Last night I attempted my bi-monthly Grex login to keep my account alive and purge junk mail. I connect to Grex via ssh. Upon entering my password I got "Access Denied." I talked to a fellow grexxer about this and was told that if my password was expired I had to telnet in to change it first. My question is, why? The point of forcing password changes is security. Why must I log in via an insecure protocol to update my password?
18 responses total.
As I understand it, this is a problem with SSH on Grex - it's too dumb to be able to deal with the response it gets from the login program when a password has expired. Best thing is to log in via telnet, change the password, logout, then log in via ssh and change it again.
I did log in via telnet to change my password, however telnet is completely insecure. My new "secure" password was transmitted in plain text across the connection. It seems to defeat the purpose of mandatory password cycling if a user who already is security-conscious is forced to use insecure protocols. Is Grex really gaining anything by password expiration? As it is, a majority of us simply change our password to a dummy password, then re-run `passwd` to return it to our previous password.
We can't stop people from being "stupid". Sshd should do something better with expired passwords. Unfortunately it's very hairy code and we already have other ugly hacks in to sort of deal with the telnet queue stuff. At this point, all this stuff isn't likely to change until we move onto new hardware.
This response has been erased.
So, for those of us who would like to keep track of such things: How do we find out how long until our passwords expire? Why can't we turn password expiration OFF?
One year, and no you can't turn it off.
I've not been able to find anything that tells me when I last changed my password. I know that login will remind us to change it, when we get close to the expiration, but that only works with telnet. If you change your password every month or so, you'll never have to worry about your password expiring.
or remembering your password..
(I make occasion to use my new password four or five times, immediately after changing it. Just for practice.)
for the non-techie ones of us, just how insecure is telnet? Is it in fact possible for your password to be compromised by typing it in while using telnet? is it really perceptibly safer to use ssh?
ssh adds channel (session) security, so anyone with (network line) access between your computer/ISP port and Grex cannot legibly translate anything you type or is sent back - whereas with telnet anyone with (network line) access can read anything you send/receive quite easily with packet/application filtering software.
This response has been erased.
excellent work, todd.
Well done, tod!
Except the sealed envelope can be easily opened along transmission, whereas with ssh you would need access to the endpoints (for reading the encrypting keys).
This response has been erased.
telnet need not be insecure. if kerberos is used with the new system it should be possible to negotiate a totally secure session using telnet.
TROGG IS DAVID BLAINE