Date:      Fri, 31 May 1996 16:22:02 -0700
From:      Anthony D Fleisher <fleisher@mind.net>
To:        David Babler <dbabler@Rigel.orionsys.com>
Cc:        questions@freebsd.org
Subject:   Re: Limiting access
Message-ID:  <2.2.32.19960531232202.006f54f8@mind.net>

At 11:15 AM 5/31/96 -0700, you wrote:
>Greetings... I need a sanity check on something. I'm running FreeBSD as 
>an adjunct to a BBS to provide users with shell accounts and general 
>access to newsreaders and so on. The BBS software provides all the 
>accounting and access control I need and by itself includes FTP, telnet, 
>rlogin and so on. If I simply create accounts for them on the FBSD system 
>and have them rlogin or telnet to it, I open a hole for them to bypass 
>the normal accounting associated with charging them for usage. For 
>instance, I have a number of subscription classes that allow access for a 
>specific amount of time per day. If I create an account for such a user 
>on the FBSD system, they could just as easily just find another place to 
>telnet from and their usage bypasses the BBS altogether, essentially 
>giving them far more access than they've paid for. My first thought of 
>how to limit this seems like it should work, but maybe there is a better 
>way to do it.
>

Why not just use tcpwrappers to restrict access?
Last I saw it was in the /security/tcp_wrappers directory of the ports
collection.

>What I'm thinking of doing is to create their account on the FBSD system 
>and then use vipw to make their passwords un-enterable ("*") and have the 
>BBS in the etc/hosts.equiv file and use rlogin from the BBS. That way, 
>their security is handled by the BBS (and they don't need to remember 
>another password) and if they try to login from "outside", they can't 
>because they can't enter the password. Am I overlooking something or is 
>there some easily-exploitable hole in this?
>
1) What is stopping them from creating a .rhosts file (and thus not required
to enter a password)?


>Thanks!
>
>-Dave Babler
>
tcp_wrappers is by far the most complete solution as far as I am concerned.

Hope this helps,
---------------------------------------------------------
Anthony Fleisher                     InfoStructure
fleisher@mind.net                    611 Siskiyou Blvd.
voice:541-488-1962 fax:541-488-7599  Ashland OR 97520
---------------------------------------------------------
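
The .rhosts question in the reply above can be checked on the shell host itself. The following is an added example, not part of the original message: a shell function that lists every .rhosts entry under a home-directory root that trusts a host other than the BBS. The function names, the sample tree and the host names (bbs.example.com, outside.example.net) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# audit_rhosts HOME_ROOT TRUSTED_HOST
# Prints "account<TAB>host" for each .rhosts entry under HOME_ROOT whose host
# field is anything other than TRUSTED_HOST (including "+" wildcards).
audit_rhosts() {
    home_root=$1
    trusted=$2
    for f in "$home_root"/*/.rhosts; do
        [ -f "$f" ] || continue          # glob matched nothing, or not a file
        account=$(basename "$(dirname "$f")")
        # First field of each line is the trusted host; the rest is ignored.
        while read -r host _rest || [ -n "$host" ]; do
            case $host in
                ''|'#'*) continue ;;     # blank line or comment
            esac
            [ "$host" = "$trusted" ] || printf '%s\t%s\n' "$account" "$host"
        done < "$f"
    done
}

# Constructed sample tree: three accounts, host names are placeholders.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/alice" "$root/bob" "$root/carol"
    printf 'bbs.example.com\n' > "$root/alice/.rhosts"
    printf '# added by user\noutside.example.net bob\n+ +\n' > "$root/bob/.rhosts"
    printf '%s\n' "$root"
}

# Run the audit over the sample tree, then clean up.
sample=$(make_sample) && audit_rhosts "$sample" bbs.example.com
rm -rf "$sample"
```

On the sample tree only bob's two entries are reported; alice's file trusts the BBS alone and carol has no .rhosts.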
