Date:      Fri, 31 May 1996 17:09:24 -0700 (PDT)
From:      David Babler <dbabler@Rigel.orionsys.com>
To:        questions@freebsd.org
Subject:   Re: Limiting access
Message-ID:  <Pine.BSF.3.91.960531170148.29128C-100000@Rigel.orionsys.com>
In-Reply-To: <199605312342.XAA24859@gatekeeper.fsl.noaa.gov>



On Fri, 31 May 1996, Sean Kelly wrote:

> >>>>> "Anthony" == Anthony D Fleisher <fleisher@mind.net> writes:
> 
>     Anthony> Why not just use tcpwrappers to restrict access?
> 
> Because it might be OK to enter the FreeBSD system from the
> network---such as from a remote access provider.  He wants to charge
> for his local modem usage to the BBS.  (I think.)
> 
What I'm trying to do is, at least for specific users, only allow access 
thru the BBS.

>     >> What I'm thinking of doing is to create their account on the
>     >> FBSD system and then use vipw to make their passwords
>     >> un-enterable ("*") and have the BBS in the etc/hosts.equiv file
>     >> and use rlogin from the BBS. That way, their security is
>     >> handled by the BBS (and they don't need to remember another
>     >> password) and if they try to login from "outside", they can't
>     >> because they can't enter the password. Am I overlooking
>     >> something or is there some easily-exploitable hole in this?
>     >> 
>     Anthony> 1) What is stopping them from creating a .rhosts file (and
>     Anthony> thus not required to enter a password)?
> 
> They won't be required to enter a password anyway since the BBS
> hostname will appear in the FreeBSD's /etc/hosts.equiv file.
> 
Rlogin from the BBS machine doesn't require passwords, but (hopefully) 
access from outside the domain does.

I assume the real problem would be if a user just deleted the stock 
.rhosts in their directory and replaced it with one of their own, thus 
making that a trusted system. I believe if I change permissions so they 
can't delete the file, I'm okay, yes?

-Dave Babler
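
Added example, not part of the original message: on Unix, removing or replacing a file is governed by write permission on the containing directory rather than by the file's own mode, so an audit of the setup discussed in this thread has to check the home directory as well as `.rhosts`. The sketch assumes a stock copy of `.rhosts` kept outside the user's reach; the `audit_rhosts` helper and the `bbs` host name are hypothetical.

```sh
#!/bin/sh
# Added example: audit one account's .rhosts against the stock copy.

# Print "MODE OWNER" for a path, e.g. "drwxr-xr-x root".
mode_owner() { ls -ld "$1" | awk 'NR==1 {print substr($1, 1, 10), $3}'; }

# check_entry LABEL PATH OWNER: flag write bits and unexpected ownership.
check_entry() {
    mo=$(mode_owner "$2"); mode=${mo% *}; owner=${mo#* }; bad=0
    case $mode in   # owner, group or other write bit set
        ??w*|?????w*|????????w*) echo "${1}_WRITABLE $2 ($mode)"; bad=1 ;;
    esac
    [ "$owner" = "$3" ] || { echo "${1}_OWNER $2 ($owner)"; bad=1; }
    return $bad
}

# audit_rhosts HOME_DIR STOCK_FILE [OWNER]
# OWNER (assumed default: root) should own both HOME_DIR and its .rhosts.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_rhosts() {
    home=$1; stock=$2; want=${3:-root}; rc=0
    rhosts=$home/.rhosts

    # Unlinking or renaming an entry is governed by the directory's write
    # bits, not the file's mode, and a directory's owner can chmod it back.
    # (Conservative: the sticky bit is not taken into account.)
    check_entry DIR "$home" "$want" || rc=1

    if [ -L "$rhosts" ] || [ ! -f "$rhosts" ]; then
        echo "NOT_REGULAR_FILE $rhosts"; return 1
    fi
    # Contents must match the stock copy byte for byte.
    cmp -s "$rhosts" "$stock" || { echo "MODIFIED $rhosts"; rc=1; }
    check_entry FILE "$rhosts" "$want" || rc=1
    return $rc
}

# Constructed demo: the stock file trusts a hypothetical host named "bbs".
demo=$(mktemp -d) && printf 'bbs\n' > "$demo/stock" &&
    cp "$demo/stock" "$demo/.rhosts" && chmod 444 "$demo/.rhosts"
audit_rhosts "$demo" "$demo/stock" || true   # 0444 file, yet DIR_WRITABLE
rm -rf "$demo"
```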


