garrison@zodiac.rutgers.edu (04/18/91)
I've seen several posts referring to the security risks of telnet (in that if telnet is open, anyone can ftp over to your system and copy to their heart's content). Is it possible to, say, set the protection on certain applications and files so that they will be inaccessible to anyone logging into your system (or, better yet, invisible)? (But remain useable and visible to people actually using the Mac). This would enable us to just leave telNet open under multifinder.

Thanks,
Karl C. Garrison
IN%"garrison@pisces.rutgers.edu"

PS Sorry if this problem has already been addressed recently, but we just started having some problems related to this issue.
derosa@motcid.UUCP (John DeRosa) (04/22/91)
garrison@zodiac.rutgers.edu writes:

>I've seen several posts referring to the security risks of telnet (in that if
>telnet is open, anyone can ftp over to your system and copy to their heart's
>content). Is it possible to, say, set the protection on certain applications
>and files so that they will be inaccessible to anyone logging into your
>system (or, better yet, invisible)? (But remain useable and visible to
>people actually using the Mac). This would enable us to just leave telNet
>open under multifinder.

There are two distinct ways to prevent prying eyes. The first one will work while the second way is better (IMHO).

1) In your config.tel, add the line ftp=no. This will force the default startup condition of TelNet to disallow ftp. When you need ftp, pull down the file menu item and choose FTP Enable. Remember to turn it back off when you are done. This is the manual method.

2) In your config.tel, add the line passfile="ftppass". This tells TelNet to look in your system folder for a file called ftppass that contains passwords for ftp users. In this way, each person trying to ftp to your Macintosh must supply a userid and a password, i.e. they must log in. The ftppass file is created with the telpass application that you should have gotten with TelNet.

Enjoy.
--
= John DeRosa, Motorola, Inc, Cellular Infrastructure Group =
= e-mail: ...uunet!motcid!derosaj, motcid!derosaj@uunet.uu.net =
= Applelink: N1111 =
= I do not hold my employer responsible for any information in this message =
sigurd@ii.uib.no (Sigurd Meldal) (04/23/91)
In article <6234@crystal.UUCP> derosa@motcid.UUCP (John DeRosa) writes:

>garrison@zodiac.rutgers.edu writes:
>
>>I've seen several posts referring to the security risks of telnet (in that if
>>telnet is open, anyone can ftp over to your system and copy to their heart's
>>content). Is it possible to, say, set the protection on certain applications
>>and files so that they will be inaccessible to anyone logging into your
>>system (or, better yet, invisible)? (But remain useable and visible to
>>people actually using the Mac). This would enable us to just leave telNet
>>open under multifinder.
>
>There are two distinct ways to prevent prying eyes. The first one will work
>while the second way is better (IMHO).
...
>2) In your config.tel, add the line passfile="ftppass". This tells
>TelNet to look in your system folder for a file called ftppass that
>contains passwords for ftp users. In this way, each person trying
>to ftp to your Macintosh must supply a userid and a password, i.e.
>they must log in. The ftppass file is created with the telpass
>application that you should have gotten with TelNet.

I have only one quibble with this one. Since the ftppass file is in a fixed location, any user who has ftp access may upload a new ftppass file, changing the set of user/password pairs.

A slight (and sufficient?) improvement is to use a different name and/or location for the password file, not the default, and better yet, embed mac-specific characters in that name, e.g. a greek letter. That makes it harder for a potential miscreant in two ways - she may not know what the password file is named, and secondly, if she did then it is not always obvious how to upload a new file since ftp seems only to use the standard 7 bit ascii character set, translating the 8 bit mac characters in names into 7 bit ascii (presumably just dropping a bit).

When you change the filename, remember to change it in the config.tel file as well :-).
Sigurd
--
Department of Informatics | Arpa: sigurd@ii.uib.no
Hoyteknologisenteret      |       meldal@anna.stanford.edu
N - 5020 Bergen           | Uucp: ...decwrl!glacier!shasta!anna!meldal
Norway                    |
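The two config.tel settings from John DeRosa's post and the password-file concern raised in the reply above can be checked mechanically. This is an added example, not part of the original thread or of TelNet itself; the one-entry-per-line key=value parsing, the '#' comment rule, the function names and the finding labels are all assumptions.

```python
# Added example (not from the thread): audit config.tel text for the FTP
# settings discussed above. Assumed format: one key=value entry per line,
# lines starting with '#' are comments. Finding labels are made up here.

def parse_config(text):
    """Return {key: value}; keys lower-cased, surrounding quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_ftp(text):
    """Return a list of findings for the built-in FTP server settings."""
    cfg = parse_config(text)
    ftp_off = cfg.get("ftp", "").lower() == "no"
    passfile = cfg.get("passfile", "")
    findings = []
    if not passfile:
        # No password file: nobody connecting by FTP is asked to log in.
        findings.append("no-login-when-enabled" if ftp_off else "open-no-login")
        return findings
    if passfile == "ftppass":
        # The name given in the thread; an FTP user could overwrite it.
        findings.append("known-passfile-name")
    if all(ord(ch) < 128 for ch in passfile):
        # 7-bit name: can be typed from any FTP client (Sigurd's point).
        findings.append("ascii-passfile-name")
    return findings

# Constructed sample configurations, not taken from a real machine.
SAMPLES = {
    "nothing set": "# empty config\n",
    "option 1": "ftp=no\n",
    "option 2": 'passfile="ftppass"\n',
    "renamed": 'ftp=no\npassfile="ftp\u03c0words"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12} -> {audit_ftp(text) or ['no findings']}")
```

An empty result only means none of the three conditions raised in the thread were found; a renamed password file is still writable by anyone who learns its name.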
psych@watserv1.waterloo.edu (R. Crispin - Psychology) (04/23/91)
In article <1991Apr23.072617.7975@eik.ii.uib.no> sigurd@ii.uib.no (Sigurd Meldal) writes:

>In article <6234@crystal.UUCP> derosa@motcid.UUCP (John DeRosa) writes:
>>garrison@zodiac.rutgers.edu writes:
>>
>>>I've seen several posts referring to the security risks of telnet (in that if
>>>telnet is open, anyone can ftp over to your system and copy to their heart's
>>>content). Is it possible to, say, set the protection on certain applications
>>>and files so that they will be inaccessible to anyone logging into your
>>>system (or, better yet, invisible)? (But remain useable and visible to
>>>people actually using the Mac). This would enable us to just leave telNet
>>>open under multifinder.
>>
>>There are two distinct ways to prevent prying eyes. The first one will work
>>while the second way is better (IMHO).
>...
>>2) In your config.tel, add the line passfile="ftppass". This tells

Stuff Deleted

>
>I have only one quibble with this one. Since the ftppass file is in a

Stuff Deleted

The problem with any method that relies on the values in the passfile is it eliminates people being able to do an Anonymous FTP to the machine. I would like to allow this but restrict the access to only a single volume or directory and its sub-directories.

Richard Crispin          Phone: (519)888-4781
Dept. of Psychology      EMail: psych@watdcs.uwaterloo.ca
University of Waterloo          psych@watserv1.uwaterloo.ca
Waterloo, Ont. Canada N2L 3G1