.  And there is a
freeware version in the works.  And SSH2 supports FTP (telnet can be as
secure as you like, if unencrypted user FTP connections are allowed you'll
still be vulnerable).  And you realize that the telnet client has to
support the encryption?  So I guess you'll only be able to telnet in from
other Linux (UNIX?) machines that support that package.

-Alan
---
Alan D. Mead  /  Research Scientist  /  [EMAIL PROTECTED]
Institute for Personality and Ability Testing
1801 Woodfield Dr  /  Savoy IL 61874 USA
217-352-4739 (v)  /  217-352-9674 (f)

