Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Password problem in Trumpet Winsock.

From: melson () SCNC HOLT K12 MI US (Paul Melson)
Date: Mon, 7 Apr 1997 09:53:07 -0400


It is possible to open trumpwsk.ini, take the encrypted string for the
$password= variable, and place it in the ppp-username= variable. This,
allows one to start up tcpman.exe,g oto File > PPP Options and get the
user's password.



        Unfortunately, your end users are always going to be
        the weakest link in your 'security chain' so to speak.
        There are lots of possibilities, but it is probably a
        good idea to authenticate your dial-up users and your
        shell users seperately, and discourage (if not prevent)
        their using the same password in each case.

        For those of you who are using Trumpet Winsock and
        Trumpet TCPManager to do dial-up, you can prevent
        the use of the $password variable by simply removing
        it from the [default vars] heading of the TRUMPWSK.INI
        file, and using a prompt in your LOGIN.CMD like this:

if ![load $password]
  if [password "Enter your login password"]
  end
end

        I haven't seen a recent release of Trumpet Winsock,
        so I don't know, but I think this might even be the
        standard post-install configuration.



Paul

--
                                                        _____________________
                                                        melson () holt k12 mi us
Previous By Date Next
Previous By Thread Next

Current thread: