Subject: Re: solving various bug reports...
To: Darren Reed <darrenr@cyber.com.au>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 06/26/1997 21:32:56
Darren Reed writes:
>> 5. packet dump support in tcpdump(8)
>> ------------------------------------
>> 
>> PR 1205 adds hex/ascii packet dumping to tcpdump(8), and telnet option
>> parsing.
>> 
>> cgd commented that this has been brought up in the past and knocked down.

>I think it would be better to write a different program to do this, maybe
>even a "snoop" for NetBSD.  Reason is that tcpdump originates outside of
>NetBSD and changes to it are not likely to care for what we do.  If there
>was strong support of making tcpdump do it, there should be feedback to
>the group at LBL so that they get the same code (and aren't doing something
>like that themselves).

No, they aren't or weren't.  I offered the patches to LBL before
submitting them as a PR.  LBL's stance was that it would make
password sniffing too easy.  I personally think that's lame, but it's
their choice.  As I recall cgd knocked it back because of LBL's
stance.

I'm not in favour of writing a new "snoop" or whatever, as I _like_
tcpdump.  

>btw, one of my main hacks to tcpdump is to add ascii packet dumps (it
>already supports hex dumps: tcpdump -x).

Yep, that's what PR1205 does.  It implements a hex/ascii dump that will
warm the heart of any CP/M hackers out there :-) via -Xn where n lets
you tell it to include the packet header or just do the payload.

Oh, and since 3, 4 were my PRs too I'd better comment :-)
>> 3. su(1) ignores expired password or account
>> --------------------------------------------
>> 4. login(1) patch to force password change on initial login
>> -----------------------------------------------------------

>How do we communicate this requirement to people logging in via ftp ?
>(both for 3 & 4).  What about for ssh ?  rsh (i.e. starting xterms) ?

Good point. I think the long term solution is probably to use
something like PAM.  Failing that, we could fix ftpd as per login.

As for ssh and rsh - I don't use them. 

[I use X.509 certs (via SSL) to authenticate telnet, rsh and even ftp;
they all use ssld_auth() to check access control.]

But in any case, the fact that ssh/rsh is not covered does not mean
that login/su should not be fixed.

--sjg
-- 
Simon J. Gerraty        <sjg@quick.com.au>

#include <disclaimer>   /* imagine something _very_ witty here */