On Mon, Apr 15, 2002 at 12:30:01PM +0100, Roger Burton West wrote:
Am I missing something here? It's true that this system prevents someone from discovering the password by intercepting email; however, the token which the email interceptor discovers is just as good as a password, in that it can be used to cause the execution of X-Commands.
That's true. I made this silly mistake, not thinking about the reusability of the cipher.
I suggest that a truly secure system would have authentication tokens which were only valid on a single occasion; perhaps the system should randomly change the X-Command password after each command, and email the new password to the maintainer address. (Ideally, of course, it wouldn't even do that; the maintainer would have a list of passwords which would be used in order, and have some secure means of getting more passwords.)
I think there is a less cumbersome solution: The maintainer password is encrypted together with a sequence number. On the list server the password will be decrypted together with the sequence number. If the stored sequence number is 1 smaller than the actual one the xcommand will be executed. Otherwise the maintainer will receive an email with the current sequence number. Someone intercepting the sequence number gains nothing. By this means the cipher cannot be reused. ssh is fine and I use it to access a list server but I like it more to use my doxcommand script on the command line to do some admin work. It's fast and easy - but insecure. Werner