Re: Secure Finger Daemon
On Sat, Jan 05, 2002 at 07:09:01PM +0100, eim wrote:
> I'm planing to install a secure finger daemon
> on one of the public boxes I admin.
> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?
http://www.fefe.de/ffingerd/
---- cut ----
1. Does not need to be run as root
2. Does not support indirect queries
3. Does not allow global queries ("finger @bighost")
4. Users can disallow finger queries by creating the file ~/.nofinger
5. Does not view sensitive information like the home directory or the shell.
6. Displays .plan, .project and .pubkey (for PGP/GnuPG/PEM public keys)
Please note that ffingerd does not try to limit the number of ffingerd
processes running at the same time. That is the job of inetd. If your
inetd lacks support for this, I recommend xinetd or tcpserver.
---- cut ----
I have been running ffingerd on some boxes where users requested a
finger daemon for about 3 years and did not have any successfully
penetration attemps since I installed it.
With best regards
Hans
--
Hans-Joachim Picht, Consultant <h.picht@lnxce.net>
Linux Consulting Europe http://www.lnxce.net
Vogelhecke 2 D - 35447 Reiskirchen Tel: +491751629201
Fax: +49640862649 Germany
Reply to: