Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!rpi!pawl5.pawl.rpi.edu!night
From: night@pawl.rpi.edu (Trip Martin)
Newsgroups: comp.unix.wizards
Subject: Re: Multiple Root ID's considered evil?
Message-ID: <7383@rpi.edu>
Date: 17 Sep 89 01:02:44 GMT
References: <435@lxn.eds.com> <347@galadriel.bt.co.uk> <4183@buengc.BU.EDU>
Sender: usenet@rpi.edu
Organization: Rensselaer Polytechnic Institute, Troy, NY
Lines: 15

In article <4183@buengc.BU.EDU> bph@buengc.bu.edu (Blair P. Houghton) writes:
>With a * in the password field, and a hostname in his .rhosts, a user
>can log in without a password from that "trusted" host.
>
>Make up your own method to fix this. I think I'll just rot13 the .rhosts
>of people who "don't need" their access, after starring them out.

The method I've seen, and used on at least one occasion to plug that hole
is to make their login shell something that can't be executed, usually
/dev/null. I think I can guarantee that no one's going to log in using
that account without a login shell.

Trip Martin KA2LIV        night@pawl.rpi.edu
Finite state machinist    night@uruguay.acm.rpi.edu
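
An audit for the gap discussed in this thread, as an added example that is not part of either poster's message: it lists accounts whose password field is starred out but which still have an executable login shell and a .rhosts file. It assumes the password field lives in the passwd-format file itself, as in the thread; the ROOT prefix argument, the demo function and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_starred PASSWD_FILE [ROOT]
# Prints "user shell" for each account whose password field is starred out
# but which still has an executable login shell and a .rhosts file.
# ROOT (an assumption of this sketch) is prefixed to home and shell paths so
# the check can run against a copied tree; leave it empty for the live system.
audit_starred() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $pw in
            '*'*) ;;            # starred-out password: keep checking
            *) continue ;;      # any other password field: out of scope here
        esac
        [ -n "$shell" ] || shell=/bin/sh   # empty shell field means /bin/sh
        # A shell that is not an executable regular file (e.g. /dev/null)
        # cannot be started, so the .rhosts trust leads nowhere.
        if [ -f "$root$shell" ] && [ -x "$root$shell" ] &&
           [ -f "$root$home/.rhosts" ]; then
            printf '%s %s\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# Constructed sample tree and passwd entries, for demonstration only.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/home/alice" "$t/home/bob" "$t/home/carol"
    printf '#!/bin/sh\n' > "$t/bin/sh" && chmod 755 "$t/bin/sh"
    for u in alice bob carol; do echo trustedhost > "$t/home/$u/.rhosts"; done
    cat > "$t/passwd" <<'EOF'
alice:*:101:10:Alice:/home/alice:/bin/sh
bob:*:102:10:Bob:/home/bob:/dev/null
carol:Xy3kQz9abcdef:103:10:Carol:/home/carol:/bin/sh
dave:*:104:10:Dave:/home/dave:/bin/sh
EOF
    audit_starred "$t/passwd" "$t"
    rm -rf "$t"
}

demo
```

In the sample, only alice is reported: bob's shell cannot be executed, carol's password field is not starred, and dave has no .rhosts.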