On 21 Nov 2002, Kirk Strauser wrote:
>
> At 2002-11-22T03:18:29Z, Jeff Jirsa <[EMAIL PROTECTED]> writes:
>
> > Finger is relatively safe. Most of the arguments for not allowing it
> > involve privacy rather than security (I don't really like people knowing
> > when I log in and out, if they need to bother me, there are better ways to
> > track me down).
>
> Well, privacy and security are almost directly related in this case. finger
> gives a nice route for would-be attackers to get a list of usernames from
> the system in that it's a pretty quick way to do a dictionary attack of
> names against a server.

Yes, but that can be disabled with the -s switch:

    -s    Enable secure mode. Queries without a user name are rejected and
          forwarding of queries to other remote hosts is denied.

He also said there were users on the box, and asked what THEY might do ...
any user can always `cat /etc/passwd`, so `finger @host` doesn't add much
more risk than that.

- Jeff
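
The two rules in the -s description quoted above, modelled as a query classifier. This is an added example, not part of the original message and not fingerd's source code; the function names and sample queries are constructed, and the query layout assumed is the RFC 1288 form `[/W] [user][@host...]` terminated by CRLF.

```python
# Added example: a model of the policy described for "fingerd -s".
# Function names and the sample queries below are constructed for illustration.

def parse_query(line: bytes):
    """Split one finger query line into (verbose, user, hosts)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    tokens = text.split()
    verbose = False
    # An optional leading /W token asks for the long output format.
    if tokens and tokens[0].upper() == "/W":
        verbose = True
        tokens = tokens[1:]
    target = tokens[0] if tokens else ""
    # Anything after the first '@' names a host the query should be relayed to.
    user, *hosts = target.split("@")
    return verbose, user, hosts


def secure_mode_decision(line: bytes):
    """Return (verdict, reason) for a query under the two -s rules."""
    _verbose, user, hosts = parse_query(line)
    if hosts:
        # "forwarding of queries to other remote hosts is denied"
        return "deny", "forwarding to " + "@".join(hosts)
    if not user:
        # "Queries without a user name are rejected": this is the request
        # that would otherwise return the list of logged-in users.
        return "deny", "no user name"
    return "allow", "single user " + user


# Constructed sample queries as they would arrive on TCP port 79.
SAMPLES = [
    b"\r\n",                  # what "finger @host" sends: list everyone
    b"/W\r\n",                # same, long format
    b"jeff\r\n",              # one named user
    b"/W jeff\r\n",           # one named user, long format
    b"jeff@inner.example\r\n" # relay request through this host
]


def classify_all(samples=SAMPLES):
    return [(s, *secure_mode_decision(s)) for s in samples]


if __name__ == "__main__":
    for raw, verdict, reason in classify_all():
        print(f"{raw!r:28} {verdict:5} {reason}")
```

Note that a named-user lookup is still answered in this model, so secure mode removes the bulk listing and the relay, not per-name queries.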