rickert@mp.cs.niu.edu (Neil Rickert) (05/01/91)
Why are we worrying about somebody sneaking in through a tiny crack in the
basement, when the front door is swinging wide open.

I just had the following experience: I logged into a system (with rlogin).
I was not asked for a password. The following are, I believe, the relevant
facts:

    The system was a Sun 4, running SunOS 4.1.
    /etc/hosts.equiv contains the infamous '+' line.
    The Sun is not running yp.
    The Sun is not running a nameserver.
    There is no /etc/resolv.conf.
    The host from which I logged in is not listed in /etc/hosts or .rhosts.
    The 'who' command showed the numeric internet address of the host from
    which I logged in, not its name.
    The host from which I logged in is not on the same network.

Face it. That '+' in hosts.equiv is not safe now, never was safe, probably
never will be safe. As long as vendors insist on this misfeature, TTY
problems seem unimportant by comparison.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115
+1-815-753-6940
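The post above shows why a bare '+' in hosts.equiv matters: the rlogin daemon does not even need to resolve the calling host's name before trusting it. The script below is an added example, not part of the thread and not Sun's code; it audits hosts.equiv/.rhosts-style files for the wildcard forms that grant trust too broadly. It assumes the usual file syntax ("host [user]" per line, '#' comments, a lone '+' in either field meaning "any", '+@name' meaning an NIS netgroup); the file names and sample entries in the usage and test are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit hosts.equiv / .rhosts files for
# wildcard trust entries.
#
# Assumed file syntax (SunOS/BSD style):
#   host [user]        trust "user" (or any user with the same name) from host
#   +                  any host is trusted
#   +@netgroup         every host in an NIS netgroup is trusted
#   host +             any user on host may log in as any local user
#   -host              explicit deny; not flagged here
#   # ...              comment

# Print "file:line: reason: original line" for each wildcard entry in the
# file named by $1.  Returns 0 if the file is clean, 1 if anything was flagged.
audit_equiv_file() {
    awk -v f="$1" '
        BEGIN { bad = 0 }
        { raw = $0; sub(/#.*/, ""); why = "" }           # keep raw, strip comment
        NF == 0 { next }                                  # blank or comment-only
        $1 == "+"   { why = "any host trusted" }
        $1 ~ /^\+@/ { why = "netgroup wildcard (trust depends on NIS data)" }
        NF >= 2 && $2 == "+" {
            why = (why == "" ? "" : why "; ") "any remote user accepted"
        }
        why != "" { printf "%s:%d: %s: %s\n", f, NR, why, raw; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of flagged lines in the file named by $1, printed on stdout.
count_wildcard_entries() {
    audit_equiv_file "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Audit every existing file given as an argument; status 1 if any was flagged.
# Typical call (paths are the conventional ones, adjust for your site):
#   audit_trust_files /etc/hosts.equiv /home/*/.rhosts
audit_trust_files() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        audit_equiv_file "$f" || status=1
    done
    return $status
}

# When run as a script with file arguments, audit them.
[ $# -gt 0 ] && audit_trust_files "$@"
```

A clean result from this script does not by itself make rlogin safe: host-based trust still stands or falls with name resolution and with every host named in the file, so the audit is a first pass, not a substitute for removing the trust files where they are not needed.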
stripes@eng.umd.edu (Joshua Osborne) (05/02/91)
In article <1991May1.140953.20081@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
>
> Why are we worrying about somebody sneaking in through a tiny crack in the
> basement, when the front door is swinging wide open.
[...]
> Face it. That '+' in hosts.equiv is not safe now, never was safe, probably
> never will be safe. As long as vendors insist on this misfeature, TTY
> problems seem unimportant by comparison.

Yes, but we already fixed that, and I am sure many others have as well. We
hadn't heard of the tty problems until just recently (well, all right, I had,
I read it a while ago on comp.unix.wizards, and played with it on a VAX, but I
had assumed it was fixed by the time I became an admin.).

Just because someone has a gun pointed to your head doesn't mean you can
safely ignore the one that is pointed at your heart...

--
stripes@eng.umd.edu
Josh_Osborne@Real_World,The
"The dyslexic porgramer"
"Security for Unix is like Multitasking for MS-DOS" - Kevin Lockwood
"CNN is the only nuclear capable news network..." - lbruck@eng.umd.edu (Lewis Bruck)
brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/02/91)
In article <1991May1.140953.20081@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
> Why are we worrying about somebody sneaking in through a tiny crack in the
> basement, when the front door is swinging wide open.
[ ... ]
> /etc/hosts.equiv contains the infamous '+' line.

Sun makes lots of mistakes, and vendors who take ideas from Sun copy the
mistakes. However, relatively few Suns are multiuser machines; the ``tiny
crack in the basement'' is in *everyone's* basement, not just Sun's.

---Dan