From owner-freebsd-security Fri Feb 23 09:46:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA25033 for security-outgoing; Fri, 23 Feb 1996 09:46:23 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA25025 for ; Fri, 23 Feb 1996 09:46:20 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id MAA00100; Fri, 23 Feb 1996 12:45:42 -0500
Date: Fri, 23 Feb 1996 12:45:42 -0500 (EST)
From: Brian Tao
To: cschuber@orca.gov.bc.ca
cc: FREEBSD-SECURITY-L
Subject: Re: Informing users of cracked passwords?
In-Reply-To: <199602231722.JAA27776@passer.osg.gov.bc.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
Precedence: bulk

On Fri, 23 Feb 1996, Cy Schubert - BCSC Open Systems Group wrote:
>
> One could use TCP/Wrapper to restrict the effectiveness of "r" commands to hosts
> that you trust thereby negating any entries users have put in their .rhosts
> files of hosts that you don't trust.

I have tcpd running here, but it only refuses connects for hosts with no reverse DNS or with mismatched forward/reverse records. Since a lot of our users telnet in from elsewhere, I can't maintain a list of "trusted" hosts (this is for an ISP, after all).

I could disable .rhosts, but that raises another question. Is it better to allow users to rlogin from an untrusted host to your system, or to force them to authenticate themselves each time and have cleartext passwords flying over the network?

It would be so much easier if access was only through modem dialup, and we didn't have to rely on NFS or a distributed password system, or give shell access, etc., etc. :-/

--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
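
The tcpd behaviour described in the message above (refusing hosts with no reverse DNS or with mismatched forward/reverse records) amounts to a forward-confirmed reverse DNS test. The following is an added example, not part of the original message and not TCP Wrapper's own code; the function names and the constructed 192.0.2.x / example.net records are assumptions chosen so it runs offline.

```python
import socket

def paranoid_check(client_ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS test: return (allowed, detail).

    reverse(ip) -> hostname and forward(hostname) -> list of IPs default to
    the system resolver; they are injectable so the logic can be run offline.
    """
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        name = reverse(client_ip)          # PTR lookup
    except OSError:                        # herror/gaierror are OSError subclasses
        return False, "no reverse DNS"
    try:
        addrs = forward(name)              # A lookup on the claimed name
    except OSError:
        return False, "claimed name %s does not resolve" % name
    if client_ip not in addrs:
        # Whoever controls the PTR zone can claim any name; only the forward
        # zone's owner can confirm that claim.
        return False, "forward/reverse mismatch for %s" % name
    return True, name

# Constructed sample records (documentation address space, not real hosts).
PTR = {"192.0.2.10": "dialup10.example.net",
       "192.0.2.66": "trusted.example.net"}   # PTR claims a name it does not own
A = {"dialup10.example.net": ["192.0.2.10"],
     "trusted.example.net": ["192.0.2.5"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(ip, paranoid_check(ip, fake_reverse, fake_forward))
```

A passing result only shows that the client's DNS records are consistent; it does not make the host trusted, which is why the check alone cannot stand in for a list of trusted hosts for .rhosts.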