A friend of mine recently installed Gentoo Linux. It looks like a nice distribution really. I was quite amazed by what the use of the framebuffer can do to the console, so I wanted to have the same. My previous experiments with it had always failed, usually leaving my monitor blank by exceeding its specifications. I learnt that it's simply a matter of recompiling the kernel with CONFIG_FB_VESA=y. After that, adding vga=792 (or some other mode provided by the kernel) to lilo.conf is all that is needed to give me a lavishly high-resolution console with 128 columns and 48 lines. Sweet and very convenient when editing source code.
Yesterday I also renewed my expired account for one of the many CIP-pools of my university. That's really a nuisance: the account is disabled if you don't change your password every six weeks. Honestly, I don't have the time and the nerves to come up with a new password all the time (and especially, remember it afterwards). Just changing the password to its old value won't do... the system checks the last three used passwords and complains when you try to reuse one of them. So what I did was write a little Perl script that uses Expect.pm to log in via ssh and issue four passwd cycles.
The whole security concept of my university is rather questionable. Lately, the university (after all, it bears the name "Aachen University of Technology" so they should know) disabled FTP access to the personal webspace and replaced it with WebDAV. They say FTP wouldn't be secure. Well, ok so far. The thing that makes it all ludicrous is this: when you get a dialup-account assigned, you have a username and password. This combination is essentially used for every service (newsserver, POP3, WebDAV etc.). So each time I check my mails and log into the newsserver, my user/pass combo is sent in cleartext (no encryption at all, SMTP further is only done via SMTP-after-POP). So naturally, someone just has to sniff my credentials when I send an email and can then use it with WebDAV as well.
Of course, sharing the password with other systems, whilst very convenient in practise, can also lead to these sorts of exposures.
However, I don't see much reason why they can't run pop3 / IMAP over SSL as well. It's not difficult to do and increases the security a lot.
-Dom
Re:WebDav
ethan on 2003-10-24T10:06:13
WebDav is generally a good thing, but it does need to be done over SSL or using Digest authentication to make it secure.
WebDAV is done via SSL. This in itself is ok. Not so ok is the lack of encryption for every other service.
As for why they haven't yet migrated to SSL for at least the mail-service is beyond me as well. It has been suggested to them often enough, but so far only a mumble that this is going to happen at some indefinite point in the future was returned.
The only good thing about it is that I don't have to change my fetchmail and exim config in the foreseeable future. :-)
Re:WebDav
Dom2 on 2003-10-24T12:08:05
With stunnel it's almost trivial to wrap most pop3 / imap services if they don't support ssl natively. NNTP is harder, because it tends to be built in to inn, but I'm sure that it could be done with some jiggery pokery, more stunnel and virtual IP addresses.
-Dom