> Just a bit of confusion there. Some people are aware of a hole in C2 and
> see this as an opportunity to get people's accounts on other systems within
> UTS as most people have a single password. Of course this is frowned upon,
> but what can you do?
> Besides, they don't even need to go through C2. If they are root they can
> just use those wonderful net-monitoring utilities to snarf passwords.
> Things are going to stay this way until we run kerberos and kerberos
> clients are available on SoCS and ITD machines.
There is another solution, how about considering one of the new
progressive non-reusable password systems such as S/Key from
Bellcore, et al. Not only does this solve the problem of having
passwords snooped, but maybe it'll help to educate the next
generation of system administrators towards better security
measures. [ref: ftp://crimelab.com/pub/skey/skey*]
For the uninitiated, with S/Key your password changes upon
every login, and no cleartext passwords are stored on the
system. Any snooping of passwords is ineffective, because the
password becomes redundant after successful use (the next
password is generated by an iterative pass through a one-way
hash). The (minimal) downside is that you need to use client
software to "pregenerate" the passwords you use for subsequent
logins. These passwords are composed of six words, each being
1 to 4 letters in length. It is possible to generate, say, your
next 100 passwords, print them out and carry them around in
your wallet though.
Of course it isn't as convenient as traditional methods, but
such will be future authentication systems.
Though kerberos is a pretty neat solution, even if it does have
a problem in multiuser environments with leaving valid tickets
lying around in public places ;-)
my 5c.
Matthew.
-- Matthew Gream Consent Technologies Sydney, (02) 821-2043 M.Gream@nospam.uts.edu.au