|
|
| Author |
Message |
jimj
|
|
Expired passwords and SSH
|
Mar 19 19:02 UTC 2004 |
Last night I attempted my bi-monthly Grex login to keep my account
alive and purge junk mail. I connect to Grex via ssh. Upon entering
my password I got "Access Denied." I talked to a fellow grexxer about
this and was told that if my password was expired I had to telnet in to
change it first. My question is, why? The point of forcing password
changes is security. Why must I login via an insecure protocol to
update my password?
|
| 18 responses total. |
aruba
|
|
response 1 of 18:
|
Mar 19 19:16 UTC 2004 |
As I understand it, this is a problem with SSH on Grex - it's too dumb to be
able to deal with the response it gets from the login program when a
password has expired.
Best thing is to log in via telnet, change the password, log out, then log in
via ssh and change it again.
|
jimj
|
|
response 2 of 18:
|
Mar 19 20:27 UTC 2004 |
I did log in via telnet to change my password, however telnet is
completely insecure. My new "secure" password was transmitted in plain
text across the connection. It seems to defeat the purpose of
mandatory password cycling if a user who already is security-conscious
is forced to use insecure protocols. Is grex really gaining anything
by password expiration? As it is, a majority of us simply change our
password to a dummy password, then re-run `passwd` to return it to our
previous password.
|
mdw
|
|
response 3 of 18:
|
Mar 19 21:02 UTC 2004 |
We can't stop people from being "stupid". Sshd should do something
better with expired passwords. Unfortunately it's very hairy code and
we already have other ugly hacks in to sort of deal with the telnet
queue stuff. At this point, all this stuff isn't likely to change until
we move onto new hardware.
|
tod
|
|
response 4 of 18:
|
Mar 19 23:59 UTC 2004 |
This response has been erased.
|
russ
|
|
response 5 of 18:
|
Mar 20 01:34 UTC 2004 |
So, for those of us who would like to keep track of such things:
How do we find out how long until our passwords expire?
Why can't we turn password expiration OFF?
|
scott
|
|
response 6 of 18:
|
Mar 20 02:11 UTC 2004 |
One year, and no you can't turn it off.
|
gelinas
|
|
response 7 of 18:
|
Mar 20 02:42 UTC 2004 |
I've not been able to find anything that tells me when I last changed my
password. I know that login will remind us to change it, when we get close
to the expiration, but that only works with telnet.
If you change your password every month or so, you'll never have to worry
about your password expiring.
|
styles
|
|
response 8 of 18:
|
Mar 20 03:53 UTC 2004 |
or remembering your password..
|
gelinas
|
|
response 9 of 18:
|
Mar 20 04:21 UTC 2004 |
(I make occasion to use my new password four or five times, immediately after
changing it. Just for practice.)
|
richard
|
|
response 10 of 18:
|
Mar 20 05:43 UTC 2004 |
for the non-techie ones of us, just how insecure is telnet? Is it in fact
possible for your password to be compromised by typing it in while using
telnet? is it really perceptibly safer to use ssh?
|
spooked
|
|
response 11 of 18:
|
Mar 20 06:49 UTC 2004 |
ssh adds channel (session) security, so anyone with (network line) access
between your computer/ISP port and Grex cannot legibly translate anything
you type or is sent back - whereas with telnet anyone with (network line)
access can read anything you send/receive quite easily with
packet/application filtering software.
|
tod
|
|
response 12 of 18:
|
Mar 20 15:26 UTC 2004 |
This response has been erased.
|
styles
|
|
response 13 of 18:
|
Mar 20 19:25 UTC 2004 |
excellent work, todd.
|
soup
|
|
response 14 of 18:
|
Mar 21 00:24 UTC 2004 |
Well done, tod!
|
spooked
|
|
response 15 of 18:
|
Mar 21 00:40 UTC 2004 |
Except the sealed envelope can be easily opened along transmission,
whereas with ssh you would need access to the endpoints (for reading the
encrypting keys).
|
tod
|
|
response 16 of 18:
|
Mar 22 17:56 UTC 2004 |
This response has been erased.
|
malymi
|
|
response 17 of 18:
|
Mar 31 19:43 UTC 2004 |
telnet need not be insecure. if kerberos is used with the new system it
should be possible to negotiate a totally secure session using telnet.
|
jesuit
|
|
response 18 of 18:
|
May 17 02:14 UTC 2006 |
TROGG IS DAVID BLAINE
|