Re: Downloading a message using telnet

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Tue Mar 02 2004 - 07:19:23 PST

On Tue, 2 Mar 2004, Mac Mason wrote:

> I don't suppose I could have the IP address of that box, too?
>
> :-p

:-) It's my server (nevaeh-linux.org), go for it.

> I sincerely hope that that isn't what it appears to be; why on earth
> would it echo passwords in plaintext?

You're talking about an ASCII protocol that does no terminal handling,
whatsoever, so it's not going to "blank" it from the screen. Besides which, what
would be the point? It's still being delivered across the wire in plain text,
just as if you telneted to a normal login prompt. Screen-level visibility is
the least of your problems at that point.

> (That being said...you might want to change your password, if that
> happens to be it)

;-) I was amusing myself, that was a temporary password. I'm very surprised
to see that there were no authentication failures in my logs, actually. I
would have thought there would have been at least one joker that would have
tried to jump on my server and change the password for chuckles.

In any event, that example should serve as a good cautionary measure for
anyone dealing with any of the non-ssl-enabled services, be it vanilla FTP,
POP3, or whatever. Your password can easily be sniffed off the wire.

How paranoid is the average AKLUG'er here? I don't do telnet, I use scp in
lieu of FTP, and I don't even do POP3 or IMAP since I use a local mail client
from a shell on the server (which I access via ssh). Hell, I don't even
expose a password to my CVS server, instead I do local port forwarding over an
ssh tunnel to do my commits. :-) Anyone else taking more steps to prevent
passwords being blasted in the clear?

        --Arthur Corliss
          Bolverk's Lair -- http://arthur.corlissfamily.org/
          Digital Mages -- http://www.digitalmages.com/
          "Live Free or Die, the Only Way to Live" -- NH State Motto
Received on Tue Mar 2 07:19:52 2004
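
Added example, not part of the original message: a small audit of a client-side POP3 session log that flags every USER/PASS command sent before a successful STLS upgrade (RFC 2595), which is the exposure the message above describes. The function name, the "C: "/"S: " log format and both sample sessions are assumptions constructed for illustration.

```python
# Audit a client-side POP3 session log for credentials sent before TLS.
# Lines use "C: " / "S: " prefixes; both samples are constructed.

SAMPLE_PLAIN = [  # plain session on the cleartext port
    "S: +OK POP3 server ready",
    "C: USER alice",
    "S: +OK",
    "C: PASS example-password",
    "S: +OK maildrop locked and ready",
]

SAMPLE_STLS = [  # same login, but upgraded with STLS first
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    "C: USER alice",
    "S: +OK",
    "C: PASS example-password",
    "S: +OK maildrop locked and ready",
]


def audit_pop3_session(lines):
    """Return (line_no, verb, redacted_command) for each USER/PASS
    command the client sent while the session was still cleartext."""
    findings = []
    tls_active = False
    stls_pending = False
    for line_no, line in enumerate(lines, start=1):
        side, _, text = line.partition(": ")
        if side == "S":
            # The reply to STLS decides whether the upgrade really happened.
            if stls_pending:
                tls_active = text.startswith("+OK")
                stls_pending = False
            continue
        if side != "C":
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()  # POP3 keywords are case-insensitive
        if verb == "STLS":
            stls_pending = True
        elif verb in ("USER", "PASS") and not tls_active:
            # Never copy the password itself into the report.
            shown = arg if verb == "USER" else "*" * 8
            findings.append((line_no, verb, f"{verb} {shown}"))
    return findings
```

A refused STLS (a `-ERR` reply) leaves the session marked as cleartext, so a client that carries on with USER/PASS after the refusal is still flagged.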