
Netatalk and Password Security [Was: RE: SimplePAMApps-0.50]

[This is way off topic and the last thing I'll post on the subject.

> What's the difference once they get password by sniffing ftp?

My point exactly. I'm not sure what you're trying to say here. One of my
points is why bother changing your netatalk setup when alternate protocols
leave you vulnerable to password sniffing anyhow?

>    > Also, from what I remember about afp, it's "2 way scrambled" which I
>    > suspect isn't exactly strong crypto. If a 3rd party could
> Then you have to talk to Apple, and ask them to enhance their AppleShare so
> that it will support more crypto.

Alex, I'm utterly not understanding the theme of your response here. I
don't use AppleShare. I gave away the last mac I had to my father. If I
want crypto on the wire I'll use AFS so that they can't sniff my file
contents either. 

I'm simply saying that you want to make changes to make your passwords
'unsniffable' by 'encrypting' them on the wire, and that you won't get
what you want because a poor 2 way scramble does not accomplish that goal.

So, to reiterate, there's 2 reasons why passwords will still be sniffed if
you make this change. One is other protocols, and two is (what I assume to
be) an easily reversed "scramble" in the appleshare protocol.

My conclusion (advising against doing this) rests on 2 things: first, the
assumption that if your change gains you nothing then why do it, and
second, the observation that because you have to do a bad thing (store
passwords in cleartext) you would need a fairly good thing (eg TRUE
encryption on the wire, not a reversible scramble, and a complete
elimination of all cleartext transmission of that protocol) to offset it
enough that it would be justifiable on a cost-benefits analysis.

>    > can be extended by the server for a vanilla client. The NT afp
>    > implementation (the last time I saw it was on 3.51, I don't
> All I want for now is to do what I need.

I am not sure how you define your needs, but if you define them as having
a single password solution for your users, the cleartext transmission of
passwords to netatalk gets you that. If your needs include the cessation
of all cleartext transmission of a user's password to keep it safe from
sniffing, this change won't help you any unless you plan on coming up with
mac clients for email and whatever else they do that transmits cleartext.

To be totally honest, I think perhaps I may have been lacking in tact in
my original email, sufficient enough to get this sort of terse reply from
you. For that I apologize. If we're not meeting up here on this issue then
I'll accept my portion of the responsibility. In any case I'm prepared to
let the thread die, I don't feel any overwhelming desire to tell you how
to do your job...

Best Regards, and thanks (as a former Mac user) for putting in the extra
effort to support Macs on your networks properly rather than just forcing
some sort of migration. That's all too common these days.

Jim Hebert

"[T]hey said something to the effect that Linux has 'the tendency not to 
crash.' ... It's like me listing 'the tendency not to murder people' as one of
my good character traits. :-> It seems that people have grown so accustomed to
buggy OS's that when Linux simply does what it's supposed to do, it comes 
across as something new and different." Scott Webster on linux-biz 20 Feb 1999
