Re: Did I give up on telnet too easily?

From: Marcus Lauer (reply_at_via.newsgroup)
Date: 10/11/03

Date: Sat, 11 Oct 2003 17:00:13 GMT

Peter T. Breuer wrote:

> In comp.os.linux.networking Marcus Lauer <reply@via.newsgroup> wrote:
>> Yes, but they're changed over a plain-text connection, which
>> means that any
> No they are not. Do not put words in other peoples mouths. If you
> cannot imagine how to do it without showing it in plaintext, I'll be
> happen to make up for your neural gap next post.
>> sniffer will see you type in each new password. And the attacker can
>> login
>> in a flash as well, can't they? Also, how do you plan to get work done
> No they can't. Again, I'll be happy to tell you how not if you can't
> imaine.
>> when you're repeatedly typing in three passwords (you original one, the
>> new one, and the new one again)?
>> You didn't think this plan through very well, did you?
> No, it's YOU who can't think in this instance. Quit being annoying. AC
> may be an idiot on many things, and quite possibly on this too, but
> there's no need to act like an even bigger half-wit in reply.
> Peter

        Okay, hold on. If you're saying that some process, be it a daemon or just
some program called as part of the login process, changes a user's password
after they login, then fine. Yes, I can see how that works. What I don't
understand is how that would create a useable system. Are we talking about
having one-time passwords, e.g. where the user needs a new password every
time they login?

        I guess my problem is that I don't see that as being very useable. I also
argued against telnet being a good replacement for ssh while acknowledging
that in some very restricted environments, telnet might be okay. It sounds
like this is the same sort of thing. Yes it can be done. It would also be
a pain in the ass to use, could be done with ssh just as easily, and still
assumes some things, e.g. that the user doesn't mistype one letter in an
obvious password and a quick attacker doesn't take advantage of the

        Now that I think about it, I admit that my reply wasn't very bright. But
next time, if you must reply to a dumb post, reply with facts, not insults.
As far as I know, you may have no idea what you're talking about either!
If you do know what you're talking about, God forbid that you should
actually educate me, AC, and the rest of the newsgroup rather than just
throwing around insults. I'm hardly a half-wit, guy. In fact, if what I
wrote in the last two paragraphs is correct, then I'm the only one here
who's actually demonstrated any understanding at all of how automatic
password changing could be implemented and what some of the costs and
benefits would be.

-- Marcus --