Bugtraq mailing list archives

Re: Aix rlogind


From: wietse () wzv win tue nl (Wietse Venema)
Date: Sat, 21 May 94 16:16:45 MET DST


What are the details on this new bug?

One week ago I received mail from someone who used my agetty program
(flexible login front end for SysV and SunOS), after he had discovered
that it would pass on usernames that begin with '-'.  I wrote the
program in the days of SysV.2, when login did not have any command-
line switches, so it had never been a problem there.

These days, usernames that begin with '-' can wreak havoc with login
programs that have options to disable password checking (-r, -f).  I
posted a note to various news groups with a small context diff for
my agetty source that disabled usernames beginning with '-'.

In the next couple of days I received reactions from people who were
triggered by this problem. It turned out that most network daemons will
pass on usernames that begin with '-'.

I guess quite a few are having fun now with telnet -l and rlogin -l.

        Wietse


