Archive-Date: Thu, 12 Jun 1997 22:43:22 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 12 Jun 1997 15:43:13 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Excellent.
To: PWDCHG@lp.se
Message-ID: <01IJZNWNT1JM0002M1@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Thank you, Richard. Quick work!
================================================================================
Archive-Date: Thu, 12 Jun 1997 22:45:44 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 12 Jun 1997 22:45:41 +0200
Message-ID: <9436-Thu12Jun199722:45:41+0200-levitte@lp.se>
From: Richard Levitte - VMS Whacker <levitte@lp.se>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Excellent.
MIME-Version: 1.0
Content-Type: Text/Plain; Charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
   From: HTTPD@WIND.WINONA.MSUS.EDU
   Thank you, Richard. Quick work!
I aim to help... At least when I've got an interest in it :-).
--
R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
================================================================================
Archive-Date: Fri, 13 Jun 1997 00:01:14 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 12 Jun 1997 18:01:10 EDT
From: reed@forge.iron.net
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Message-ID: <009B5AE3.12A608C4.13@forge.iron.net>
Subject: Suggestions, my inputs
Here are my suggestions.
1) Have one program that takes input, probably from a form.
This input would be username, old password, and new password.
2) This program validates the user first, and only makes the
change if the user validates.
3) Although not required, for simplicity, have the program
be a CGI one, so it can interface directly with the server
and form.
4) As far as security, offhand I don't see any more of an issue
than telnetting in and changing it. If you get SSL going,
then that will be a plus, and shouldn't affect the program.
5) The program should be such that auditing/breakin is used.
I have a program (from Arne I believe) that changes the password.
I also should have a function, or most of it, that will validate
a password. I just haven't put them together, and I'm not all
that familiar with UAF calls, and hashing.
-------------
Brian D. Reed
reed@iron.net
================================================================================
Archive-Date: Fri, 13 Jun 1997 01:42:26 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 12 Jun 1997 18:42:19 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IJZTYUQ9YQ0002NL@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
reed@forge.iron.net said:
> Here are my suggestions.
> [snip good stuff]
> I have a program (from Arne I believe) that changes the password.
> I also should have a function, or most of it, that will validate
> a password. I just haven't put them together, and I'm not all
> that familiar with UAF calls, and hashing.
It's beyond me as well, but I have an excellent chunk of
relevant uaf validation written for us for our TACACS server
by Aaron Leonard, of TGV. (We paid for it, was later released as
freeware by TGV.) It's C code. Does anyone want to
use it as a base for our project?
================================================================================
Archive-Date: Fri, 13 Jun 1997 03:42:57 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 13 Jun 1997 03:42:54 +0200
Message-ID: <2845-Fri13Jun199703:42:54+0200-levitte@lp.se>
From: Richard Levitte - VMS Whacker <levitte@lp.se>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
MIME-Version: 1.0
Content-Type: Text/Plain; Charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
   From: HTTPD@WIND.WINONA.MSUS.EDU
   It's beyond me as well, but I have an excellent chunk of
   relevant uaf validation written for us for our TACACS server
   by Aaron Leonard, of TGV. (We paid for it, was later released as
   freeware by TGV.) It's C code. Does anyone want to
   use it as a base for our project?
I'm ready to offer some space on my FTP server for code like that.
I must say I'm a little confused, because as someone else said, this
thing isn't that hard to do. It just takes a CGI program. The program
has to be installed with privs, and thus has to be very secure or we
could all have problems with our users, but that's pretty simple to
handle.
Now, the message that started this all talked about encryption and extra
programs, and a lot of people were interested in that. I've mailed to
him and invited him explicitly to join this list, but he hasn't
responded to me, nor has he subscribed yet... His solution seems more
secure, and more complicated in a way. I for one would like to know more
about his scheme. On the other hand, SSL solves a lot in this area...
--
R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
================================================================================
Archive-Date: Fri, 13 Jun 1997 15:21:55 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 13 Jun 1997 08:21:47 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK0MK78G0I0002SA@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
>I must say I'm a little confused, because as someone else said, this
>thing isn't that hard to do. It just takes a CGI program. The program
>has to be installed with privs, and thus has to be very secure or we
>could all have problems with our users, but that's pretty simple to
>handle.
Well, it is difficult enough to do _properly_ that even
Aaron had several goes at it over the years he was
writing TACACS validation. I'll put his code on our
anonymous ftp server:
ftp: vax2.winona.msus.edu
user: anonymous
look in the [.vms.tacacs] directory.
================================================================================
Archive-Date: Fri, 13 Jun 1997 16:02:33 +0200
Sender: <owner-PWDCHG@lp.se>
From: thomasgd@omc.bt.co.uk (Greg Thomas)
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
Date: Fri, 13 Jun 1997 14:02:16 GMT
Message-ID: <33a651e6.74310422@www.omc.bt.co.uk>
References: <01IK0MK78G0I0002SA@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
On Fri, 13 Jun 1997 08:21:47 -0500 (CDT), you wrote:
>I must say I'm a little confused, because as someone else said, this
>thing isn't that hard to do. It just takes a CGI program. The program
>has to be installed with privs,
Not necessarily. It's easy to validate a password without priv's - I
do so with a hack of the CEL_AUTHENTICATOR. Use
fopen() on a file along the lines of
0"<username> <password>"::DEVICE:[DIR]PUBLIC_FILE.DAT
So long as the user has DECnet access, you are OK. Of course, once
you've got the password, you can change it to the new one.
Greg
================================================================================
Archive-Date: Fri, 13 Jun 1997 16:13:38 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 13 Jun 1997 16:13:35 +0200
Message-ID: <9790-Fri13Jun199716:13:35+0200-levitte@lp.se>
From: Richard Levitte - VMS Whacker <levitte@lp.se>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
MIME-Version: 1.0
Content-Type: Text/Plain; Charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
   From: thomasgd@omc.bt.co.uk (Greg Thomas)
   Not necessarily. It's easy to validate a password without priv's - I
   do so with a hack of the CEL_AUTHENTICATOR.
Ahem, CEL_AUTHENTICATOR is usually installed with SYSPRV. It won't work
on rules that require $GETUAI otherwise...
   Use fopen() on a file along the lines of
   0"<username> <password>"::DEVICE:[DIR]PUBLIC_FILE.DAT
   So long as the user has DECnet access, you are OK. Of course, once
   you've got the password, you can change it to the new one.
I'm not quite following...
--
R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
================================================================================
Archive-Date: Fri, 13 Jun 1997 17:51:29 +0200
Sender: <owner-PWDCHG@lp.se>
From: thomasgd@omc.bt.co.uk (Greg Thomas)
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
Date: Fri, 13 Jun 1997 15:51:16 GMT
Message-ID: <33a85bd3.76851606@www.omc.bt.co.uk>
References: <9790-Fri13Jun199716:13:35+0200-levitte@lp.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
On Fri, 13 Jun 1997 16:13:35 +0200, you wrote:
> From: thomasgd@omc.bt.co.uk (Greg Thomas)
>
> Not necessarily. It's easy to validate a password without priv's - I
> do so with a hack of the CEL_AUTHENTICATOR.
>
>Ahem, CEL_AUTHENTICATOR is usually installed with SYSPRV. It won't work
>on rules that require $GETUAI otherwise...
I did say a 'hack' of the CEL_AUTHENTICATOR. I wasn't allowed to
install it with SYSPRV (or couldn't be bothered with the hassle of
getting permission of it).
> Use fopen() on a file along the lines of
> 0"<username> <password>"::DEVICE:[DIR]PUBLIC_FILE.DAT
>
>I'm not quite following...
CEL_AUTHENTICATOR gets the username and password from the user via his
browser. The original verified it using $GETUAI, but I couldn't (see
above). Therefore I find out if the username/password combination is
correct by doing an fopen() on the above file, using the supplied
username and password. The file has public read access. If the fopen()
works, close the file, and signal correct password. If it failed,
signal wrong password.
Advantages:
No special priv's required
Raises and is affected by suspect/intruder alarms *unlike*
CEL_AUTHENTICATOR
Disadvantages:
Users must have DECnet access
It's slower. It'd be useless with many protected pages unless
CEL_AUTHENTICATOR used password caching.
Greg
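Greg's fopen() check above, sketched in C as an added example (not code from the thread or from CEL_AUTHENTICATOR). The function names, the length limits and the allowed character set are assumptions; the fopen() can only succeed on a VMS system with DECnet, elsewhere it reports "not validated".

```c
#include <stdio.h>
#include <string.h>

/* Placeholder file spec exactly as written in the post. */
#define PROBE_FILE "DEVICE:[DIR]PUBLIC_FILE.DAT"

/* Assumed limits for this sketch, not taken from the thread. */
#define MAX_USER 12
#define MAX_PASS 32
#define SPEC_MAX (4 + MAX_USER + 1 + MAX_PASS + sizeof(PROBE_FILE) + 4)

enum probe_result { PROBE_OK, PROBE_DENIED, PROBE_BAD_INPUT };

/* Allow only A-Z, a-z, 0-9, '$' and '_' (an assumed character set).
 * Anything else, above all '"', space or ':', could end the quoted
 * access-control string early and change which node or file is opened. */
static int field_is_safe(const char *s, size_t max_len)
{
    size_t i, n;

    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '$' || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* Build 0"<username> <password>"::DEVICE:[DIR]PUBLIC_FILE.DAT.
 * Returns 0 on success, -1 if a field is rejected or the buffer is small. */
int build_probe_spec(char *out, size_t out_len,
                     const char *user, const char *pass)
{
    int n;

    if (!field_is_safe(user, MAX_USER) || !field_is_safe(pass, MAX_PASS))
        return -1;
    n = snprintf(out, out_len, "0\"%s %s\"::%s", user, pass, PROBE_FILE);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Overwrite a buffer that held the password; volatile keeps the stores. */
static void wipe(void *p, size_t len)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (len--) *v++ = 0;
}

/* Validate by trying to open the public file over DECnet as that user.
 * A failed open also covers "no DECnet access", so PROBE_DENIED means
 * "not validated", not specifically "wrong password". */
enum probe_result check_password(const char *user, const char *pass)
{
    char spec[SPEC_MAX];
    enum probe_result result = PROBE_BAD_INPUT;
    FILE *fp;

    if (build_probe_spec(spec, sizeof spec, user, pass) == 0) {
        result = PROBE_DENIED;
        fp = fopen(spec, "r");
        if (fp != NULL) {
            fclose(fp);
            result = PROBE_OK;
        }
    }
    wipe(spec, sizeof spec);   /* the spec contained the clear-text password */
    return result;
}

int main(void)
{
    /* Constructed sample credentials. */
    enum probe_result r = check_password("SMITH", "Example_Pw1");
    printf("%s\n", r == PROBE_OK ? "validated" : "not validated");
    return r == PROBE_OK ? 0 : 1;
}
```

Rejecting unexpected characters before the string is built matters here because the username and password come straight from the browser and end up inside a quoted file specification.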
================================================================================
Archive-Date: Fri, 13 Jun 1997 22:55:18 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 13 Jun 1997 14:59:44 -0500
From: David Bratton <SAPSADEB@UHSFIN.UHSA.UH.EDU>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Message-ID: <970613145944.684@UHSFIN.UHSA.UH.EDU>
Subject: Re: Suggestions, my inputs
>CEL_AUTHENTICATOR gets the username and password from the user via his
>browser. The original verified it using $GETUAI, but I couldn't (see
>above). Therefore I find out if the username/password combination is
>correct by doing an fopen() on the above file, using the supplied
>username and password. The file has public read access. If the fopen()
>works, close the file, and signal correct password. If it failed,
>signal wrong password.
>
>Advantages:
>No special priv's required
>Raises and is affected by suspect/intruder alarms *unlike*
>CEL_AUTHENTICATOR
>
>Disadvantages:
>Users must have DECnet access
>It's slower. It'd be useless with many protected pages unless
>CEL_AUTHENTICATOR used password caching.
>
It will also increment the failed login attempt counter. CEL doesn't.
(At least in v1.9 it didn't)
______________________________________________________________________________
David Bratton
University of Houston System THE BILL OF RIGHTS
DBratton@uh.edu ...void where prohibited by law
================================================================================
Archive-Date: Mon, 16 Jun 1997 10:12:21 +0200
Sender: <owner-PWDCHG@lp.se>
From: thomasgd@omc.bt.co.uk (Greg Thomas)
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
Date: Mon, 16 Jun 1997 08:12:03 GMT
Message-ID: <33a5f52f.228978093@www.omc.bt.co.uk>
References: <970613145944.684@UHSFIN.UHSA.UH.EDU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
On Fri, 13 Jun 1997 14:59:44 -0500, you wrote:
>>Advantages:
>>No special priv's required
>>Raises and is affected by suspect/intruder alarms *unlike*
>>CEL_AUTHENTICATOR
>>
>>Disadvantages:
>>Users must have DECnet access
>>It's slower. It'd be useless with many protected pages unless
>>CEL_AUTHENTICATOR used password caching.
>>
>
>It will also increment the failed login attempt counter. CEL doesn't.
>(At least in v1.9 it didn't)
Err, see my second advantage!
Greg
================================================================================
Archive-Date: Wed, 18 Jun 1997 20:24:31 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Wed, 18 Jun 1997 13:24:14 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK7WQLXUEA00042Y@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Has anyone come up with a web-based vms password changer?
I have, but it is very simple and could be embellished.
Basically, it uses RSHELL to reach the user's VMS system
and invoke a password change procedure. I'm adding
a tiny bit of "almost adequate privacy" :) to the
code tomorrow. If it looks pretty good, I'll pass
it along if you would be so kind as to pretty it up.
Still interested in your code and ideas...
================================================================================
Archive-Date: Thu, 19 Jun 1997 01:44:06 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 01:44:00 +0200
Message-ID: <8113-Thu19Jun199701:44:00+0200-levitte@lp.se>
From: Richard Levitte - VMS Whacker <levitte@lp.se>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
MIME-Version: 1.0
Content-Type: Text/Plain; Charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
   From: HTTPD@WIND.WINONA.MSUS.EDU
   Basically, it uses RSHELL to reach the user's VMS system
   and invoke a password change procedure. I'm adding
   a tiny bit of "almost adequate privacy" :) to the
Does that mean encryption, so I don't have to shout my password in the
net? That's probably the biggest problem at hand, 'til I've finished the
SSH server.
--
R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
================================================================================
Archive-Date: Thu, 19 Jun 1997 15:04:43 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 09:04:27 -0400 (EDT)
From: Gandalf the Grey <SYSBRC@cnsvax.albany.edu>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK91CBR1LU99FAY9@cnsvax.albany.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Admittedly I have not read the documents on secure forms and commerce
ready servers/browsers ... this issue is still a bit of a mystery to me.
Assuming that an encrypted password (rather than a clear text password)
is being transferred from client to server, what prevents someone from
(snooping the net and) decrypting the password? [Since password may be
being set for multiple platforms I had the impression that you were not
encrypting the password on the client and storing the (already) encrypted
password directly in the various hosts authorization files (which would
require a client encryption of the password once for each end host where
the password was being updated or an account created).]
Is there a version of PGP that is runnable by Java or some other client
based utility? Then all encryptions (for any given server) could be
performed fairly safely on the clients given only a single public key
that could be passed with or written into the applet.
[I know - a little stupid - I do really need to read up on the WEB security
RFCs]
From: R Levitte,
>Does that mean encryption, so I don't have to shout my password in the
>net? That's probably the biggest problem at hand, 'til I've finished the
>SSH server.
> From: HTTPD@WIND.WINONA.MSUS.EDU
>
> Basically, it uses RSHELL to reach the user's VMS system
> and invoke a password change procedure. I'm adding
> a tiny bit of "almost adequate privacy" :) to the
*===========================================================================*
| Brian R Cuttler | phone 518-442-3906 fax 518-442-3697 |
| VMS System Manager | email sysbrc@cnsvax.albany.edu |
| State Univ of NY at Albany | url http://www.albany.edu/~sysbrc |
*===========================================================================*
================================================================================
Archive-Date: Thu, 19 Jun 1997 15:13:52 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 15:13:19 +0200
Message-ID: <6658-Thu19Jun199715:13:19+0200-levitte@lp.se>
From: Richard Levitte - VMS Whacker <levitte@lp.se>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
MIME-Version: 1.0
Content-Type: Text/Plain; Charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
   From: Gandalf the Grey <SYSBRC@cnsvax.albany.edu>
   Assuming that an encrypted password (rather than a clear text password)
   is being transferred from client to server, what prevents someone from
   (snooping the net and) decrypting the password? [Since password may be
You do as systems like SSH and Kerberos do. You set up an encrypted
channel, using a randomly generated session key. There's no way someone
will crack such a channel in the short time it takes to pass a password
through it.
PGP is also a solution. Some friends of mine have given me accounts on
their machines, transferring the password with PGP... It does work.
The optimal thing is to really use SSH or Kerberos. I'm working on both
(it goes a little slowly, but forward).
--
R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
================================================================================
Archive-Date: Thu, 19 Jun 1997 17:13:50 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 10:13:29 -0400 (EDT)
From: Robert Byer <byer@mail.all-net.net>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <009B6021.E5C48300.168@mail.all-net.net>
Content-Transfer-Encoding: 7BIT
-----BEGIN PGP SIGNED MESSAGE-----
As I recall I believe that there is a piece of Java code called "LivePGP"
that allows one to do PGP encoding of various things using java.
I haven't messed with it, just remember seeing it mentioned in the pgp
news groups. I'll see if I have a copy around somewhere but I believe it
is available on the net.
My suggestions for transferring a secure password would be to use SSL or
the SSLeay compiled into OSU as one, you wouldn't need an extra module
for the encryption of the password as it travels across the wide expanse of
the internet and two just about most WEB browsers support SSL in some form
or another.
+------------------------+--------------------------------------------+
| Robert Alan Byer | A-Com Computing, Inc. |
| Vice-President | 115 W. Washington Street, Suite 1165 |
| A-Com Computing, Inc. | Indianapolis, IN 46204 |
| Phone: (317)673-4204 | http://www.all-net.net/ |
+------------------------+-----+--------------------------------------+
| byer@mail.all-net.net | I don't want to take over the world, |
| http://www.all-net.net/~byer | just my own little part of it. |
+------------------------------+--------------------------------------+
| Send an E-mail request to obtain my PGP key. |
+---------------------------------------------------------------------+
================================================================================
Archive-Date: Thu, 19 Jun 1997 17:32:30 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 11:18:21 -0400 (EDT)
From: Gandalf the Grey <SYSBRC@cnsvax.albany.edu>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK96IU5BF699FAY9@cnsvax.albany.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
>Date: Thu, 19 Jun 1997 15:13:19 +0200
>From: Richard Levitte - VMS Whacker <levitte@lp.se>
>Subject: Re: Suggestions, my inputs
>
> From: Gandalf the Grey <SYSBRC@cnsvax.albany.edu>
>
> Assuming that an encrypted password (rather than a clear text password)
> is being transferred from client to server, what prevents someone from
> (snooping the net and) decrypting the password? [Since password may be
>
>You do as systems like SSH and Kerberos do. You set up an encrypted
>channel, using a randomly generated session key. There's no way someone
>will crack such a channel in the short time it takes to pass a password
>through it.
>
>PGP is also a solution. Some friends of mine have given me accounts on
>their machines, transferring the password with PGP... It does work.
>
>The optimal thing is to really use SSH or Kerberos. I'm working on both
>(it goes a little slowly, but forward).
>
>--
>R Levitte, Levitte Programming; Spannv. 38, I; S-161 43 Bromma; SWEDEN
> Tel: +46-8-26 52 47; Cel: +46-10-222 64 05; No fax right now
> PGP key fingerprint = A6 96 C0 34 3A 96 AA 6C B0 D5 9A DF D2 E9 9C 65
> Check http://www.lp.se/~levitte for my public key. bastard@bofh.se
SSH sounds like a possible solution then - providing that passwords are
changed after they are (re)set (the thought being that if you have an
encrypted password you can always crack it later - you don't need to crack
it now as you are not trying to steal or spy on a session).
Of course since passwords tend to travel unencrypted over the internet
anyway it may not make all that much difference - depending on your
environment and required security level (the thing that gets me is
credit card numbers - they are usually good for many years, lots of
time for someone to crack an item with an encrypted credit card number,
but beyond the scope of this forum and I do not mean to side track it).
*===========================================================================*
| Brian R Cuttler | phone 518-442-3906 fax 518-442-3697 |
| VMS System Manager | email sysbrc@cnsvax.albany.edu |
| State Univ of NY at Albany | url http://www.albany.edu/~sysbrc |
*===========================================================================*
================================================================================
Archive-Date: Thu, 19 Jun 1997 18:05:34 +0200
Sender: <owner-PWDCHG@lp.se>
From: J Harper <jharper@wsipc.wednet.edu>
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
Date: Thu, 19 Jun 1997 09:05:00 -0700
MIME-Version: 1.0
Content-Type: text/plain
> From: Robert Byer
> To: PWDCHG@lp.se
> Subject: Re: Suggestions, my inputs
> Date: Thursday, June 19, 1997 7:13AM
>
> As I recall I believe that there is a piece of Java code called "LivePGP"
> that allows one to do PGP encoding of various things using java.
> I haven't messed with it, just remember seeing it mentioned in the pgp
> news groups. I'll see if I have a copy around somewhere but I believe it
> is available on the net.
Sun has something called the Java Cryptography Extension under
"Downloads" on www.javasoft.com. I took a look at the API and it looks
like it may be useful and not too complicated. Been a while since I
programmed in Java. Seems like we would have to have Server side Java
to generate the public and private keys though, but this is supposed to
come for VMS soon.
> My suggestions for transferring a secure password would be to use SSL or
> the SSLeay compiled into OSU as one, you wouldn't need an extra module
> for the encryption of the password as it travels across the wide expanse of
> the internet and two just about most WEB browsers support SSL in some form
> or another.
Good point. It would avoid the download of an applet, etc. But doesn't
using SSL require paying for a certificate, etc? We have 20+ web
servers and that may get expensive...
J Harper
Washington School Information Processing Coop.
jharper@wsipc.wednet.edu
================================================================================
Archive-Date: Thu, 19 Jun 1997 19:20:12 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 12:19:07 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK98TEQH3M0004EI@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
>Does that mean encryption, so I don't have to shout my password in the
>net? That's probably the biggest problem at hand, 'til I've finished the
>SSH server.
Yes. I've named it PLE, or Pretty Lousy Encryption.
Security through obscurity. I'm not happy with
it, but it will have to do.
================================================================================
Archive-Date: Thu, 19 Jun 1997 19:21:56 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 12:21:37 -0500 (CDT)
From: HTTPD@WIND.WINONA.MSUS.EDU
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IK98UVBURC0004EI@WIND.WINONA.MSUS.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
>Assuming that an encrypted password (rather than a clear text password)
>is being transferred from client to server, what prevents someone from
>(snooping the net and) decrypting the password?
The only thing that prevents them, assuming they can tell
it is a username/password (and that's quite difficult) is the
strength of the encryption.
================================================================================
Archive-Date: Thu, 19 Jun 1997 20:04:11 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 14:02:40 -0500 (EST)
From: "Jeffrey M. Hatala" <HATALA_J@sunybroome.edu>
Reply-To: PWDCHG@lp.se
Subject: Have I missed something?
To: PWDCHG@lp.se
Message-ID: <01IK9B7CZZXK8Y5532@sunybroome.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT
Hello Everyone,
One of the first posts that made me excited was Jo's reply to
Brunetta's request. Alan followed with a "thumbs up" to the whole idea and
questioned further....(those are the three posts below)
.... Then a ton of posts back and forth and the interested parties ended
up here. The last thing I knew, Jo was headed to DevCon and nobody could make
to further discuss their procedures. The fact that Jo is on a .gov
account, and I have no problem with that, but I do feel there may be a
sensitivity/security issue here, in regards to what they can give out.
It seems to me that Jo's system is already passing pwds from Win95 to
NT, VMS, and unix while using a http interface. This sounds good to me!
Can we build onto this model instead of starting from scratch?
Am I missing some here... I need some more java, AHHHH I mean hot chocolate:)
Can we go back to Alan's post and have Jo answer his questions and maybe
catapult this project into a quick beta program?
Best regards to everyone,
Jeff
*********************************************************
>From: Brunetta@CC.Uniud.It[SMTP:Brunetta@CC.Uniud.It]
>Sent: Monday, June 09, 1997 1:04 AM
>
>I would like to set up a script to let my system's users change their
>password from an html form. Many of them are not so expert in using computers
>to do a simple telnet connection and to use the "set password" command.
>
>Of course I'm very worried about security. So I wonder if someone has already
>written something very secure to manage this. Just to avoid reinventing
>the wheel.
>
>Thanks in advance for any help.
>
>
>From: "Jo, Clifford" <jo_cl@leg.wa.gov>
>
>We spent a lot of time working on a method that sets passwords via the
>HTTP server. We developed encrypting software on the PC that is
>integrated with the Win95 password system so that it syncs passwords
>with the Win95, the NT domain, the VAX (via HTTP Server), and our Unix
>database server. The decrypting algorithm was written in C on the VAX
>and Unix systems that interface with the password setting commands on
>those respective systems. We spent months testing the whole system and
>have thus implemented it full scale in our enterprise. Testing was
>definitely the most crucial and time consuming part of the project. We
>convinced our system manager and also our users that the system is about
>as secure as the way we had been doing it before. In the end, the users
>only have to change their password in one location.
<
<From: -- Alan
<Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU
<
<Is there any chance of this stuff being made available in the public domain?
<It sounds as though it could be enormously useful, and it's obviously a
<very big job to try to do ourselves.
<
<[The original poster just wanted to do VMS passwords, I think, but something
<that synchs Unix, Windows, and VMS passwords would be pretty durn useful.]
<
<Will it break with each new Windows release? Samba authentication apparently
<has problems with that.
<
Jeffrey M. Hatala, Broome Community College - Systems Analyst - C.R.
Upper Front Street | Binghamton, NY, USA 13905
Internet: HATALA_J@mail.sunybroome.edu | SUNYnet: sbccab::hatala_j
VOICE: 607-778-5011 | FAX: 607-778-5119
================================================================================
Archive-Date: Thu, 19 Jun 1997 20:25:14 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 13:23:58 -0400 (EDT)
From: Robert Byer <byer@mail.all-net.net>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <009B603C.823EA700.123@mail.all-net.net>
Content-Transfer-Encoding: 7BIT
-----BEGIN PGP SIGNED MESSAGE-----
>
>> My suggestions for transferring a secure password would be to use SSL or
>> the SSLeay compiled into OSU as one, you wouldn't need any extra module
>> for the encryption of the password as it travels across the wide expanse of
>> the internet and two just about most WEB browsers support SSL in some form
>> or another.
>
>Good point. It would avoid the download of an applet, etc. But doesn't
>using SSL require paying for a certificate, etc? We have 20+ web
>servers and that may get expensive...
>
Not really. SSLeay has utilities for creating your own certificate, the
only drawback is that when you go to access a secure page with your
own signed certificate, Netscape will ask you about downloading the
certificate and if you trust it as it wasn't signed by VeriSign or one
of the others.

I do remember seeing a Java program to generate and sign your own SSL
certificates on the net and I think I still have a copy somewhere. It
worked pretty well.

If you can live with NOT having a VeriSign signed SSL certificate like
we do, SSLeay is the way to go as you can set up an SSL server without
having to pay one dime.
+------------------------+--------------------------------------------+
| Robert Alan Byer | A-Com Computing, Inc. |
| Vice-President | 115 W. Washington Street, Suite 1165 |
| A-Com Computing, Inc. | Indianapolis, IN 46204 |
| Phone: (317)673-4204 | http://www.all-net.net/ |
+------------------------+-----+--------------------------------------+
| byer@mail.all-net.net | I don't want to take over the world, |
| http://www.all-net.net/~byer | just my own little part of it. |
+------------------------------+--------------------------------------+
| Send an E-mail request to obtain my PGP key. |
+---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
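The self-signed approach discussed above, extended to the "20+ web servers" case, as an added example that is not part of the original posts: one private CA signs a certificate per server, so users import a single CA certificate instead of answering a trust prompt for every host. It assumes a current `openssl` command line (the descendant of SSLeay); the host names and file names are constructed.

```shell
#!/bin/sh
# Added example: one private CA signs certificates for many web servers.
# Host names and file names are constructed for the demonstration.

make_ca() {                       # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {                    # $1 = working directory, $2 = host name
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$2" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# A client that has imported ca.crt accepts every certificate the CA issued.
client_with_ca_accepts() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# A client with no trust anchor for the CA rejects it (the browser prompt).
client_without_ca_accepts() {
    openssl verify -no-CAfile -no-CApath "$1/$2.crt" >/dev/null 2>&1
}

# Fingerprint to publish out of band so users can check what they import.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

work=$(mktemp -d)
make_ca "$work"
for host in www1.example.test www2.example.test; do
    issue_cert "$work" "$host"
    client_with_ca_accepts "$work" "$host" && echo "$host: accepted with CA imported"
    client_without_ca_accepts "$work" "$host" || echo "$host: rejected without CA"
done
echo "CA SHA-256 fingerprint: $(ca_fingerprint "$work")"
```

The CA private key (`ca.key`) is the one file that has to stay off the web servers; each server only needs its own key and certificate.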
================================================================================
Archive-Date: Thu, 19 Jun 1997 22:21:57 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Thu, 19 Jun 1997 13:19:26 -0700
From: "Jo, Clifford" <jo_cl@leg.wa.gov>
Reply-To: PWDCHG@lp.se
Subject: RE: Have I missed something?
To: "'PWDCHG@lp.se'" <PWDCHG@lp.se>
Message-ID: <c=US%a=_%p=WA.GOV%l=LEGMAILA-970619201926Z-32687@legmail.leg.wa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sorry to all that I haven't responded; I got back from DevCon and have
been spending a lot of time catching up. In order to protect the
security and integrity of the system, I can't reveal much let alone show
the code for the various aspects of the system. I can say that it isn't
rocket science but it will require some time to put together the various
components to create a cohesive authenticating system: we have concluded
that there is no quick fix or magic bullet for security-based systems.
We aren't entirely pleased with the system since it could be construed
to be a hodge-podge of a variety of tools but from the end user's point
of view it works.
The key is either finding or developing encryption and decryption
software. The encryption software resides on the PC and is integrated
into the Windows Password tool as a .DLL. The decryption software
resides on VMS/UNIX and can be called from the HTTP server. A key must
be compatible between the PC and the host systems. You should be able
to find/build encrypt/decrypt software from various works that are
published in the ACM. I have also seen such code in graduate college
text books. You should be able to find a few on the Web as well. In
any event, make sure that you have the source code and that the programs
absolutely rely on a user-specified key that isn't sent along with the
data down the pipe. The disclaimer is, of course, that nothing is
secure and that security is a matter of mindset: to what extent are you and
your organization comfortable with?
>----------
>From: Jeffrey M. Hatala[SMTP:HATALA_J@sunybroome.edu]
>Sent: Thursday, June 19, 1997 12:02 PM
>To: PWDCHG@lp.se
>Subject: Have I missed something?
>
>Hello Everyone,
> One of the first posts that made me excited was Jo's reply to
>Brunetta's request. Alan followed with a "thumbs up" to the whole idea and
>questioned further....(those are the three posts below)
>.... Then a ton of posts back and forth and the interested parties ended
>up here. The last thing I knew, Jo was headed to DevCon and nobody could
>make
>to further discuss their procedures. The fact that Jo is on a .gov
>account, and I have no problem with that, but I do feel there may be a
>sensitivity/security issue here, in regards to what they can give out.
>
>It seems to me that Jo's system is already passing pwds from Win95 to
>NT, VMS, and unix while using a http interface. This sounds good to me!
>Can we build onto this model instead of starting from scratch?
>
>Am I missing something here... I need some more java, AHHHH I mean hot chocolate:)
>Can we go back to Alan's post and have Jo answer his questions and maybe
>catapult this project into a quick beta program?
>Best regards to everyone,
>Jeff
>
>*********************************************************
>>From: Brunetta@CC.Uniud.It[SMTP:Brunetta@CC.Uniud.It]
>>Sent: Monday, June 09, 1997 1:04 AM
>>
>>I would like to set up a script to let my system's users change their
>>password from an html form. Many of them are not so expert in using computers
>>as to do a simple telnet connection and to use the "set password" command.
>>
>>Of course I'm very worried about security. So I wonder if someone has already
>>written something very secure to manage this. Just to avoid reinventing
>>the wheel.
>>
>>Thanks in advance for any help.
>>
>>
>>From: "Jo, Clifford" <jo_cl@leg.wa.gov>
>>
>>We spent a lot of time working on a method that sets passwords via the
>>HTTP server. We developed encrypting software on the PC that is
>>integrated with the Win95 password system so that it syncs passwords
>>with the Win95, the NT domain, the VAX (via HTTP Server), and our Unix
>>database server. The decrypting algorithm was written in C on the VAX
>>and Unix systems that interface with the password setting commands on
>>those respective systems. We spent months testing the whole system and
>>have thus implemented it full scale in our enterprise. Testing was
>>definitely the most crucial and time consuming part of the project. We
>>convinced our system manager and also our users that the system is about
>>as secure as the way we had been doing it before. In the end, the users
>>only have to change their password in one location.
><
><From: -- Alan
><Alan Winston --- WINSTON@SSRL.SLAC.STANFORD.EDU
><
><Is there any chance of this stuff being made available in the public domain?
><It sounds as though it could be enormously useful, and it's obviously a
><very big job to try to do ourselves.
><
><[The original poster just wanted to do VMS passwords, I think, but something
><that synchs Unix, Windows, and VMS passwords would be pretty durn useful.]
><
><Will it break with each new Windows release? Samba authentication apparently
><has problems with that.
><
>
>Jeffrey M. Hatala, Broome Community College - Systems Analyst - C.R.
> Upper Front Street | Binghamton, NY, USA 13905
>Internet: HATALA_J@mail.sunybroome.edu | SUNYnet: sbccab::hatala_j
>VOICE: 607-778-5011 | FAX: 607-778-5119
>
================================================================================
Archive-Date: Fri, 20 Jun 1997 08:36:20 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 20 Jun 1997 08:36:10 +0200
Message-ID: <97062008361022@bfkvax.fm.bs.dlr.de>
From: fk64@bfkvax.fm.bs.dlr.de
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
> >> My suggestions for transferring a secure password would be to use SSL or
> >> the SSLeay compiled into OSU as one, you wouldn't need any extra module
> >> for the encryption of the password as it travels across the wide expanse of
> >> the internet and two just about most WEB browsers support SSL in some form
> >> or another.
> >
> >Good point. It would avoid the download of an applet, etc. But doesn't
> >using SSL require paying for a certificate, etc? We have 20+ web
> >servers and that may get expensive...
> >
>
> Not really. SSLeay has utilities for creating your own certificate, the
> only drawback is that when you go to access a secure page with your
> own signed certificate, Netscape will ask you about downloading the
> certificate and if you trust it as it wasn't signed by VeriSign or one
> of the others.
>
> I do remember seeing a Java program to generate and sign your own SSL
> certificates on the net and I think I still have a copy somewhere. It
> worked pretty well.
>
> If you can live with NOT having a VeriSign signed SSL certificate like
> we do, SSLeay is the way to go as you can set up an SSL server without
> having to pay one dime.
I could live very easily without a VeriSign signed certificate.
Do the OpenVMS version of the Mosaic browser and the text mode browser Lynx
support SSL?
---------------------------------------------------------------------------
Michael Zoellner
German Aerospace Research Establishment (DLR)
Institute of Flight Mechanics Tel. (+49) 531 / 295-2686
Postoffice Box 3267 Fax (+49) 531 / 295-2647
D-38022 Braunschweig eMail Michael.Zoellner@dlr.de
Germany
================================================================================
Archive-Date: Fri, 20 Jun 1997 23:49:40 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 20 Jun 1997 13:43:51 -0400 (EDT)
From: Gandalf the Grey <SYSBRC@cnsvax.albany.edu>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <01IKAQ2F6G8I99FMG8@cnsvax.albany.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
>From: IN%"PWDCHG@lp.se" 19-JUN-1997 12:23:28.73
>To: IN%"PWDCHG@lp.se"
>CC:
>Subj: RE: Suggestions, my inputs
>
>Date: Thu, 19 Jun 1997 09:05:00 -0700
>From: J Harper <jharper@wsipc.wednet.edu>
>Subject: Re: Suggestions, my inputs
>X-Listname: A list to discuss password changing features through OSU httpd
> <PWDCHG@lp.se>
>
>> From: Robert Byer
>> To: PWDCHG@lp.se
>> Subject: Re: Suggestions, my inputs
>> Date: Thursday, June 19, 1997 7:13AM
>>
>> As I recall I believe that there is a piece of Java code called "LivePGP"
>> that allows one to do PGP encoding of various things using java.
>> I haven't messed with it, just remember seeing it mentioned in the pgp
>> news groups. I'll see if I have a copy around somewhere but I believe it
>> is available on the net.
>
>Sun has something called the Java Cryptography Extension under
>"Downloads" on www.javasoft.com. I took a look at the API and it looks
>like it may be useful and not too complicated. Been a while since I
>programmed in Java. Seems like we would have to have Server side Java
>to generate the public and private keys though, but this is supposed to
>come for VMS soon.
>
>> My suggestions for transferring a secure password would be to use SSL or
>> the SSLeay compiled into OSU as one, you wouldn't need any extra module
>> for the encryption of the password as it travels across the wide expanse of
>> the internet and two just about most WEB browsers support SSL in some form
>> or another.
>
>Good point. It would avoid the download of an applet, etc. But doesn't
>using SSL require paying for a certificate, etc? We have 20+ web
>servers and that may get expensive...
>
> J Harper
> Washington School Information Processing Coop.
> jharper@wsipc.wednet.edu
FYI: PGP runs under VMS now, and I don't really think there would be a
need to generate "new" keys. One pair should be enough as you can
use the same public key for all password requests.
*===========================================================================*
| Brian R Cuttler | phone 518-442-3906 fax 518-442-3697 |
| VMS System Manager | email sysbrc@cnsvax.albany.edu |
| State Univ of NY at Albany | url http://www.albany.edu/~sysbrc |
*===========================================================================*
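The point made above about one key pair serving every password request, as an added example that is not part of the original posts: the server generates the pair once, every client encrypts with the same public key, and only the server can decrypt. `openssl` RSA-OAEP stands in for PGP here; the payload format, user names and passwords are constructed.

```shell
#!/bin/sh
# Added example: one server key pair, reused for every password request.
# openssl RSA-OAEP stands in for PGP here; names and payloads are constructed.

make_server_keys() {              # $1 = directory; run once on the server
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key" 2>/dev/null || return 1
    chmod 600 "$1/server.key"     # private key never leaves the server
    openssl pkey -in "$1/server.key" -pubout -out "$1/server.pub"
}

# Client side: needs only server.pub. $2 = payload, $3 = output file.
encrypt_request() {
    printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$3"
}

# Server side: recover the payload with the private key. $2 = ciphertext file.
decrypt_request() {
    openssl pkeyutl -decrypt -inkey "$1/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$2"
}

keys=$(mktemp -d)
make_server_keys "$keys"
encrypt_request "$keys" 'user=alice;new=Constructed-Pw-1' "$keys/req1.bin"
encrypt_request "$keys" 'user=bob;new=Constructed-Pw-2'   "$keys/req2.bin"
encrypt_request "$keys" 'user=alice;new=Constructed-Pw-1' "$keys/req3.bin"
decrypt_request "$keys" "$keys/req1.bin"; echo
decrypt_request "$keys" "$keys/req2.bin"; echo
# OAEP is randomized: identical requests give different ciphertexts.
cmp -s "$keys/req1.bin" "$keys/req3.bin" || echo "req1 and req3 differ on the wire"
```

Encryption alone does not stop a captured request from being resent later, so a real request format would also carry a freshness value that the server checks.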
================================================================================
Archive-Date: Sat, 21 Jun 1997 02:24:23 +0200
Sender: <owner-PWDCHG@lp.se>
Date: Fri, 20 Jun 1997 13:25:14 -0400 (EDT)
From: Robert Byer <byer@mail.all-net.net>
Reply-To: PWDCHG@lp.se
Subject: Re: Suggestions, my inputs
To: PWDCHG@lp.se
Message-ID: <009B6105.D985B160.118@mail.all-net.net>
Content-Transfer-Encoding: 7BIT
-----BEGIN PGP SIGNED MESSAGE-----
>>
>> Not really. SSLeay has utilities for creating your own certificate, the
>> only drawback is that when you go to access a secure page with your
>> own signed certificate, Netscape will ask you about downloading the
>> certificate and if you trust it as it wasn't signed by VeriSign or one
>> of the others.
>>
>> I do remember seeing a Java program to generate and sign your own SSL
>> certificates on the net and I think I still have a copy somewhere. It
>> worked pretty well.
>>
>> If you can live with NOT having a VeriSign signed SSL certificate like
>> we do, SSLeay is the way to go as you can set up an SSL server without
>> having to pay one dime.
>
>I could live very easily without a VeriSign signed certificate.
>
>Do the OpenVMS version of the Mosaic browser and the text mode browser Lynx
>support SSL?
>
I don't know about Mosaic, but I do know that there is a patch to use
SSLeay with Lynx, but I haven't messed with it.
+------------------------+--------------------------------------------+
| Robert Alan Byer | A-Com Computing, Inc. |
| Vice-President | 115 W. Washington Street, Suite 1165 |
| A-Com Computing, Inc. | Indianapolis, IN 46204 |
| Phone: (317)673-4204 | http://www.all-net.net/ |
+------------------------+-----+--------------------------------------+
| byer@mail.all-net.net | I don't want to take over the world, |
| http://www.all-net.net/~byer | just my own little part of it. |
+------------------------------+--------------------------------------+
| Send an E-mail request to obtain my PGP key. |
+---------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----