Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!samsung!think!Think.COM!barmar
From: barmar@Think.COM
Newsgroups: comp.unix.wizards
Subject: Re: ftp using .rhosts or rhsts.equiv
Message-ID: <32144@news.Think.COM>
Date: 13 Dec 89 05:31:37 GMT
References: <32098@news.Think.COM>
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 17

In article dougm@ico.isc.com (Doug McCallum) writes:
>Non-UNIX systems don't have the privileged port mechanism.  It would
>be quite simple to spoof the FTP daemon even with the mechanism you
>suggest.  It would be much better to add something like the Kerberos
>authentication system and forget the privileged port business.

The original poster was only looking for a mechanism as secure as rsh,
which uses privileged ports and the hosts.equiv file to implement its
security.  If a site is concerned about spoofing, it should only put
Unix systems in its hosts.equiv file.  Password-less access would
always be rejected from hosts not in this file; for hosts in the file
("trusted" hosts), password-less access would be permitted only from
privileged ports.

Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
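
Added example, not part of the original post and not taken from any rsh or ftpd source: a C sketch of the password-less access policy described in the reply above. The function names, the sample file contents and the choice to ignore "+", "-" and "host user" entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define PORT_RESERVED 1024u /* on Unix only root can bind ports below this */
enum decision { NEED_PASSWORD, ALLOW_PASSWORDLESS };

/* Return 1 if host is a plain entry in hosts.equiv-style text. Assumption:
 * comments, "+", "-" and "host user" lines never grant trust here. */
static int host_is_trusted(const char *equiv, const char *host)
{
    while (*equiv) {
        char line[256], name[128], extra[128];
        size_t n = strcspn(equiv, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, equiv, c);
        line[c] = '\0';
        equiv += n + (equiv[n] == '\n');
        int fields = sscanf(line, "%127s %127s", name, extra);
        if (fields < 1 || name[0] == '#' || name[0] == '+' || name[0] == '-')
            continue;
        if (fields == 2 && extra[0] != '#')
            continue;
        if (strcasecmp(name, host) == 0)
            return 1;
    }
    return 0;
}

/* The policy from the post: unlisted hosts always need a password; listed
 * hosts skip it only when the connection comes from a privileged port. */
enum decision decide(const char *equiv, const char *host, unsigned port)
{
    if (!host_is_trusted(equiv, host))
        return NEED_PASSWORD;
    if (port == 0 || port >= PORT_RESERVED)
        return NEED_PASSWORD;
    return ALLOW_PASSWORDLESS;
}

/* Constructed sample file contents (hypothetical host names). */
static const char SAMPLE_EQUIV[] =
    "# trusted Unix hosts\n" "alpha.example.com\n" "+\n"
    "beta.example.com someuser\n" "  Gamma.Example.COM  # lab machine\n";

int main(void)
{
    printf("%d\n", decide(SAMPLE_EQUIV, "alpha.example.com", 1021));
    return 0;
}
```

The decision rests entirely on the peer's claimed address and source port, so it is only as strong as the set of hosts listed in the file.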