Date: Tue, 10 Nov 1998 23:00:02 -0800 (PST)
Message-Id: <199811110700.XAA24502@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.ORG
From: Peter Wemm
Subject: Re: bin/8646: Implement rlogind -a option
Reply-To: Peter Wemm

The following reply was made to PR bin/8646; it has been noted by GNATS.

From: Peter Wemm
To: cschuber@uumail.gov.bc.ca
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option
Date: Wed, 11 Nov 1998 13:04:01 +0800

Cy Schubert wrote:
> >Synopsis: Implement rlogind -a option
> >Description:
>
> Implement rshd's -a option in rlogind. Hopefully this will
> provide a little better security.

I'm not sure that this is the right thing.. What is it to protect?
Hostname spoofing for .rhosts? If so, that is already taken care of
within the ruserok() and iruserok() code in libc which deals with .rhosts.

All that I can see that it does is verify the hostname for utmp purposes..
What it should do in this case is log the IP address instead of the
hostname if there is a mismatch, and let ruserok() decide what to do.
There is no need to refuse a connection from an incorrectly configured
client if that client has its IP address (not hostname) explicitly listed
in the .rhosts file.

Refusing service solely because of DNS problems is bad.
Refusing to *trust* DNS if there is a problem is much better. The logging
should switch to IP addresses if there is any doubt about the DNS
integrity.

Cheers,
-Peter
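
The behaviour suggested in the reply above, sketched in C as an added example (not part of the original message and not rlogind's source): the PTR name is used for logging only when a forward lookup of that name returns the peer's own address, otherwise the numeric IP is logged, and the connection is never refused on DNS grounds. It is IPv4-only, and the function names addr_confirmed, pick_log_name and peer_log_name are hypothetical.

```c
/* Added example, not rlogind source. IPv4 only; function names are hypothetical. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if the peer's address is among the forward-lookup results. */
int addr_confirmed(const struct sockaddr_in *peer, const struct addrinfo *fwd) {
    for (; fwd != NULL; fwd = fwd->ai_next) {
        const struct sockaddr_in *a = (const struct sockaddr_in *)fwd->ai_addr;
        if (fwd->ai_family == AF_INET && a != NULL &&
            a->sin_addr.s_addr == peer->sin_addr.s_addr) return 1;
    }
    return 0;
}

/* Choose what to log: the PTR name only when forward-confirmed, else the numeric IP.
   Returns 1 if the name was used, 0 on fallback; out needs INET_ADDRSTRLEN bytes. */
int pick_log_name(const struct sockaddr_in *peer, const char *ptr_name,
                  const struct addrinfo *fwd, char *out, size_t outlen) {
    if (ptr_name != NULL && addr_confirmed(peer, fwd)) {
        snprintf(out, outlen, "%s", ptr_name);
        return 1;
    }
    inet_ntop(AF_INET, &peer->sin_addr, out, (socklen_t)outlen);
    return 0;
}

/* Live path: PTR lookup, then a forward lookup of whatever name came back. */
int peer_log_name(const struct sockaddr_in *peer, char *out, size_t outlen) {
    char name[1025];
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM }, *fwd = NULL;
    int have_ptr = getnameinfo((const struct sockaddr *)peer, sizeof(*peer),
                               name, sizeof(name), NULL, 0, NI_NAMEREQD) == 0;
    if (have_ptr && getaddrinfo(name, NULL, &hints, &fwd) != 0) fwd = NULL;
    int used = pick_log_name(peer, have_ptr ? name : NULL, fwd, out, outlen);
    if (fwd != NULL) freeaddrinfo(fwd);
    return used;
}

int main(void) {
    struct sockaddr_in peer = { .sin_family = AF_INET };
    char who[1025];
    inet_pton(AF_INET, "127.0.0.1", &peer.sin_addr); /* constructed sample peer */
    int used = peer_log_name(&peer, who, sizeof(who));
    printf("log as %s (%s)\n", who, used ? "verified name" : "numeric IP");
    return 0;
}
```

The string this produces is only for utmp and log records; the authorization decision stays with ruserok(), as the reply proposes.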