eric%cit-vax@sri-unix.UUCP (06/29/83)
Re: the idea of using smtp to find out valid usernames: many sites have finger servers running, and many others have password-less logins like "who" and "finger". Our system records login attempts from the arpanet and several times I have seen a successful "who" login followed by an unsuccessful login attempt for each of the users already logged in!

Thus, to prevent a bad guy from easily getting usernames, out go finger servers and "informational" login names. What we have instead is a setup whereby a file giving the sites that each user can log in from is checked by login and by ftp. Since most users do not access the machine from other sites, most users are not allowed to at all. Also, login and ftp refuse to allow a login from the net if the password is less than 6 characters EVEN IF IT IS CORRECT.

In retrospect, I am glad I put all this stuff in, because there are several spurious attempts every day (particularly, I might add, from somewhere on the ucb-ether network).

- Eric Holstege (eric@cit-vax) (...ucbvax!cithep!citcsv!eric)
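The policy described in the post above, sketched as an added example that is not part of the original post or the author's code: a network login is accepted only if the password is correct, is at least 6 characters long, and the originating site is listed for that user. The file layout (`user:site,site`), the function names and the sample users and sites are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample access file. The "user:site,site" layout is an
 * assumption; the post does not describe the real file format. */
static const char ACCESS_FILE[] =
    "user1:site-a,site-b\n"
    "user2:site-a\n";
#define MIN_NET_PASSWORD 6 /* the post refuses anything under 6 characters */

/* Return 1 if site is one of the comma-separated names in list[0..len). */
static int site_in_list(const char *list, size_t len, const char *site)
{
    size_t want = strlen(site);
    while (len > 0) {
        size_t n = 0;
        while (n < len && list[n] != ',') n++;
        if (n == want && strncmp(list, site, n) == 0)
            return 1;
        if (n == len) break;
        list += n + 1;
        len -= n + 1;
    }
    return 0;
}

/* Decide a login arriving from the network. password_ok is the result of
 * the ordinary password comparison, which the caller has already done. */
int net_login_allowed(const char *access, const char *user, const char *site,
                      const char *password, int password_ok)
{
    size_t ulen = strlen(user);
    /* A correct password is still refused when it is too short. */
    if (ulen == 0 || !password_ok || strlen(password) < MIN_NET_PASSWORD)
        return 0;
    for (const char *line = access; *line != '\0';) {
        size_t llen = strcspn(line, "\n");
        if (llen > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':')
            return site_in_list(line + ulen + 1, llen - ulen - 1, site);
        line += llen + (line[llen] == '\n');
    }
    return 0; /* user not listed: no network logins at all */
}

int main(void)
{
    printf("%d\n", net_login_allowed(ACCESS_FILE, "user1", "site-b", "longpassword", 1));
    return 0;
}
```

Whole-name comparison matters here: a site that is only a prefix of a listed name must not match, and a user with no entry gets the default-deny result.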