Multiple Root ID's considered evil?
Trip Martin
night at pawl.rpi.edu
Sun Sep 17 11:02:44 AEST 1989
In article <4183 at buengc.BU.EDU> bph at buengc.bu.edu (Blair P. Houghton) writes:
>With a * in the password field, and a hostname in his .rhosts, a user
>can log in without a password from that "trusted" host.
>
>Make up your own method to fix this. I think I'll just rot13 the .rhosts
>of people who "don't need" their access, after starring them out.
The method I've seen, and used on at least one occasion to plug that
hole, is to make their login shell something that can't be executed,
usually /dev/null. I think I can guarantee that no one's going to
log in using that account without a login shell.
Trip Martin KA2LIV night at pawl.rpi.edu
Finite state machinist night at uruguay.acm.rpi.edu
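
An added example, not part of the original post: a small audit that reads passwd-format entries and reports accounts whose password field is starred out but which still have a non-empty .rhosts and an executable login shell, the combination discussed above. The function names, sample entries and hostname are constructed for illustration.

```python
import os
import tempfile

def starred_but_reachable(passwd_text, root="/"):
    """List accounts with a '*' password field that still have a non-empty
    .rhosts and an executable login shell. Paths are resolved under root."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed entry
        user, pw, _uid, _gid, _gecos, home, shell = fields
        if not pw.startswith("*"):
            continue  # password login is not starred out
        shell = shell or "/bin/sh"  # an empty shell field means /bin/sh
        rhosts = os.path.join(root, home.lstrip("/"), ".rhosts")
        shell_path = os.path.join(root, shell.lstrip("/"))
        has_rhosts = os.path.isfile(rhosts) and os.path.getsize(rhosts) > 0
        # /dev/null (a device, not a regular file) fails this check.
        shell_runs = os.path.isfile(shell_path) and os.access(shell_path, os.X_OK)
        if has_rhosts and shell_runs:
            findings.append(user)
    return findings

def demo():
    # Constructed sample entries and hostname, not from any real system.
    passwd = (
        "alice:*:101:10:Alice:/home/alice:/bin/sh\n"
        "bob:*:102:10:Bob:/home/bob:/dev/null\n"
        "carol:*:103:10:Carol:/home/carol:/bin/sh\n"
        "dave:CONSTRUCTEDHASH:104:10:Dave:/home/dave:/bin/sh\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        sh = os.path.join(root, "bin", "sh")
        open(sh, "w").close()
        os.chmod(sh, 0o755)
        for user in ("alice", "bob", "carol", "dave"):
            home = os.path.join(root, "home", user)
            os.makedirs(home)
            if user != "carol":  # carol has no .rhosts
                with open(os.path.join(home, ".rhosts"), "w") as f:
                    f.write("trusted.example.edu\n")
        return starred_but_reachable(passwd, root)

if __name__ == "__main__":
    print(demo())
```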