From owner-freebsd-questions Fri May 31 16:18:10 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA20906 for questions-outgoing; Fri, 31 May 1996 16:18:10 -0700 (PDT)
Received: from one.mind.net (one.mind.net [206.99.66.5]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA20898 for ; Fri, 31 May 1996 16:18:09 -0700 (PDT)
Received: from takhus.mind.net (takhus.mind.net [206.99.66.70]) by one.mind.net (8.6.12/8.6.10) with SMTP id QAA27462; Fri, 31 May 1996 16:17:08 -0700
Message-Id: <2.2.32.19960531232202.006f54f8@mind.net>
X-Sender: fleisher@mind.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 31 May 1996 16:22:02 -0700
To: David Babler
From: Anthony D Fleisher
Subject: Re: Limiting access
Cc: questions@freebsd.org
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 11:15 AM 5/31/96 -0700, you wrote:
>Greetings... I need a sanity check on something. I'm running FreeBSD as
>an adjunct to a BBS to provide users with shell accounts and general
>access to newsreaders and so on. The BBS software provides all the
>accounting and access control I need and by itself includes FTP, telnet,
>rlogin and so on. If I simply create accounts for them on the FBSD system
>and have them rlogin or telnet to it, I open a hole for them to bypass
>the normal accounting associated with charging them for usage. For
>instance, I have a number of subscription classes that allow access for a
>specific amount of time per day. If I create an account for such a user
>on the FBSD system, they could just as easily just find another place to
>telnet from and their usage bypasses the BBS altogether, essentially
>giving them far more access than they've paid for. My first thought of
>how to limit this seems like it should work, but maybe there is a better
>way to do it.
>

Why not just use tcpwrappers to restrict access?
Last I saw it was in the /security/tcp_wrappers directory of the ports collection.

>What I'm thinking of doing is to create their account on the FBSD system
>and then use vipw to make their passwords un-enterable ("*") and have the
>BBS in the etc/hosts.equiv file and use rlogin from the BBS. That way,
>their security is handled by the BBS (and they don't need to remember
>another password) and if they try to login from "outside", they can't
>because they can't enter the password. Am I overlooking something or is
>there some easily-exploitable hole in this?
>

1) What is stopping them from creating a .rhosts file (and thus not being required to enter a password)?

>Thanks!
>
>-Dave Babler
>

tcp_wrappers is by far the most complete solution as far as I am concerned.

Hope this helps,
---------------------------------------------------------
Anthony Fleisher        InfoStructure        fleisher@mind.net
611 Siskiyou Blvd.      voice:541-488-1962   fax:541-488-7599
Ashland OR 97520
---------------------------------------------------------
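As an added illustration of the two points in this reply (it is example code written for this archive page, not something Anthony or the FreeBSD project posted), the script below writes the tcp_wrappers rules that would admit rlogin and telnet only from the BBS machine, and audits home directories for the ~/.rhosts files that would otherwise sidestep the "*" password. Assumptions: the BBS is at the placeholder address 192.0.2.10, the daemons are started from inetd under the names rlogind and telnetd, and the classic "daemon_list: client_list" syntax applies, with hosts.allow consulted before hosts.deny and the first match winning.

```shell
#!/bin/sh
# Added example, not from the thread: tcp_wrappers rules that let only the BBS
# reach the rlogin/telnet daemons, plus an audit for stray ~/.rhosts files,
# which would let a user bypass the "*" password through rhosts trust.
# Assumptions: BBS at 192.0.2.10 (placeholder), daemons named rlogind and
# telnetd as invoked by inetd, classic "daemon: client" tcp_wrappers syntax
# (hosts.allow is read first; first match wins; hosts.deny catches the rest).

BBS_HOST="${BBS_HOST:-192.0.2.10}"

# Write hosts.allow and hosts.deny into the directory given as $1
# (/etc on a real box; a scratch directory to try it out safely).
write_wrapper_rules() {
    dir="$1"
    cat > "$dir/hosts.allow" <<EOF
# Only the BBS may reach the login daemons.
rlogind telnetd: $BBS_HOST
EOF
    cat > "$dir/hosts.deny" <<EOF
# Anything not matched in hosts.allow is refused.
ALL: ALL
EOF
}

# Print every .rhosts found directly inside a home directory under $1.
find_rhosts() {
    find "$1" -mindepth 2 -maxdepth 2 -name .rhosts 2>/dev/null
}

# Count them, stripping whitespace so the result compares cleanly.
count_rhosts() {
    find_rhosts "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the rules in a scratch dir and audit /home.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_wrapper_rules "$tmp"
    cat "$tmp/hosts.allow" "$tmp/hosts.deny"
    echo ".rhosts files under /home: $(count_rhosts /home)"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the generated rules and the .rhosts count for /home. The deny-all in hosts.deny is what makes the scheme hold up: hosts.allow only names the exceptions, so a login attempt from anywhere other than the BBS never reaches the daemon, whatever the account's password field says.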