Unix network security

Mike Haertel mike at thor.acc.stolaf.edu
Sat Aug 19 18:02:14 AEST 1989


In article <328 at uvaarpa.virginia.edu> randall at uvaarpa.Virginia.EDU (Randall Atkinson) writes:
>In article <4614 at thor.acc.stolaf.edu>,
>	mike at thor.stolaf.edu (Mike Haertel) writes:
>
>>If many people would put "*" in their hypothetical .netaccess files
>>(and I am certainly among those who would) then attempting to restrict
>>network logins in such a way is not a good idea to begin with.
>
>In short, you are saying that since you won't use a method of
>improving security yourself that no one should use that method.

That is not at all what I said; learn to read English.  I did not
say "Since I would ... it is not a good idea", I said "If many people
... it is not a good idea."

If a sufficient number of people disabled host name access checking for
their accounts, it would be as if there were no access checking at
all.  If you had access checking turned on, but some other user on your
machine didn't for their account, then your account would be nearly as
exposed as theirs, as a bad guy logged into their account would be
about 95% of the way to yours.  Occasionally for my own amusement I
will attempt to invent a new way to become the superuser; over the past
few years I have found a surprising number of methods.  I am convinced
that if an interloper has access to any one `normal' account on your
machine, that is as good as having access to all, if the interloper is
reasonably talented.  Fortunately most malicious people are more
interested in being nasty than in learning the subtle aspects of the
system.

>I disagree strongly.  If there were such a mechanism to restrict the
>origin of telnet sessions to my accounts, I would use it.

You can easily restrict telnet sessions to your own account; just
write a short login shell that checks the remote host before execing
your real shell.  But if you have a reasonably `secure' password
there is really no reason to waste the effort.
-- 
Mike Haertel <mike at stolaf.edu>
``There's nothing remarkable about it.  All one has to do is hit the right
  keys at the right time and the instrument plays itself.'' -- J. S. Bach
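
The login-shell check suggested in the post above, as an added example (not part of the original post and not its author's code): a C wrapper that reads the remote host recorded for the login tty in utmpx and only then execs the real shell. The allow-list entries, the `REAL_SHELL` path and the function names `host_allowed` and `remote_host` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <utmpx.h>
#define REAL_SHELL "/bin/sh" /* assumption: the account's real shell */
/* Constructed allow-list: ".domain" = any host under it, else exact match. */
static const char *const ALLOWED[] = { ".example.edu", "192.0.2.10" };
/* 1 if host matches an entry, else 0; "" (local login) fails closed too. */
int host_allowed(const char *host, const char *const *pats, size_t n)
{
    size_t hl = host ? strlen(host) : 0, pl, i;
    for (i = 0; host != NULL && i < n; i++) {
        pl = strlen(pats[i]);
        if (pats[i][0] != '.' ? strcasecmp(host, pats[i]) == 0
            : hl > pl && strcasecmp(host + hl - pl, pats[i]) == 0)
            return 1;
    }
    return 0;
}

/* Copy the host utmpx records for the tty on fd into buf; 0 on success. */
int remote_host(int fd, char *buf, size_t len)
{
    struct utmpx key, *ut;
    const char *tty = ttyname(fd);
    if (tty == NULL || strncmp(tty, "/dev/", 5) != 0)
        return -1;
    memset(&key, 0, sizeof key);
    strncpy(key.ut_line, tty + 5, sizeof key.ut_line - 1);
    setutxent();
    if ((ut = getutxline(&key)) != NULL) /* ut_host may lack a NUL: bound it */
        snprintf(buf, len, "%.*s", (int)sizeof ut->ut_host, ut->ut_host);
    endutxent();
    return ut != NULL ? 0 : -1;
}

int main(void)
{
    char host[300];
    if (remote_host(STDIN_FILENO, host, sizeof host) != 0 ||
        !host_allowed(host, ALLOWED, sizeof ALLOWED / sizeof ALLOWED[0])) {
        fputs("login from this host is not permitted\n", stderr);
        return 1;
    }
    execl(REAL_SHELL, "-sh", (char *)NULL); /* "-" prefix: run as login shell */
    perror(REAL_SHELL);
    return 127;
}
```

`ut_host` holds whatever name the login daemon recorded, typically from a reverse DNS lookup and cut to the field width, so the check is only as reliable as that record.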


