home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 2
/
HACKER2.BIN
/
1080.PASSWORD.DOC
< prev
next >
Wrap
Text File
|
1988-08-06
|
3KB
|
84 lines
Sysop passwords for the MailBox.
Designed by Geert Jan de Groot, PE1HZG, Eindhoven, Holland
Remote sysop is a nice way to split the work involveld with managing a
BBS among several people. However, in the past, some crooks used the
calls of some (remote) sysops and erased all files...
I added a netrom-like verification procedure to check if a remote
sysop is really who he says he is.
The procedure is as follows:
Each 'trusted person' has his own personal key, which consists of
an array of 10 by 10 random letters and numbers, like this:
Key for: PE1HZG
01234 56789
0 tBixT 03ytR
10 9yD6s HfC0c
20 ze28q 70nL4
30 7OczX 1fEdW
40 6R8BU cao07
50 OWJ1m lTo2q
60 XLHGl NCDdF
70 2wXUO rjwDL
80 uh7P4 fsYiO
90 mQPjY zXxAM
On the @ command, the BBS gives 3 lines of 8 numbers, like this:
2354 - L#4912 - PI8ZAA-BBS > @ (user gives sysop command)
2 55 26 46 24 52 79 77 (BBS verification )
41 23 94 23 86 56 54 23
75 69 3 97 77 49 64 38
il0aqJLw (user response to 1st line)
N#182 - L#4912 - PI8ZAA-BBS > (succes - sysop prompt)
A remote sysop translates ONE (just random, first, second or third) line
into the matching characters using his personal key. Which line matches,
does not matter.
If the sent response-string matches, the user is who he says he is and goes
to remote sysop status. If not, nothing happens.
Bad guys who monitor the BBS, see an answer to 3 possible questions, and
don't know what line matches the response string, so they can't re-build
the key matrix owned by the remote sysop. This, of course, only works
if remote sysops randomly pick the first, second or third line to translate.
(However, using statistics, people can deduce the original key if they
have enough data. Crypt wizards say it may take 100 sessions before
such an attempt may be succesful. If you go sysop 1 time a day
at most, and change keys every 2 months, they should not be able to
get sysop status.. time will tell!)
In the BBS, there is a file called KEYS.MB which has records of this
format:
PE1HZG
tBixT03ytR9yD6sHfC0cze28q70nL47OczX1fEdW6R8BUcao07 (continue at next line)
OWJ1mlTo2qXLHGlNCDdF2wXUOrjwDLuh7P4fsYiOmQPjYzXxAM
Each remote sysop has his own entry in the keys.mb file, and should have
different keys. At PI8ZAA, the actual keys are generated by machine,
a small basic program will do the trick.
Of course, NOBODY should EVER consider downloading the KEYS.MB on air!
If a person with a unknown call tries to get sysop status, simply
NO response-string matches. I did this because it was easier and
maybe it keeps the bad guys puzzled..
Note that the port definition in CONFIG.MB must have the "R" privilege
set for remote sysop to be allowed at all, and must have the "P"
privilege set to require passwords.