Date: Fri, 23 Feb 96 09:57:46 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Brian Tao <taob@io.org>
Cc: cschuber@orca.gov.bc.ca, FREEBSD-SECURITY-L <freebsd-security@FreeBSD.org>
Subject: Re: Informing users of cracked passwords?
Message-ID: <199602231757.JAA27883@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Fri, 23 Feb 96 12:45:42 EST." <Pine.BSF.3.91.960223123339.18637M-100000@zip.io.org>
> On Fri, 23 Feb 1996, Cy Schubert - BCSC Open Systems Group wrote:
> >
> > One could use TCP/Wrapper to restrict the effectiveness of "r" commands to hosts
> > that you trust thereby negating any entries users have put in their .rhosts
> > files of hosts that you don't trust.
>
> I have tcpd running here, but it only refuses connects for hosts
> with no reverse DNS or with mismatched forward/reverse records. Since
> a lot of our users telnet in from elsewhere, I can't maintain a list
> of "trusted" hosts (this is for an ISP, after all).
>
> I could disable .rhosts, but that raises another question. Is it
> better to allow users to rlogin from an untrusted host to your system,
> or to force them to authenticate themselves each time and have
> cleartext passwords flying over the network?
>
> It would be so much easier if access was only through modem
> dialup, and we didn't have to rely on NFS or a distributed password
> system, or give shell access, etc., etc. :-/
You're obviously using TCPD to monitor connections, excluding those connections
that are caught by the PARANOID mode code. You could, for example, maintain a
simple hosts.allow:

    ALL EXCEPT rlogind rshd rexecd fingerd: ALL
    rlogind rshd rexecd: .io.org

These two lines restrict rlogin, rsh, and rexec to hosts within the io.org
domain while allowing connections to all other services from anywhere in the
world.
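To make the lookup order behind those two lines concrete, here is an added example that is not part of the thread and is not tcp_wrappers code. It models the documented tcpd order (hosts.allow searched first and a match grants; hosts.deny searched next and a match refuses; a pair matching neither file is granted) for the subset of syntax the message uses: daemon_list : client_list, the ALL wildcard, EXCEPT, and leading-dot domain patterns. The hosts.deny contents and the client host names are assumptions constructed for the example, since the message shows only hosts.allow.

```python
"""Simplified model of tcp_wrappers access control (hosts.allow / hosts.deny).

Added example; not from the mailing-list thread and not tcp_wrappers source.
Modelled: 'daemon_list : client_list', the ALL wildcard, EXCEPT, and
leading-dot domain patterns, with tcpd's allow-then-deny-then-default order.
Not modelled: address/netmask patterns, PARANOID/KNOWN/UNKNOWN, netgroups,
and the optional shell_command field.
"""

from typing import List, Optional, Tuple

# The two hosts.allow lines quoted in the message.
HOSTS_ALLOW = """\
ALL EXCEPT rlogind rshd rexecd fingerd: ALL
rlogind rshd rexecd: .io.org
"""

# Assumed companion hosts.deny (not shown in the message). Without a deny
# rule, any pair the allow file does not mention is granted by default.
HOSTS_DENY = "ALL: ALL\n"

Pattern = Tuple[List[str], List[str]]   # (included tokens, EXCEPT tokens)
Rule = Tuple[Pattern, Pattern]          # (daemon_list, client_list)


def _parse_list(text: str) -> Pattern:
    """Split 'a b EXCEPT c d' into (['a', 'b'], ['c', 'd'])."""
    tokens = text.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text: str) -> List[Rule]:
    """Parse a hosts.allow/hosts.deny body into rules, preserving file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        # fields[2:] would hold the optional shell_command; ignored here.
        rules.append((_parse_list(fields[0]), _parse_list(fields[1])))
    return rules


def _match_token(pattern: str, value: str) -> bool:
    """ALL matches anything; '.dom' matches names ending in '.dom'; else exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.lower().endswith(pattern.lower())
    return value.lower() == pattern.lower()


def _match_list(pattern: Pattern, value: str) -> bool:
    """A value matches 'list_1 EXCEPT list_2' if it matches list_1 but not list_2."""
    included, excluded = pattern
    return (any(_match_token(p, value) for p in included)
            and not any(_match_token(p, value) for p in excluded))


def first_match(rules: List[Rule], daemon: str, client: str) -> Optional[int]:
    """Index of the first rule matching the (daemon, client) pair, or None."""
    for i, (daemons, clients) in enumerate(rules):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return i
    return None


def decide(daemon: str, client: str,
           allow_text: str = HOSTS_ALLOW,
           deny_text: str = HOSTS_DENY) -> Tuple[str, str]:
    """Return (verdict, reason) using tcpd's allow, then deny, then default order."""
    i = first_match(parse_rules(allow_text), daemon, client)
    if i is not None:
        return "allow", f"hosts.allow rule {i + 1}"
    i = first_match(parse_rules(deny_text), daemon, client)
    if i is not None:
        return "deny", f"hosts.deny rule {i + 1}"
    return "allow", "no rule matched (tcpd default)"


if __name__ == "__main__":
    # Constructed sample connections, not real log data.
    for daemon, client in [("rlogind", "zip.io.org"),
                           ("rlogind", "shell.example.net"),
                           ("telnetd", "shell.example.net"),
                           ("fingerd", "zip.io.org")]:
        verdict, why = decide(daemon, client)
        print(f"{daemon:8} from {client:18} -> {verdict:5} ({why})")
```

Running it shows why the deny file matters: with the assumed ALL: ALL in hosts.deny, an rlogin from outside io.org is refused by the deny file, but with an empty hosts.deny the same connection would fall through to tcpd's default and be granted, because the two hosts.allow lines only grant, never refuse. fingerd, being excluded from the first line and absent from the second, likewise ends up decided by hosts.deny.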
> --
> Brian Tao (BT300, taob@io.org)
> Systems Administrator, Internex Online Inc.
> "Though this be madness, yet there is method in't"
>
Regards,                  Phone: (604)389-3827
Cy Schubert               OV/VM: BCSC02(CSCHUBER)
Open Systems Support      BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp.          Internet: cschuber@uumail.gov.bc.ca
                                    cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."
