FL17@DLRVMBS.BITNET (12/13/90)
To: info-iris@brl.mil 11-Dec-1990 Remote printing with IRIX 3.3.1 Remote printing works nicely via the lp account with no password. However, anyone can log in as user "lp" with no password on our machines. Does anyone have a method to inhibit interactive logins as user "lp" while maintaining the remote printing feature ? Thanks in advance R. Beyer --------------------------------------------------------------------- Ralf Beyer | German Aerospace Research Establishment | Braunschweig Research Center | Institute for Flight Guidance | Flughafen | D-3300 Braunschweig, Fed. Rep. of Germany | Phone: (0531) 395-2530 | Email: fl17@dlrvmbs.bitnet | Email (local): beyer@bflsgu ---------------------------------------------------------------------
dhinds@elaine33.stanford.edu (David Hinds) (12/13/90)
In article <9012110417.aa06748@VGR.BRL.MIL> FL17@DLRVMBS.BITNET writes: > >Remote printing works nicely via the lp account with no password. >However, anyone can log in as user "lp" with no password on our machines. >Does anyone have a method to inhibit interactive logins as user "lp" >while maintaining the remote printing feature ? I had a similar problem, in setting up one of our Irises so that a Personal Iris could make backups remotely - 'bru' and 'mt' need to be able to access the remote system through a guest account for which a password isn't necessary. The answer seems to be to give the account an invalid password, but put an entry in the .rhosts file for that account specifying that selected outside users are equivalent and don't need to specify a password when using 'rsh', 'rlogin', etc. Our 'lp' account is set up this way, as well. So, on the server Iris, the line in /etc/passwd is: lp:*:9:9:0000-lp(0000):/usr/spool/lp: and the server's /usr/spool/lp/.rhosts file looks like: cb-iris2.stanford.edu lp where cb-iris2 is the Personal Iris. This seems to be reasonably safe. -David Hinds dhinds@cb-iris.stanford.edu
shenkin@cunixf.cc.columbia.edu (Peter S. Shenkin) (12/13/90)
In article <9012110417.aa06748@VGR.BRL.MIL> FL17@DLRVMBS.BITNET writes: > >Remote printing works nicely via the lp account with no password. >However, anyone can log in as user "lp" with no password on our machines. >Does anyone have a method to inhibit interactive logins as user "lp" >while maintaining the remote printing feature ? Wait a second -- there's something I don't understand. Ordinarily the lp account is set up without a default login shell. I guess I had assumed that this would inhibit interactive use of the machine by a person trying to login as "lp". On a regular user account, a login shell is specified. So could someone tell me what does happen if someone does try to login as lp? Or as uucp, for that matter... -P. ************************f*u*cn*rd*ths*u*cn*gt*a*gd*jb************************** Peter S. Shenkin, Department of Chemistry, Barnard College, New York, NY 10027 (212)854-1418 shenkin@cunixf.cc.columbia.edu(Internet) shenkin@cunixf(Bitnet) ***"In scenic New York... where the third world is only a subway ride away."***
blbates@AERO4.LARC.NASA.GOV ("Brent L. Bates AAD/TAB MS361 x42854") (12/13/90)
How about an apropriatly configured and placed .rhosts file under the lp account. That way only lp accounts on "trusted" machines can use the printer. -- Brent L. Bates NASA-Langley Research Center M.S. 361 Hampton, Virginia 23665-5225 (804) 864-2854 E-mail: blbates@aero4.larc.nasa.gov or blbates@aero8.larc.nasa.gov
dale@lamont.ldgo.columbia.edu (dale chayes) (12/14/90)
In article <1990Dec13.150715.25685@cunixf.cc.columbia.edu>, shenkin@cunixf.cc.columbia.edu (Peter S. Shenkin) writes: > In article <9012110417.aa06748@VGR.BRL.MIL> FL17@DLRVMBS.BITNET writes: > > > >Remote printing works nicely via the lp account with no password. > >However, anyone can log in as user "lp" with no password on our machines. > >Does anyone have a method to inhibit interactive logins as user "lp" > >while maintaining the remote printing feature ? > > Wait a second -- there's something I don't understand. Ordinarily the > lp account is set up without a default login shell. I guess I had assumed > that this would inhibit interactive use of the machine by a person trying > to login as "lp". On a regular user account, a login shell is specified. > So could someone tell me what does happen if someone does try to login as > lp? Or as uucp, for that matter... Well, I ASSUMED (makes an A.. out of U and ME), some what differently, that uucp and lp would have "special" login PROGRAMS, but on inspection of one of our 4D/20s running 3.3.1, I find that lp dosen't. The uucp account is "closed" with an asterix and the nuucp account does run /usr/lib/uucico on startup. To make the remote printing work, the users of this machine have removed the password for the lp account. As I recall, it was the only way they could get the remote printing to play. Egads.... My understanding of the final field in /etc/passwd was that if you don't specify something else, the user ends up with a Bourne shell, and that is exactly what happens. On further inspection, I find that you can log in and end up in what appears to be an unrestricted Bourne shell. There is no .login, nor .profile, nor .cshrc in the home directory of lp. I _suspect_ that most people who by "personal visualization" machines are not particularly network-aware and almost certainly not aflicted with a healthy dose of networked-system-manager's paranoia. They connect to networks for the benifits, but are not inclined to pay for support services/administration (if it is available) at least in part because of the nice visual admin tools that SGI provides. And, who can blame them? I would encourage SGI to put a little (a lot?) more effort into security issues before there is a public flap that gets them on the front page of the news rags (for reasons not related to their great graphics) independent of the _real_ reasons. Yuck, Dale -- Dale Chayes Lamont-Doherty Geological Observatory of Columbia University Route 9W, Palisades, N.Y. 10964 dale@lamont.ldgo.columbia.edu voice: (914) 359-2900 extension 434 fax: (914) 359-6817