finger for pugkey

John Clizbe
Mon Jul 7 19:24:04 2003

Hash: SHA1

CL Gilbert wrote:

> I noticed that finger has a way for you to include your public key.  So
> I am wondering what everyone thinks about the security of finger?  I am
> thinking of opening my home linux box so people can finger my account to
> get the info, and any other info I include.
> Their are no ports open on my firewall except ssh to my local Linux box.
> ~ And that is only open to certificates, so password cracking is not a
> possibility.
> Any ideas on the security of this?
finger's main problem is that it makes it easy for intruders to get a list
of users on your system, which can dramatically increase the intruder's
chances of breaking into your system. One would also scrub the files
finger prints of any personal information not wanted to be disclosed.

Finger's claim to infamy was one line of code exploited by Robert Morris
in 1988's Internet Worm episode. It was a buffer overflow that caused
fingerd to execute a shell.

If you are running finger of this vintage, you probably have many more
severe problems to worry about <G>.

- --
John P. Clizbe                   Inet:   JPClizbe AT attbi DOT com
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
  "Most men take the straight and narrow. A few take the road less
traveled.  I chose to cut through the woods."
  "There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_:  Vegetarian Man Eaten by Cannibals
Version: GnuPG v1.2.2-nr1 (Windows 2000)
Comment: Using GnuPG with Mozilla -