>    I'm trying to decide right now if there should be many accounts on the
>gateway - or just one user account (yes, barring all the usual system
>accounts).  Basically, the banner tells the user to log in as "guest"
>with pass "guest" - and the user "guest" has a telnet> prompt.

If you do that, you can forget ever keeping out anyone you didn't invite.
Not only can I give away the password (not that guest isn't the first
one I'd guess anyway) but I can do so without you knowing it
was me who gave it away.  If I've got my own, at least you can guess
that it was me that posted it to alt.2600, after 100 uninvited people
show up.

>I'd like
>to have it that the users can encrypt their connections from the gateway
>to each machine, but without giving them a shell on the gateway, it's
>difficult.  Ideas?

SSH again is the closest you'll get, I think.  Any other attempted solution will
not work across that wide a variety of machines.

>    I don't want to police it heavily.  I also don't want Joe Average User
>to be able to log in and start trouble.  I think this will happen fairly
>quickly - the crowd I'm hoping to attract isn't the CURRENT usenet
>majority of "dumb people with smart terminals", but the majority from
>six years ago - "smart people with dumb terminals".

My complaint about the happy hacker contests (yes, I'd like to poke
around in there when I'm bored) is that the machines are so heavily
loaded down with script kiddies, I can't get in.  Or, when I do, I can't
get a keystroke in edgewise.

Requiring SSH, then a unique name and password on the gateway
that had to be applied for, followed by having to have some account
on the inside boxen, will help keep the noise down somewhat.

>    See, there's the question.  I can't think of ways to keep that safe.
>One-time passwords just don't exist (to my knowledge) in this format.
>Perhaps a one-time password to the "guest" account; then get in and hang
>around, post a message saying WHY you'd like an account, talk to some
>folks, play, and convince someone with root to make an account for you?
>You're right; it's inherently insecure, and supremely difficult to get
>around.

Well, frankly, do what the porn sites do.  Understand that passwords will
be given away.  Then, you watch for the same account being used
simultaneously from many IP addresses, and flag it as compromised.

>    EXACTLY!  There truly are; but, in order to do so, you have to both a.)
>REALLY know what you're doing - have you ever talked in depth about Unix
>to a script-kiddie? and b.) Put some time and effort into it.  At that
>point, are you going to stick around for a while and play, or
>maliciously break stuff for the joy of breaking it? :)  People that know
>how to MAKE the tools they need are rarely destructive.

Would I not be leaving the compiler behind after I got it installed properly?

I forgot before... make certain that the inside machines can't get back out to
the Internet.  Otherwise, there is a BIG incentive to get into your playground.

                              Ryan


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
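The "watch for the same account being used simultaneously from many IP addresses" check Ryan describes, written out as an added example that is not part of the original post or anyone's gateway code. It assumes sshd success lines in syslog style with ISO-8601 timestamps (the hostname "gw", the PIDs and the log lines themselves are constructed), and it treats "three or more distinct source addresses inside a ten-minute window" as the flagging threshold; both numbers are assumptions to tune for your own gateway.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: sshd lines in syslog style with ISO-8601 timestamps.
# "guest" is being used from four different networks within five minutes;
# "alice" roams between two addresses half an hour apart; "bob" is steady.
SAMPLE_LOG = """\
2024-03-01T10:00:01 gw sshd[4101]: Accepted password for guest from 10.0.0.5 port 51234 ssh2
2024-03-01T10:01:12 gw sshd[4122]: Accepted password for guest from 192.0.2.7 port 40021 ssh2
2024-03-01T10:02:45 gw sshd[4130]: Accepted password for guest from 198.51.100.3 port 53011 ssh2
2024-03-01T10:04:09 gw sshd[4141]: Accepted password for guest from 203.0.113.9 port 41877 ssh2
2024-03-01T10:00:30 gw sshd[4105]: Accepted publickey for alice from 10.1.1.1 port 50001 ssh2
2024-03-01T10:30:00 gw sshd[4301]: Accepted publickey for alice from 10.1.1.2 port 50002 ssh2
2024-03-01T10:40:00 gw sshd[4355]: Accepted publickey for alice from 10.1.1.1 port 50003 ssh2
2024-03-01T10:05:00 gw sshd[4150]: Accepted publickey for bob from 10.2.2.2 port 50100 ssh2
2024-03-01T10:06:00 gw sshd[4151]: Accepted publickey for bob from 10.2.2.2 port 50101 ssh2
2024-03-01T10:07:00 gw sshd[4160]: Failed password for invalid user root from 203.0.113.77 port 3333 ssh2
"""

# Only successful logins matter for this check; failures are ignored by the pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_logins(text):
    """Return a list of (timestamp, user, source_ip) for each successful login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def find_shared_accounts(events, window=timedelta(minutes=10), max_ips=3):
    """Return {user: sorted source IPs} for every account that logged in from
    at least `max_ips` distinct addresses within any `window`-long span.

    Assumed thresholds: 3 addresses / 10 minutes. A sliding window per account
    keeps only logins newer than `window`, so a single person roaming slowly
    between two addresses is not flagged, while a password posted publicly
    shows up as a burst of logins from unrelated networks.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, ip) still inside the window
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # drop logins that fell out of the window
            q.popleft()
        ips = {addr for _, addr in q}
        # Record the largest distinct-address set seen for a flagged account.
        if len(ips) >= max_ips and len(ips) > len(flagged.get(user, ())):
            flagged[user] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for user, ips in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} source addresses within 10 min -> {', '.join(ips)}")
```

Two caveats when tuning the threshold: many legitimate users behind one NAT all appear as a single address (so a shared password handed around one campus will not trip this), and one user behind a pool of outbound proxies can appear as several, so treat a hit as a reason to look at the account rather than as proof on its own.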
