finger for pubkey

John Clizbe JPClizbe@attbi.com
Mon Jul 7 19:24:04 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CL Gilbert wrote:

> I noticed that finger has a way for you to include your public key.  So
> I am wondering what everyone thinks about the security of finger?  I am
> thinking of opening my home linux box so people can finger my account to
> get the info, and any other info I include.
>
> There are no ports open on my firewall except ssh to my local Linux box.
> And that is only open to certificates, so password cracking is not a
> possibility.
>
> Any ideas on the security of this?
>
finger's main problem is that it makes it easy for intruders to get a list
of users on your system, which can dramatically increase the intruder's
chances of breaking into your system. One would also scrub the files
finger prints of any personal information not wanted to be disclosed.

Finger's claim to infamy was one line of code exploited by Robert Morris
in 1988's Internet Worm episode. It was a buffer overflow that caused
fingerd to execute a shell.

If you are running finger of this vintage, you probably have many more
severe problems to worry about <G>.

- --
John P. Clizbe                   Inet:   JPClizbe AT attbi DOT com
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
  "Most men take the straight and narrow. A few take the road less
traveled.  I chose to cut through the woods."
  "There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_:  Vegetarian Man Eaten by Cannibals
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr1 (Windows 2000)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/Ca0JHQSsSmCNKhARAo/ZAKCnM6lqs6tEsiFpozW+GemgFD+i/gCg+ntQ
01Cnj3O76BpH3hJqPPW4G+A=
=EJYj
-----END PGP SIGNATURE-----
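
Added illustration, not part of the original message: the 1988 fingerd overflow came from reading the request line with an unbounded gets() into a fixed-size buffer. The C sketch below reads the same one-line request with a bounded fgets() and rejects overlong input; the function names, REQ_MAX and the sample bytes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512 /* buffer size chosen for this example */

/* Read one finger query: a single line ending in CRLF (RFC 1288).
 * Returns  0  user query stored in buf, line ending removed
 *          1  empty query (a request to list users; a site may refuse it)
 *         -1  EOF or read error
 *         -2  line too long or unterminated: drained and rejected,
 *             never truncated and never written past buf. */
int read_finger_query(FILE *in, char *buf, size_t buflen)
{
    if (buflen < 2 || fgets(buf, (int)buflen, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n == 0 || buf[n - 1] != '\n') {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                       /* discard the rest of the line */
        return -2;
    }
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf[0] == '\0' ? 1 : 0;
}

/* Constructed input: place bytes in a temporary stream, standing in for a socket. */
FILE *sample_stream(const char *data, size_t len)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fwrite(data, 1, len, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    char q[REQ_MAX], big[607];
    memset(big, 'A', 600);          /* constructed 600-byte overlong request */
    memcpy(big + 600, "\r\nbob\r\n", 7);
    FILE *f = sample_stream(big, sizeof big);
    if (f == NULL)
        return 1;
    int first = read_finger_query(f, q, sizeof q);
    int second = read_finger_query(f, q, sizeof q);
    printf("overlong -> %d, next -> %d (%s)\n", first, second, q);
    fclose(f);
    return 0;
}
```

The return value 1 marks the empty query that asks the server for its user list, which is the enumeration concern raised in the reply; a server built on this sketch can refuse that case outright.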