FTP "securing"
Mark Komarinski
mkomarinski at wayga.org
Thu Oct 9 10:17:27 EDT 2003
On Thu, Oct 09, 2003 at 11:07:30AM -0400, Kenneth E. Lussier wrote:
>
> There is more to this problem than I stated originally, but I will come
> clean now. The patches are only available to customers who are on
> support contracts. The problem that we ran into was that using anonymous
> FTP allowed some of the smarter users to bookmark the location, then
> download patches after they went off maintenance. This remains somewhat
> of a problem, because some of the smarter users have copied down the
> username and password as well. I have no problem changing the passwords
> weekly, but there is significant push-back from the other offices
> because it is "too inconvenient". So, I would like a way to lock it down
> so that people don't know the username and password for when they go off
> maintenance. I have suggested putting the patches on the web server, but
> then we get into authentication issues (users are authenticated against
> a database that is located in England), as well as other company issues.
>
A few ideas:
1) Cache the authentication locally. Have the username and password
randomly generate once/week. If a user enters their contract/ID correctly
on the web site, they're given that week's password to access the site.
Since it's automated, that should cut down on the push-back.
By having the authentication local, you reduce network problems and
at worst, a customer has an extra week or so before they're cut off.
2) Generate per-contract accounts that expire at the termination of
their contract. Part of renewing the contract is to extend the expiration
date.
-Mark
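
Added example, not part of the original message: a sketch of idea 1, with a locally cached contract list gating who is handed that week's randomly generated FTP login. The contract IDs, dates, the `patch-` username prefix and all function names are constructed for illustration, and pushing the new login to the FTP server is left to the caller.

```python
import datetime as dt
import secrets

# Constructed sample data: local cache of contract ID -> last day of support,
# refreshed from the remote customer database whenever it is reachable.
CONTRACT_CACHE = {
    "C-1001": dt.date(2003, 12, 31),   # still on maintenance
    "C-1002": dt.date(2003, 9, 30),    # lapsed
}

class WeeklyCredential:
    """One shared FTP login, regenerated the first time it is needed each ISO week."""

    def __init__(self):
        self._week = None
        self._login = None

    def current(self, today):
        week = tuple(today.isocalendar()[:2])      # (ISO year, ISO week number)
        if week != self._week:
            self._week = week
            # Random username and password; the caller must also set these on
            # the FTP server (server-specific, not shown).
            self._login = ("patch-" + secrets.token_hex(4),
                           secrets.token_urlsafe(16))
        return self._login

def issue_login(contract_id, today, cred, cache=CONTRACT_CACHE):
    """Return this week's (username, password) only if the contract is current."""
    end = cache.get(contract_id)
    if end is None or today > end:
        return None                                # unknown or off maintenance
    return cred.current(today)

def last_usable_day(contract_end):
    """Last day a login issued on the contract's final day keeps working,
    assuming rotation at the start of each ISO week (Monday)."""
    return contract_end + dt.timedelta(days=7 - contract_end.isoweekday())

if __name__ == "__main__":
    cred = WeeklyCredential()
    print(issue_login("C-1001", dt.date(2003, 10, 9), cred))
    print(issue_login("C-1002", dt.date(2003, 10, 9), cred))
    print(last_usable_day(dt.date(2003, 9, 30)))
```

`last_usable_day` covers only the rotation delay; a stale cache entry adds to that window until the next refresh.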