#7 Authentication weaknesses

[Michel Arboi]

1. cheops-agent listens on all network interfaces; it
would probably better to restrict it to localhost, or
protect it with libwrap.
"-l" option is not really usable currently, as it
forces you to run
the Gtk GUI as root.

2. When cheops-agent is run without option, anybody can
connect and launch port scans, network discovery, etc.
Not great :-/
Keep in mind that nmap -O might crash some broken IP
stacks.

3. When run as "cheops-agent -p", authentication is
required, which is better. But login & password are
sent in clear text and can be sniffed.
Also, as there is no delay when the agent rejects the
login/password, this could be used to brute force
passwords -- especially the root password.