From owner-freebsd-security Wed Apr 23 11:53:38 1997
Message-Id: <335E75CF.705E@fps.biblos.unal.edu.co>
Date: Wed, 23 Apr 1997 13:49:19 -0700
From: Pedro Giffuni
To: security@freebsd.org
Subject: Possible security hole in 2.2 Release.

Howdy,

One of my users reported rlogin didn't ask for a password when he tried to log in from a remote box in another faculty. I haven't had the time to check this out (I am sick and at home).

The problem was only detected from one Solaris box that doesn't have its hostname correctly configured. The .rhosts files are from the standard distribution and include a line, "+ +" that may be causing the problem.

I closed r* services on this box until I have a chance to check this thoroughly.

Pedro.
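
Added example, not part of the original message or of FreeBSD: a small Python check that flags wildcard trust lines, such as the "+ +" entry mentioned above, in .rhosts or hosts.equiv style files. The function names, severity labels and sample file are constructed for illustration; the field meanings assume the usual BSD ruserok() rules, where "+" matches any host or any user.

```python
import sys

# Constructed sample, not taken from the message.
SAMPLE_RHOSTS = """\
# lines starting with '#' are treated as comments here
trusted.example.edu alice
+ +
+ bob
lab1.example.edu +
+@staff
-badhost.example.edu
"""

def classify_entry(line):
    """Return (severity, reason) for one entry, or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    host = fields[0]
    user = fields[1] if len(fields) > 1 else ""
    if host.startswith("-") or user.startswith("-"):
        return ("info", "deny entry")
    if host == "+" and user == "+":
        return ("critical", "any user from any host is trusted")
    if host == "+":
        who = f"remote user {user}" if user else "the same-named remote user"
        return ("high", f"{who} is trusted from any host")
    if user == "+":
        return ("high", f"any user on {host} is trusted")
    if host.startswith("+@") or user.startswith("+@"):
        return ("medium", "trust extended to a whole netgroup")
    return ("low", "explicit host/user trust")

def audit(text, source="<sample>"):
    """Return (source, line number, entry, severity, reason) for wildcard entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_entry(line)
        if result and result[0] in ("critical", "high", "medium"):
            findings.append((source, lineno, line.strip(), *result))
    return findings

if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit the files named.
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_RHOSTS)]
    for name, text in inputs:
        for src, lineno, entry, severity, reason in audit(text, name):
            print(f"{src}:{lineno}: [{severity}] {entry!r}: {reason}")
```

Run it with the paths of the .rhosts and hosts.equiv files to audit as arguments; with no arguments it reports on the constructed sample.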