Date:      Sat, 23 Nov 1996 09:40:12 -0500
From:      Skip Watson <ciaran@aldhfn.aldhfn.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/2092: rlogind not using passwords
Message-ID:  <199611231440.JAA04480@aldhfn.aldhfn.org>
Resent-Message-ID: <199611231450.GAA28656@freefall.freebsd.org>


>Number:         2092
>Category:       bin
>Synopsis:       rlogind not using passwords
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 23 06:50:03 PST 1996
>Last-Modified:
>Originator:     Skip Watson
>Organization:
Skip
--
Auldhaefen Online Services		automated info: info@aldhfn.org
330 745-9380 voice			     questions: support@aldhfn.org
330 753-8791 bbs/fax			        person: ciaran@aldhfn.org
330 745-7624 data		                   WWW: http://www.ald.net
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD aldhfn.aldhfn.org 2.1.0-RELEASE FreeBSD 2.1.0-RELEASE #0: Mon Nov 20 13:22:52 EST 1995     ciaran@aldhfn.aldhfn.org:/usr/src/sys/compile/ALDHFN  i386

and

FreeBSD arachne.aldhfn.org 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: Thu Jul 18 02:24:53 EDT 1996     root@arachne.aldhfn.org:/usr/src/sys/compile/ARACHNE  i386

>Description:

	When using rlogin from a remote site, rlogind does not use passwords 
on the local machine. As an example, user "timmy" has an account on our 
machine (aldhfn.aldhfn.org) with a password of "letmein". He also has an 
account of "timmy" at xyz.com with a password of "whocares". "timmy" logs 
into "xyz.com" and then rlogins to our machine. rlogind logs him directly 
into our machine without asking for his password on our machine. Since the 
two passwords are different, it should be authenticating him rather than 
logging him in directly.
	This is a major problem since anyone can login as anyone else, even 
root.
	The same thing is occurring with arachne.aldhfn.org which is running 
2.1.5. I have gotten in 2.1.6 but haven't had time to install it. I don't know
if 2.1.6 will solve this problem or not. 

>How-To-Repeat:

	It happens all of the time. There's nothing special that needs to be 
done.

>Fix:
	
	Don't know.	

>Audit-Trail:
>Unformatted:


