From owner-freebsd-questions  Fri May 31 17:09:07 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id RAA25077
          for questions-outgoing; Fri, 31 May 1996 17:09:07 -0700 (PDT)
Received: from Rigel.orionsys.com (root@rigel.orionsys.com [205.148.224.9])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA25068
          for <questions@freebsd.org>; Fri, 31 May 1996 17:09:04 -0700 (PDT)
Received: (from dbabler@localhost) by Rigel.orionsys.com (8.6.11/8.6.9) id RAA29140; Fri, 31 May 1996 17:09:24 -0700
Date: Fri, 31 May 1996 17:09:24 -0700 (PDT)
From: David Babler <dbabler@Rigel.orionsys.com>
To: questions@freebsd.org
Subject: Re: Limiting access
In-Reply-To: <199605312342.XAA24859@gatekeeper.fsl.noaa.gov>
Message-ID: <Pine.BSF.3.91.960531170148.29128C-100000@Rigel.orionsys.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk



On Fri, 31 May 1996, Sean Kelly wrote:

> >>>>> "Anthony" == Anthony D Fleisher <fleisher@mind.net> writes:
> 
>     Anthony> Why not just use tcpwrappers to restrict access?
> 
> Because it might be OK to enter the FreeBSD system from the
> network---such as from a remote access provider.  He wants to charge
> for his local modem usage to the BBS.  (I think.)
> 
What I'm trying to do is, at least for specific users, only allow access 
thru the BBS.

>     >> What I'm thinking of doing is to create their account on the
>     >> FBSD system and then use vipw to make their passwords
>     >> un-enterable ("*") and have the BBS in the etc/hosts.equiv file
>     >> and use rlogin from the BBS. That way, their security is
>     >> handled by the BBS (and they don't need to remember another
>     >> password) and if they try to login from "outside", they can't
>     >> because they can't enter the password. Am I overlooking
>     >> something or is there some easily-exploitable hole in this?
>     >> 
>     Anthony> 1) What is stoping them from creating a .rhosts file (and
>     Anthony> thus not required to enter a password)?
> 
> They won't be required to enter a password anyway since the BBS
> hostname will appear in the FreeBSD's /etc/hosts.equiv file.
> 
Rlogin from the BBS machine doesn't require passwords, but (hopefully) 
access from outside the domain does.

I assume the real problem would be if a user just deleted the stock 
.rhosts in their directory and replaced it with one of their own, thus 
making that a trusted system. I believe if I change permissions so they 
can't delete the file, I'm okay, yes?

-Dave Babler