Did UNIX/CNC password scheme change?

*jenili* · 02-02-1999, 03:10 PM

I used to access CNC with the password I gave when setting up my account, which was not my FQ login password. This was by design, since I didn't want to authenticate in clear text. It doesn't seem to work that way anymore.

Does this mean the two passwords have been synchronized and I have to either send my login password clear-text for CNC or forego CNC altogether? Or is there a way around this so I can use asynchronous passwords like I did before? Am I making sense with my explanation of this?

Many thanks, as always!
jeni

**Terra** · 02-02-1999, 03:22 PM

The CNC and Login are synchronized whenever an account is setup - or you email support@ to have your password changed...

If you want to change this behavior, then Telnet/SSH in and type 'passwd' at the prompt...

This will split the 2 (for the time being), as I will be rewriting the 'passwd' command to auto-sync all the passwords... Right now, it will fall out of sync and satisfy your needs...

--
Terra
sysAdmin
FutureQuest

Stephen · 09-22-1999, 02:13 PM

Thought I'd float this thread back to the top again.

I've just installed an SSH client on my local machine and am trying to come to grips with all the non-secure net connections that I haven't worried about in the past. Before I request changing my account password, I want to be sure I understand what benefit it will have.

My concern here is the one Jenili expressed above. If I have to share my account password with the CNC page, how can I do it securely? (I'm presuming that the current CNC password collection is sent in the clear)

If I e-mail support for a change of account password, can my CNC password be left as is (i.e. as an I-don't-care-if-someone-sniffs-this-one throw-away)?

(I'm also thinking about the problem as it pertains to grabbing e-mail with the account password. There may be a way to do it with SSH--although I have still to figure out the details...)

Thanks.

**Terra** · 09-22-1999, 06:02 PM

You can just type '$passwd' at the command prompt and it will change your login password to your account...

This will desync the CNC and Login password...

You can also set your SSH login to use something totally different via the RSA methods...

When you send in a password request, everything is synched to maintain congruency and also ensure that the site owner keeps his/her password private...  The CNC was written for the site owners sole use, and you have to decide if giving someone else CNC access is worth risking your password...  It's all a matter of trust...

Something else I'm looking into is using one of Apache's new features in using MD5 passwords for CNC access...  Only newer browsers fully support it, but the crackability of a sniffed password is extrememly difficult as it can only be Brute Forced (search the entire keyspace) or Dictionary attack (choose good passwords like 45Pa$$w0rd99 <-Upper/Lower w/numbers and/or symbols)

I've also investigated using an SSL server for CNC access, but this has proved to be *extremely* problematic and difficult to design for full production mode...  I am hoping with the next ratification of the SSL protocol will lift many of the barriers I'm now faced with making CNC/SSL next to impossible...

Bottom line, if you investigate your options you will see how you can setup your access in a custom manner that suits your needs...  It's just not something I can provide a tutorial or suggestions (other than what I have above)...  With a bit of creativity, you can mold your access just right...

--
Terra
--Security is inversely proportional to convenience--
FutureQuest