Berkeley CSUA MOTD:Entry 23943
2002/2/22 [Computer/SW/Security, Computer/SW/Unix] UID:23943 Activity:very high
2/21    My moronic boss asked me to write a batch file to automate a telnet
        session and one requirement is it should not ask user for the
        password.  How do I kindly tell him that he is an idiot?
        \_ set up ssh with passwordless public key or host-based authentication,
           symlink telnet to ssh and let him believe that the users are using
           telnet ;p
           \_ The batch file will be placed in hundreds of Windows 98
              machines at a client site; none of these machines have ssh.
              How do I tell him off?  I told him it can't be done and he
              insisted that it can be done.
              \_ Why are you still even working there? I can't imagine
                 working in a place with a boss that stupid and an OS
                 that crappy.
                 \_ This isn't 1998.
              \_ Include ssh along with the batch file. --dim
        \_ He's a moron, true, but you've done your duty by telling him so, now
           it is your job to make it work.  I suggest a telnetd that auto-auths
           anyone with no password.  Yes, this is frightfully stupid, etc, etc,
           but unless you want to polish your resume, swallow the bile and just
           do it.  Now is not a good time to get fired.  Make sure you have it
           documented that this is insecure and you told them so but were told
           to do it anyway.  You're then free from serious fallout.  C.Y.A.
        \_ I agree with the SSH suggestion. However, if you still need to
           use telnet, you can embed a known password into the batch script.
           You need to telnet to the same account, though. Or maybe have
           the user save the password somewhere, but not ask on every
           use.
        \_ Create a server on a random port that does what he wants and have
           your script telnet to that port.
        \_ write a telnet program that automates the password and ship
           it with your batch file.  And document it that it's insecure.
        \_ Upgrade windows. Realize that even windows has better tools
           than telnet for running remote batch jobs.
        \_ Whatever you do ignore the idiots here who give the 1990's dotcom
           answer of "oh just quit!".  Find a way to do the project and do it.
           Document the insecurity and the specs and forget about it.  Your job
           is more important than religion.
        \_ maybe he's talking about telnet -F option with Kerberos V5
           authentication being used.
        \_ acct with no passwd?