Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!csd4.csd.uwm.edu!lll-winken!brutus.cs.uiuc.edu!tut.cis.ohio-state.edu!uc!nic.MR.NET!thor.acc.stolaf.edu!mike
From: mike@thor.acc.stolaf.edu (Mike Haertel)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security
Message-ID: <4641@thor.acc.stolaf.edu>
Date: 19 Aug 89 08:02:14 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP> <4614@thor.acc.stolaf.edu> <328@uvaarpa.virginia.edu>
Reply-To: mike@thor.stolaf.edu
Distribution: inet
Organization: St. Olaf College, Northfield, MN
Lines: 40

In article <328@uvaarpa.virginia.edu> randall@uvaarpa.Virginia.EDU (Randall Atkinson) writes:
>In article <4614@thor.acc.stolaf.edu>,
> mike@thor.stolaf.edu (Mike Haertel) writes:
>
>>If many people would put "*" in their hypothetical .netaccess files
>>(and I am certainly among those who would) then attempting to restrict
>>network logins in such a way is not a good idea to begin with.
>
>In short, you are saying that since you won't use a method of
>improving security yourself that no one should use that method.

That is not at all what I said; learn to read English. I did not say
"Since I would ... it is not a good idea", I said "If many people ...
it is not a good idea."

If a sufficient number of people disabled host name access checking
for their accounts, it would be as if there were no access checking at
all. If you had access checking turned on, but some other user on your
machine didn't for their account, then your account would be nearly as
exposed as theirs, as a bad guy logged into their account would be
about 95% of the way to yours.

Occasionally for my own amusement I will attempt to invent a new way to
become the superuser; over the past few years I have found a surprising
number of methods. I am convinced that if an interloper has access to
any one `normal' account on your machine, that is as good as having
access to all, if the interloper is reasonably talented. Fortunately
most malicious people are more interested in being nasty than in
learning the subtle aspects of the system.

>I disagree strongly. If there were such a mechanism to restrict the
>origin of telnet sessions to my accounts, I would use it.

You can easily restrict telnet sessions to your own account; just write
a short login shell that checks the remote host before execing your
real shell. But if you have a reasonably `secure' password there is
really no reason to waste the effort.
-- 
Mike Haertel
``There's nothing remarkable about it. All one has to do is hit the right
keys at the right time and the instrument plays itself.'' -- J. S. Bach
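The per-account login-shell wrapper the post describes, written out as an added example; this is not code from the original post or from its author. It assumes a hypothetical allowlist at `$HOME/.netaccess` with one shell pattern per line (a line of `*` allows every origin, which is exactly the entry the thread argues makes the scheme pointless), takes the remote origin from `SSH_CONNECTION` (set by sshd) or `REMOTEHOST` (set by some `login`/`telnetd` implementations), and is assumed to be installed as `~/bin/netaccess-sh`. The function names `remote_origin`, `origin_allowed` and `enforce_access` are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper installed as the
# account's login shell that checks where the session came from before
# exec'ing the real shell.
#
# Assumptions (all hypothetical): the allowlist is $HOME/.netaccess with one
# shell pattern per line ("*" allows any origin, the case the post says makes
# the whole scheme worthless); the remote origin comes from SSH_CONNECTION
# (sshd) or REMOTEHOST (some telnetd/login implementations); the wrapper is
# installed as ~/bin/netaccess-sh.

REAL_SHELL="${REAL_SHELL:-/bin/sh}"
ACCESS_FILE="${ACCESS_FILE:-$HOME/.netaccess}"

# remote_origin: print the remote address or host name, or "local" when the
# session did not arrive over the network (console login, su, cron).
remote_origin() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        # SSH_CONNECTION is "client_ip client_port server_ip server_port"
        set -- $SSH_CONNECTION
        printf '%s\n' "$1"
    elif [ -n "${REMOTEHOST:-}" ]; then
        printf '%s\n' "$REMOTEHOST"
    else
        printf 'local\n'
    fi
}

# origin_allowed ORIGIN FILE: return 0 if ORIGIN matches a pattern in FILE.
# Local sessions are always allowed; a missing or unreadable FILE denies all
# network origins (fail closed rather than silently behaving like "*").
origin_allowed() {
    origin=$1
    file=$2
    if [ "$origin" = local ]; then
        return 0
    fi
    if [ ! -r "$file" ]; then
        return 1
    fi
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        # An unquoted expansion in a case pattern is matched as a shell glob,
        # so "10.0.0.*" or "*.example.edu" work; a bare "*" matches everything.
        case $origin in
            $pattern) return 0 ;;
        esac
    done < "$file"
    return 1
}

# enforce_access: the login-shell behaviour. Exec the real shell only when
# the origin is on the list; otherwise report why and end the session.
enforce_access() {
    origin=$(remote_origin)
    if origin_allowed "$origin" "$ACCESS_FILE"; then
        # -l asks the real shell to start as a login shell (bash, dash, ksh)
        exec "$REAL_SHELL" -l
    fi
    printf 'login from %s refused by %s\n' "$origin" "$ACCESS_FILE" >&2
    exit 1
}

# Enforce only when run as the installed login shell (login prefixes argv[0]
# with "-"), so that sourcing this file for testing does not exec anything.
case $0 in
    *netaccess-sh) enforce_access ;;
esac
```

The wrapper is made the account's login shell with `chsh` (or by an administrator editing the password file, since many systems only accept shells listed in /etc/shells). Two design points follow directly from the thread: the check fails closed when the allowlist is missing, so an account that never created one is not quietly treated as `*`; and, as the post says, the check protects only this account, not the machine, since any other account on the same host that allows `*` remains the easy way in.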