Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!uakari.primate.wisc.edu!sdd.hp.com!elroy.jpl.nasa.gov!ames!eos!shelby!portia.stanford.edu!elaine33.stanford.edu!dhinds
From: dhinds@elaine33.stanford.edu (David Hinds)
Newsgroups: comp.sys.sgi
Subject: Re: Remote printing IRIX 3.3.1
Message-ID: <1990Dec12.222508.4108@portia.Stanford.EDU>
Date: 12 Dec 90 22:25:08 GMT
References: <9012110417.aa06748@VGR.BRL.MIL>
Sender: news@portia.Stanford.EDU
Organization: Stanford University - AIR
Lines: 26

In article <9012110417.aa06748@VGR.BRL.MIL> FL17@DLRVMBS.BITNET writes:
>
>Remote printing works nicely via the lp account with no password.
>However, anyone can log in as user "lp" with no password on our machines.
>Does anyone have a method to inhibit interactive logins as user "lp"
>while maintaining the remote printing feature ?

   I had a similar problem, in setting up one of our Irises so that a
Personal Iris could make backups remotely - 'bru' and 'mt' need to be
able to access the remote system through a guest account for which a password
isn't necessary.  The answer seems to be to give the account an invalid
password, but put an entry in the .rhosts file for that account specifying
that selected outside users are equivalent and don't need to specify a
password when using 'rsh', 'rlogin', etc.  Our 'lp' account is set up
this way, as well.  So, on the server Iris, the line in /etc/passwd is:

      lp:*:9:9:0000-lp(0000):/usr/spool/lp:

and the server's /usr/spool/lp/.rhosts file looks like:

      cb-iris2.stanford.edu lp

where cb-iris2 is the Personal Iris.  This seems to be reasonably safe.

 -David Hinds
  dhinds@cb-iris.stanford.edu