Bugtraq mailing list archives

Re: Security Info (root broken)


From: pug () arlut utexas edu (Pug)
Date: Thu, 29 Sep 1994 17:43:27 -0600 (CDT)


That is a point that is also going into the summary.  It's a shame, because
the r commands are useful at times.

We have made it so we can use r commands with the password verification
(i.e. rlogin) turned on. We did this by getting the source to login and
commenting out the call to see if it's a legitimate remote user. This
bypasses the /etc/hosts.equiv and ~/.rhosts check. Unfortunately if
you want /etc/hosts.equiv without ~/.rhosts, you have to modify the
library call ruserok().

That's a thought.  It precludes using them in any automated scripts, though.

You're correct. We are working on a more secure way to do this. Another
alternative would be to run tcp_wrapper around them. This means you
would have to trust certain hosts, but it's better than nothing.

Ciao,

-- 
Richard Bainter          Mundanely     |    System Analyst        - OMG/CSD
Pug                      Generally     |    Applied Research Labs - U.Texas
          pug () arlut utexas edu         |    pug () bga com
Note: The views may not reflect my employers, or even my own for that matter.
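
An added example, not part of the original post: a small Python audit of rhosts-style trust files (the /etc/hosts.equiv and ~/.rhosts entries discussed above) that flags entries trusting more than a single named host and lists the plain hosts a tcp_wrapper rule would have to cover. The sample file contents and the function names are constructed for illustration.

```python
"""Audit rhosts-style trust files (/etc/hosts.equiv, ~/.rhosts) for risky entries."""

# Constructed sample content; not taken from any real host.
SAMPLE_HOSTS_EQUIV = """\
# trusted lab machines
alpha.example.org
beta.example.org operator
+
+@labhosts
-gamma.example.org
+ +
"""


def _entries(text):
    """Yield (line_number, line, host, user) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' lines treated here as comments
            continue
        fields = line.split()
        yield lineno, line, fields[0], (fields[1] if len(fields) > 1 else None)


def audit_trust_file(text, system_wide=True):
    """Return (line_number, entry, finding) tuples for entries that widen trust."""
    findings = []
    for lineno, line, host, user in _entries(text):
        if host.startswith("-"):
            continue  # explicit deny entry, grants nothing
        if host == "+":
            findings.append((lineno, line, "wildcard host: every remote host is trusted"))
        elif host.startswith("+@"):
            findings.append((lineno, line, "netgroup trust: depends on netgroup contents"))
        if user == "+":
            findings.append((lineno, line, "wildcard user: any remote user is trusted"))
        elif user and not user.startswith("-") and system_wide:
            # In a system-wide file a named remote user is not tied to one local account.
            findings.append((lineno, line, "named remote user can use any non-root local account"))
    return findings


def trusted_hosts(text):
    """Return the plain hostnames granted trust (wildcards, netgroups, denies excluded)."""
    hosts = []
    for _, _, host, _ in _entries(text):
        name = host[1:] if host.startswith("+") else host
        if name and not host.startswith("-") and not name.startswith("@"):
            hosts.append(name)
    return hosts
```

Pass `system_wide=False` when auditing a user's ~/.rhosts, where a named remote user is the normal form of an entry.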


