Date: Mon, 17 Sep 2001 21:04:43 -0600
From: Nate Williams <nate@yogotech.com>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
Message-ID: <15270.47563.532734.979385@nomad.yogotech.com>
In-Reply-To: <200109151440.f8FEe2w91340@freefall.freebsd.org>
References: <200109151440.f8FEe2w91340@freefall.freebsd.org>

> From: David Malone <dwmalone@maths.tcd.ie>
> To: Gavin Atkinson <ga105@york.ac.uk>
> Cc: freebsd-gnats-submit@FreeBSD.org
> Subject: Re: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
> Date: Sat, 15 Sep 2001 15:33:00 +0100
>
> On Sat, Sep 15, 2001 at 07:20:22AM -0700, Gavin Atkinson wrote:
> > Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
> > Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.
>
> Surely you would be much better off using hosts.allow or ipfw to
> prevent such connections? That way you would stop connections
> using telnet and ssh too.

Surely not. Having to modify your firewall every time you had a host you wanted to allow, or did not want to allow is massive overkill. Especially if the list is long, because the firewall rules must be used for *every* packet, and this could get pretty long.

The existing mechanism is simply not (yet) up to the task. A firewall is a good tool, but it doesn't make it the only good tool in your belt. :)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message