On Thu, 01 Feb 2001 17:40:18 +1030, David Lloyd said:

> 
>  Hmmm
>  
>  > Sometimes you want the authentications encrypted to prevent outsiders from
>  > getting the passwords, but the actual data itself is considered not
>  > sensitive.  Or you're using public key exchange to authenticate, but the data
>  > is not sensitive.  Being able to turn off the encryption would be nice when
>  > you have to move gigabytes across a LAN inside of the allowed backup time
>  > window.  What I've done when I needed to do this is to lower the encryption
>  > strength to use blowfish instead of IDEA or 3DES.  I've doubled throughput
>  > by doing this.
>  
>  Why bother about passwords if you don't care about the data? Surely if
>  the data isn't worth encrypting then you don't actually need to password
>  protect it.
>  
>  You may as well use the r-utilities, or better still something like
>  PAM's "no authentication" module...
>  

Well, to replicate what I assume a lot of people here do (i.e., maintain web
servers/ftp servers) it is crucial that you limit who can upload to the
machine, but not who sees what is *on* the machine.  So the fact that I'm
uploading a new index.html to my machine isn't sensitive at all, anyone who
goes to my box can see that.  However, I obviously don't want just anyone to
be able to upload to my machine.  To be honest, that is a *lot* more common
for me than having actual sensitive data.  If I didn't know that it would be
taken advantage of by script kiddies and idiots, I would open up my whole
machine to the 'net, cuz I frankly have nothing on there that I care if
anyone else sees.  It's just limiting who can *change* it that I care about.

D.A.Bishop
