[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Hiding all copies of your PPP password



Evgeny is right, as usual.  :-)

However, hiding PPP passwords reduces (or eliminates) the following
risks:

1. If someone broke into your system, he'll at least have to wait until
you log into the Internet (activate the hacked pppd) before hijacking
your PPP password.  This assumes that the final PPP hiding wrapper
script knows to wipe out temporary files, not merely unlink them.
If you use TripWire (or something similar) to verify your system's integrity
before you connect to the Internet, then the risk from this direction is
eliminated.

2. When installing PPP on a newbie's computer, he'll not have to reveal
his PPP password to whomever is helping him to set up his system.
In other words, the PPP password won't go into any files which have
to be manually edited in order to configure the PPP connection.
                                                                           --- Omer
WARNING:  by sending me unsolicited commercial/religious/political/M@ilPush
E-mail (known also as "spam") you irrevocably agree to pay me US$500.-
(plus any legal fees incurred by my trying to collect the above amount) per
unsolicited commercial/religious/political/M@ilPush E-mail message sent
to me - for the service of receiving it.



-----Original Message-----
From:	Evgeny Stambulchik [SMTP:fnevgeny@plasma-gate.weizmann.ac.il]
Sent:	Tue December 08 1998 19:12
To:	omerz@actcom.co.il
Cc:	linux-il@linux.org.il
Subject:	Re: Hiding all copies of your PPP password

Omer Zak <omerz@actcom.co.il> wrote:

>  Well, the situation is that if you want to set up a PPP connection to
>  your ISP, you must create /etc/ppp/pap-secrets and/or /etc/ppp/chap-secrets.
>  Also, if you use chat (rather than dip) to help pppd get started, then you
>  must
>  write a chat script.
>  
>  The problem is that those files contain your password in clear text form.
>  So if someone succeeds in breaking into your Linux system and gaining root
>  privileges, then also your ISP account is open for him.

I someone breaks in your system as root, there is nothing you can prevent him
from. For example, he can modify pppd to email the password in the clear text to