
Re: Secure Finger Daemon



On Sat, Jan 05, 2002 at 07:09:01PM +0100, eim wrote:

> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.

> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?

http://www.fefe.de/ffingerd/ 

---- cut ----

   1. Does not need to be run as root
   2. Does not support indirect queries
   3. Does not allow global queries ("finger @bighost")
   4. Users can disallow finger queries by creating the file ~/.nofinger
   5. Does not view sensitive information like the home directory or the shell.
   6. Displays .plan, .project and .pubkey (for PGP/GnuPG/PEM public keys)

Please note that ffingerd does not try to limit the number of ffingerd
processes running at the same time. That is the job of inetd. If your
inetd lacks support for this, I recommend xinetd or tcpserver.

---- cut ----

I have been running ffingerd on some boxes where users requested a
finger daemon for about 3 years and did not have any successful
penetration attempts since I installed it.

With best regards

    Hans
-- 
Hans-Joachim Picht, Consultant	<h.picht@lnxce.net> 
Linux Consulting Europe	http://www.lnxce.net
Vogelhecke 2	D - 35447 Reiskirchen	Tel: +491751629201 
Fax: +49640862649	Germany 
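
An added illustration, not part of the original message and not ffingerd's own code: how a finger server can apply restrictions 2 to 4 from the list quoted above to the request line it receives (RFC 1288 syntax). The function names, the `homes` mapping, the sample users and the refusal strings are assumptions made for this example.

```python
import os
import tempfile

def classify_query(line):
    """Return (kind, user) for one finger request line as sent on the wire."""
    tokens = line.decode("ascii", errors="replace").split()
    if tokens and tokens[0].upper() == "/W":    # verbose flag, irrelevant to policy
        tokens = tokens[1:]
    if not tokens:
        return ("global", "")       # "finger @bighost" arrives as an empty line
    if len(tokens) > 1:
        return ("malformed", "")
    if "@" in tokens[0]:
        return ("indirect", "")     # "user@host": asks this server to relay
    return ("user", tokens[0])

def decide(line, homes):
    """Apply the policy; homes maps user name -> home directory (constructed)."""
    kind, user = classify_query(line)
    if kind != "user":
        return "refuse:" + kind
    home = homes.get(user)          # dictionary lookup only, never a path built
    if home is None:                # from the untrusted request text
        return "refuse:unknown"
    if os.path.exists(os.path.join(home, ".nofinger")):
        return "refuse:nofinger"    # the user opted out
    return "answer"

def demo():
    """Run constructed sample requests against two constructed home directories."""
    with tempfile.TemporaryDirectory() as root:
        homes = {}
        for name in ("alice", "bob"):
            homes[name] = os.path.join(root, name)
            os.mkdir(homes[name])
        open(os.path.join(homes["bob"], ".nofinger"), "w").close()
        queries = [b"alice\r\n", b"/W alice\r\n", b"bob\r\n", b"\r\n",
                   b"/W\r\n", b"alice@inner.example\r\n", b"mallory\r\n"]
        return [decide(q, homes) for q in queries]

if __name__ == "__main__":
    for result in demo():
        print(result)
```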


