end-of-spam reached - Alierak
January 19th, 2006
02:19 pm

Ok, everyone can now feel free to continue signing up rmg@mit.edu for all those spam lists. The account no longer exists. The password for the nonexistent account, should you require it, is "a3nadotdie", a brief commentary on the account's status as cruft and a slight play on the hostname below.

% ssh athena.dialup.mit.edu
Received disconnect from 18.7.16.68: 15: You are not allowed to log in here: Unknown username

Does that strike anyone else as a bit of a security hole? I mean, giving away the validity of a username?

See also earthdragon's post.

Current Mood: amused

Comments

From: nakor
Date: January 19th, 2006 07:26 pm (UTC)
For the case of Athena, no. You can already tell whether a username exists by trying to send it mail: non-existent usernames properly bounce. The secret part is your password.

From: alierak
Date: January 19th, 2006 07:54 pm (UTC)
Well, ok, but things that can receive mail aren't necessarily shell accounts. I suppose there's also "ls /afs/athena.mit.edu/user/..." from pretty much any afs-capable machine.

From: crs
Date: January 19th, 2006 08:24 pm (UTC)
You should be warned that, um, posting the password actually does still allow people to do stuff with your kerberos principal.

From: coderlemming
Date: January 19th, 2006 08:32 pm (UTC)
Don't worry, I changed the password for him.

From: ecwoodburn
Date: January 19th, 2006 09:30 pm (UTC)
*snicker*

From: alierak
Date: January 23rd, 2006 04:47 am (UTC)
Apparently not, since yakshaver just did for real.

From: coderlemming
Date: January 23rd, 2006 05:38 am (UTC)
Hah, well, it was kind of a joke ;)

From: alierak
Date: January 19th, 2006 11:37 pm (UTC)
Wow, that's incredibly lame. I will point out, of course, that it's not "my" kerberos principal since I no longer have an account, so if there's any such junk left over it's MIT's, and they should be warned...