Ok, for starters I have no choice.  This security package, which is
called SRP (Secure Remote Passwords), is being used as part of an
internet solution my company is deploying.  The boss wants it working,
so it's my job to get it working.  And don't anyone suggest that I try
and change his mind; I gave up on trying things like that long ago.  But
the main reason we are doing it is because the Windows client that
is being used supports the SRP encrypted telnet sessions.

I've also just been told that the reason md5 has to be disabled is
because the chk_pwd program does not understand the PAM password
scheme yet.  Now, what package this chk_pwd program is part of, I
don't know, as I don't think it's part of SRP.  And as far as I can
tell, the su, login and passwd programs that are part of SRP still
support md5 and are only replaced so that support for SRP
encrypted passwords can be added.  These passwords are also kept
in a separate file and used in parallel with /etc/passwd.
/etc/passwd is not replaced.

Also, SRP does support FTP sessions as well.  Hope this makes things
a little clearer.

Jamie
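To make concrete what the "separate file used in parallel with /etc/passwd" holds, here is an added example (not code from the thread or from the SRP package) of an SRP-6a style exchange in Python: the server stores only a salt and a verifier, and both ends derive the same session key without the password crossing the wire. The group parameters (Mersenne prime 2^521-1, g=3) and the hypothetical `enroll`/`srp_exchange` helpers are toy choices for checkable arithmetic, not the standard SRP groups or the package's own API.

```python
# Added example: SRP-6a style exchange in pure Python (illustrative only).
# Toy group: M521 is prime, but this is NOT a standard SRP group; real
# deployments use vetted groups and a vetted library.
import hashlib
import secrets

N = (1 << 521) - 1   # toy prime modulus (Mersenne prime 2^521-1)
G = 3                # toy generator

def H(*parts):
    """Hash byte strings together and interpret the digest as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def i2b(x):
    """Big-endian bytes of a non-negative integer (at least one byte)."""
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def private_key(username, password, salt):
    # x = H(salt | H(username ":" password)), as in SRP
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password, salt=None):
    """Server-side record (salt, verifier): this is what the SRP password
    file holds beside /etc/passwd. The password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(G, private_key(username, password, salt), N)

def srp_exchange(username, password, record):
    """Run both sides of the exchange; return (client_key, server_key).
    Only A, B and the salt travel over the network."""
    salt, v = record
    k = H(i2b(N), i2b(G))                     # multiplier parameter
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(G, a, N)                          # client -> server
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (k * v + pow(G, b, N)) % N            # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value; abort the handshake")
    u = H(i2b(A), i2b(B))                     # scrambling parameter
    # Client: needs the password (via x); never sees v.
    x = private_key(username, password, salt)
    S_client = pow((B - k * pow(G, x, N)) % N, a + u * x, N)
    # Server: needs only the stored verifier v; never sees the password.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(i2b(S_client)).digest(), hashlib.sha256(i2b(S_server)).digest()
```

A correct password yields matching keys on both sides, while a wrong one yields mismatched keys, so the server can confirm the password by a key-confirmation step rather than ever receiving it.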

-----Original Message-----
From: Alan Mead [mailto:[EMAIL PROTECTED]]
Sent: Friday, 5 November 1999 9:03
To: [EMAIL PROTECTED]
Subject: RE: MD5 Passwords


At 02:41 PM 11/4/99 +1100, you wrote:
>Well, just so you know, and I'm no security buff, but the package
>doesn't support md5 passwords during the installation (or something
>like that)..  But when I install the SECURITY package it replaces
>programs such as 'su', 'login', 'passwd' and all such related files
>with SECURE versions, which actually use 1024-bit encrypted passwords.
>It even replaces in.telnetd so that the telnet connection itself is
>encrypted.  But it needs to be able to read the existing passwords
>to be able to update them to the new encrypted ones from what I can
>gather.

OK, I'll bite.  What's this security package for?  

I don't think anyone questions the security of MD5 passwords against
ordinary crackers (i.e., those without super computers).  It is true
that passwords are the most common "weak link" but this is typically
through weak passwords (e.g., joe:joe) or sniffing.  So I don't
understand why you want to replace su, login, passwd, etc.

Now the new telnet client (to thwart sniffing) sounds neat but SSH seems
to be shaping up to a standard and also seems to be widely used.  It is
not terribly expensive and free for non-commercial use.  And there is a
freeware version in the works.  And SSH2 supports FTP (telnet can be as
secure as you like, if unencrypted user FTP connections are allowed
you'll still be vulnerable).  And you realize that the telnet client has
to support the encryption?  So I guess you'll only be able to telnet in
from other Linux (UNIX?) machines that support that package.

-Alan
---
Alan D. Mead  /  Research Scientist  /  [EMAIL PROTECTED]
Institute for Personality and Ability Testing
1801 Woodfield Dr  /  Savoy IL 61874 USA
217-352-4739 (v)  /  217-352-9674 (f)


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.