X-ISP and Maintaining Multiple Account Records
As with any program that allows users to connect or disconnect the system to or from a network, security concerns must be addressed. The areas of most concern to me are the entering of account passwords at setup time (not dial-up time) and the transmission of authentication data.
X-ISP saves all account information in the .xisprc file in the user's home directory, including user name and passwords for the accounts. The rc file is readable only by the owner, so as long as there has not been a breach of the user's security, there should be no problem. As a secondary line of defense, X-ISP encrypts the password in the rc file using encrypt(3). The key used to encrypt the rc file is scrambled to remove any visibility in the binary. Since the encryption key resides in the source code, the possibility exists that someone could come up with the key and decode a user's rc files. Therefore, it would be best to change the encryption key in the source code before compiling X-ISP. The documentation outlines the procedure for changing the encryption key.
For PAP authentication, X-ISP calls pppd with the +ua option. PPPD version 2.3 no longer supports the +ua option, so if you are using that version of pppd, the PAP authentication mode will not be available. X-ISP creates a temporary file with login details in the user's home directory before calling pppd during a connect request, then removes the file as soon as the connection is established. This prevents any plaintext files with login details from sticking around. For PAP/CHAP-Secrets login, the appropriate files must be edited aside from X-ISP.
A potential liability may occur since X-ISP requires the user to be a member of the root group. Two remedies exist: either create a new group for X-ISP and add appropriate permissions to the program and data files, or use sudo. Creating a new group and adding users and files to it is probably the most straightforward way to tighten security on X-ISP. However, by allowing users access through sudo, the system administrator can allow the use of X-ISP without creating a new group or adding users to the root group and still maintain security integrity.
This should give you a good start with X-ISP, as well as a little insight into how it works. In the next release of X-ISP, a PTT editor will enable users to add entries to the TelCo database. The PTT information editor envisioned for X-ISP version 2.4 enables editing of all tariff rules for PTTs known to X-ISP, and also adding your own PTT information through a versatile GUI interface. The fields of the editor pop-up window shown in Figure 6 are the result of analyzing the PTTs currently known to X-ISP (version 2.3p7) plus a handful more which haven't yet made it into the distribution.
- The Tiny Internet Project, Part I
- Machine Learning with Python
- SUSECON 2016: Where Technology Reigns Supreme
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Free Today: September Issue of Linux Journal (Retail value: $5.99)
- Bitcoin on Amazon! Sort of...
- Android Browser Security--What You Haven't Been Told
- Securing the Programmer
- The Many Paths to a Solution
Pick up any e-commerce web or mobile app today, and you’ll be holding a mashup of interconnected applications and services from a variety of different providers. For instance, when you connect to Amazon’s e-commerce app, cookies, tags and pixels that are monitored by solutions like Exact Target, BazaarVoice, Bing, Shopzilla, Liveramp and Google Tag Manager track every action you take. You’re presented with special offers and coupons based on your viewing and buying patterns. If you find something you want for your birthday, a third party manages your wish list, which you can share through multiple social- media outlets or email to a friend. When you select something to buy, you find yourself presented with similar items as kind suggestions. And when you finally check out, you’re offered the ability to pay with promo codes, gifts cards, PayPal or a variety of credit cards.Get the Guide