Hi Everyone,
I didn't receive a huge number of responses but as usual, those that did
arrive were excellent.
My original question was in two parts:
1) In the absence of C2, was anyone using Cracker as a means to enforce
good passwords? And if so, were there any pitfalls to this technique?
2) Could anyone recommend a good, simple firewall?
Thanks go to the following--not only for taking time to write, but in a few
cases for taking time to answer follow-up questions too.
Richard Eisenman <eisenman_at_sanjuan.tricity.wsu.edu>
"Craig I. Hagan" <hagan_at_cih.com>
Kai Grunau <kgrunau_at_ifm.uni-kiel.de>
tcantin_at_WELLESLEY.EDU (Tim Cantin)
Bryan Dunlap <bcd_at_heinlein.mps.ohio-state.edu>
Martin Mokrejs <mmokrejs_at_prfdec.natur.cuni.cz>
Jim Belonis <belonis_at_dirac.phys.washington.edu>
SOLUTION:
1) Jim was the only one brave enough to admit to having touched Cracker.
His experience convinced me (although I never wanted to mess with it in the
first place) that it isn't worth the hassle -- at least for a system like
ours which is *only* used to process E-mail.
"We ran cracker for 80,000 minutes on an SGI Indy without finishing
checking 600 users on all its dictionaries. You probably should consider
dedicating a machine to running cracker if people might change their
password to something bad any old time."
As an alternative to the Password Plus program that I tried to use, Bryan
recommended using "npasswd" found at
http://uts.cc.utexas.edu/~clyde/npasswd/
Craig suggested using OPIE (the new version of S/KEY), but it sounds too
complex for our users...plus it too requires modifications to Popper.
Nonetheless, if you are looking for a more rigorous passwd replacement,
this sounds like the ticket.
Martin also mentioned S/KEY but said that KERBEROS is another good
alternative. He reports that it "cracks" the password when a user tries to
create a new one and also offers the ability to send encrypted data. An
additional benefit is that he isn't aware of any crackers for Kerberos.
2) Everyone recommended running tcp_wrappers as a simple firewall. I have
to admit to being a real newbie when it comes to this stuff, so after some
digging I discovered that I *already* have tcp_wrappers running on my
system. (blush) For those who don't, it can be obtained from:
ftp://ftp.win.tue.nl/pub/security.
Thanks again! And to all of you who are weary of security
questions...thanks for tolerating my posting.
Cheers,
Debby
Received on Wed Oct 08 1997 - 19:20:42 NZDT