From: Nate Williams <nate@yogotech.com>
Date: Mon, 17 Sep 2001 21:04:43 -0600
To: David Malone
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
Message-ID: <15270.47563.532734.979385@nomad.yogotech.com>
In-Reply-To: <200109151440.f8FEe2w91340@freefall.freebsd.org>

> From: David Malone
> To: Gavin Atkinson
> Cc: freebsd-gnats-submit@FreeBSD.org
> Subject: Re: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
> Date: Sat, 15 Sep 2001 15:33:00 +0100
>
> On Sat, Sep 15, 2001 at 07:20:22AM -0700, Gavin Atkinson wrote:
> > Therefore the sysadmin of a system cannot easily prevent rlogins from
> > another system. This would seem to be a useful thing, for example if
> > the remote system has been compromised.
> > Also, if a user cares more for his account's security than the
> > sysadmin, he can't disable rlogins.
>
> Surely you would be much better off using hosts.allow or ipfw to
> prevent such connections? That way you would stop connections
> using telnet and ssh too.

Surely not. Having to modify your firewall every time you had a host you
wanted to allow, or did not want to allow, is massive overkill.
Especially if the list is long, because the firewall rules must be used
for *every* packet, and this could get pretty long. The existing
mechanism is simply not (yet) up to the task.

A firewall is a good tool, but it doesn't make it the only good tool in
your belt. :)

Nate
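The hosts.allow route David suggests above, written out as an added example (not from the PR and not either poster's configuration): a TCP wrappers /etc/hosts.allow fragment in FreeBSD's extended "daemon : client : option" syntax that refuses the r-services, telnet and ssh from one host assumed to be compromised, while keeping a per-host allow list for rlogind/rshd. All hostnames are placeholders.

```conf
# /etc/hosts.allow -- added example, not from PR misc/30590.
# Hostnames are placeholders.  The first matching line wins, so the
# deny for the compromised host must come before any allow that would
# otherwise match it.

# Refuse the r-services, telnet and ssh from a host known to be compromised.
rlogind rshd telnetd sshd : compromised.example.org : deny

# Per-host trust for the r-services.  This is evaluated by the wrapper
# before rlogind/rshd ever consult /etc/hosts.equiv or ~/.rhosts, so a
# user's ~/.rhosts cannot re-open a host denied here.
rlogind rshd : trusted1.example.org trusted2.example.org : allow
rlogind rshd : ALL : deny

# Everything else falls through to each daemon's own access checks.
ALL : ALL : allow
```

Two caveats a practitioner would want: the rules only take effect for daemons that actually pass through the wrappers (services started from inetd with wrapping enabled, or sshd built with libwrap), and, unlike ipfw, this is a per-connection check rather than a per-packet one, which is the cost Nate objects to in the firewall approach.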