From owner-freebsd-isp Wed Aug 7 08:49:07 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA08656 for isp-outgoing; Wed, 7 Aug 1996 08:49:07 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA08648 for ; Wed, 7 Aug 1996 08:49:04 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id KAA02641; Wed, 7 Aug 1996 10:47:16 -0500
From: Joe Greco
Message-Id: <199608071547.KAA02641@brasil.moneng.mei.com>
Subject: Re: Trial accounts
To: john@katan.pomona.edu (john)
Date: Wed, 7 Aug 1996 10:47:15 -0500 (CDT)
Cc: peter@clari.net.au, freebsd-isp@FreeBSD.ORG
In-Reply-To: from "john" at Aug 7, 96 08:10:20 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> On Wed, 7 Aug 1996, Peter Hawkins wrote:
>
> > I'd like to gather some feelings about providing (perhaps restricted) "trial"
> > 1. security
> > 2. The potential for someone to dial in under that name indefinitely.
> >
> > However I don't want to lose custom :) so if there are ways of
> > addressing 1. and 2. I'd like to hear them.
> >
> > Peter
> ---
> well, from my experience i've seen two easy ways of extending acct use.
>
> 1. a file under the name of "TERMSET*" was placed in a trial home
> directory which altered the time counter and the user was allowed to use the
> acct indefinitely.
> i'm not sure exactly what TERMSET* was altering, but it worked
>
> 2. after a trial period, even though the acct had expired, ftp was still
> open. so someone was able to ftp a new .login file and consequently
> dialin indefinitely.
>
> both methods aren't real security holes, simple settings changes would do
> the trick. it's more of a reflection on the sysadmins. they were either
> too busy, too lazy or too stupid to take care of it.

I will note that BSD login does have support for an "account expiration date". This would seem ideal for this sort of application.

... JG
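The account expiration date mentioned above is field 7 (`expire`) of a master.passwd record. The audit below is an added example, not part of the original message: it flags trial accounts that never expire and expired trial accounts missing from the ftpd deny list (`ftpusers`), the case raised in the quoted reply. It assumes trial accounts carry a hypothetical login class `trial`; all sample records are constructed.

```shell
#!/bin/sh
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# "expire" (field 7) is seconds since the epoch; empty or 0 means the account never expires.
# Assumption: trial accounts are marked with login class "trial" (field 5).
audit_trial() {   # usage: audit_trial PASSWD_FILE FTPUSERS_FILE NOW_EPOCH
    awk -F: -v deny_file="$2" -v now="$3" '
        BEGIN {
            # Load the ftpd deny list; a missing or empty file leaves it empty.
            while ((getline line < deny_file) > 0) {
                sub(/[ \t]*#.*$/, "", line)
                if (line != "") deny[line] = 1
            }
        }
        /^#/ || NF < 10 { next }        # comment or malformed record
        $5 != "trial"   { next }        # not a trial account
        {
            if ($7 == "" || $7 + 0 == 0) {
                print "NO_EXPIRY", $1   # trial account with no expiration date
                next
            }
            if ($7 + 0 <= now + 0 && !($1 in deny))
                print "EXPIRED_NOT_IN_FTPUSERS", $1
        }
    ' "$1"
}

sample_passwd() {
    cat <<'EOF'
# constructed sample records, not real accounts
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/csh
trial1:*:2001:2001:trial:0:0:Trial One:/home/trial1:/bin/csh
trial2:*:2002:2002:trial:0:838000000:Trial Two:/home/trial2:/bin/csh
trial3:*:2003:2003:trial:0:838000000:Trial Three:/home/trial3:/bin/csh
trial4:*:2004:2004:trial:0:840000000:Trial Four:/home/trial4:/bin/csh
EOF
}

run_demo() {
    d="$(mktemp -d)"
    sample_passwd > "$d/master.passwd"
    printf 'root\ntrial3\n' > "$d/ftpusers"    # constructed deny list
    audit_trial "$d/master.passwd" "$d/ftpusers" 839376000
    rm -rf "$d"
}

run_demo
```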