From owner-freebsd-bugs Sat Nov 23 06:50:08 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
        id GAA28665 for bugs-outgoing; Sat, 23 Nov 1996 06:50:08 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
        id GAA28656; Sat, 23 Nov 1996 06:50:05 -0800 (PST)
Resent-Date: Sat, 23 Nov 1996 06:50:05 -0800 (PST)
Resent-Message-Id: <199611231450.GAA28656@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, ciaran@aldhfn.aldhfn.org
Received: from aldhfn.aldhfn.org (root@aldhfn.aldhfn.org [198.17.116.1])
        by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id GAA28455
        for ; Sat, 23 Nov 1996 06:43:02 -0800 (PST)
Received: (from ciaran@localhost) by aldhfn.aldhfn.org (8.6.12/8.6.11.1)
        id JAA04480; Sat, 23 Nov 1996 09:40:12 -0500
Message-Id: <199611231440.JAA04480@aldhfn.aldhfn.org>
Date: Sat, 23 Nov 1996 09:40:12 -0500
From: Skip Watson
Reply-To: ciaran@aldhfn.aldhfn.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2092: rlogind not using passwords
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         2092
>Category:       bin
>Synopsis:       rlogind not using passwords
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 23 06:50:03 PST 1996
>Last-Modified:
>Originator:     Skip Watson
>Organization:
Skip
--
Auldhaefen Online Services
automated info: info@aldhfn.org      330 745-9380 voice
questions:      support@aldhfn.org   330 753-8791 bbs/fax
person:         ciaran@aldhfn.org    330 745-7624 data
WWW: http://www.ald.net
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD aldhfn.aldhfn.org 2.1.0-RELEASE FreeBSD 2.1.0-RELEASE #0: Mon Nov 20 13:22:52 EST 1995 ciaran@aldhfn.aldhfn.org:/usr/src/sys/compile/ALDHFN i386

and

FreeBSD arachne.aldhfn.org 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: Thu Jul 18 02:24:53 EDT 1996 root@arachne.aldhfn.org:/usr/src/sys/compile/ARACHNE i386

>Description:

When using rlogin from a remote site, rlogind does not use passwords on
the local machine. As an example, user "timmy" has an account on our
machine (aldhfn.aldhfn.org) with a password of "letmein". He also has an
account of "timmy" at xyz.com with a password of "whocares". "timmy" logs
into "xyz.com" and then rlogins to our machine. rlogind logs him directly
into our machine without asking for his password on our machine. Since
the two passwords are different, it should be authenticating him rather
than logging him in directly. This is a major problem since anyone can
log in as anyone else, even root.

The same thing is occurring with arachne.aldhfn.org, which is running
2.1.5. I have gotten in 2.1.6 but haven't had time to install it. I don't
know if 2.1.6 will solve this problem or not.

>How-To-Repeat:

It happens all of the time. There's nothing special that needs to be done.

>Fix:

Don't know.

>Audit-Trail:
>Unformatted: