NetBSD-Users archive


Re: ssh scans




On Oct 27, 2009, at 8:57 PM, Greg A. Woods wrote:

At Tue, 27 Oct 2009 04:58:09 -0400, Steven Bellovin <smb%cs.columbia.edu@localhost> wrote:
Subject: Re: ssh scans

That depends on how bad your users are with password choices. Some of
my students lost some VMs to attackers who got in via just this
mechanism.

A _long_ time ago I submitted patches for NetBSD that incorporated a
"standard" password cracking tool proactively as countermeasures to
prevent users from choosing obviously poor passwords in the first place.

Sadly the PR was closed after a very much inferior, incomplete, and
actually unused solution was added to NetBSD.

Even then it took 5 years for the PR to be addressed, and another 4
years later the resulting "solution" (if I dare call it such) is still
not yet properly documented or cross-referenced in all the relevant
places, nor is it even enabled in any way in passwd(1) or any other
password setting tool.

Meanwhile all too many sites still rely on passwords for authentication,
and sites running NetBSD continue to be hacked due to lack of using
commonly available cracking tools as countermeasures.

Until the ability to use passwords is ripped entirely out of the OS, we
obviously still need to use common password cracking techniques as
countermeasures to prevent users from choosing weak passwords.  As I
asked in the title of my old PR, of what use are 128-byte passwords if
people can still choose easily guessable ones?

No, I'm not _really_ bitter -- I still use the code I wrote to integrate cracklib, but I am sad that the poor attitudes of a few have prevented it
from directly benefitting many others who use NetBSD.

My incident was on Linux, that being the supported OS at $DAYJOB...

                --Steve Bellovin, http://www.cs.columbia.edu/~smb