Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!wuarchive!uwm.edu!bionet!agate!ucbvax!euler.jsc.nasa.gov!johnson
From: johnson@euler.jsc.nasa.gov (Stan Johnson)
Newsgroups: comp.sys.sgi
Subject: RE: fix for login
Message-ID: <9103051653.AA26823@euler.jsc.nasa.gov>
Date: 5 Mar 91 16:53:16 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 23

Vernon Schryver writes:

>Please note that the fix for /bin/login does not close any security holes.
>The problem is only that people are forced to run the passwd command after
>being accepted as bona fide users. What happens is exactly the same as if
>someone had first used rlogin, and then typed `passwd`. At worst, this
>makes the new "password required" feature less useful. It does not allow
>anyone any access to machines that they did not already have. In fact, it
>effectively denies access.
(...)
>Vernon Schryver, vjs@sgi.com

You are absolutely right; my apologies. The fact that the user must first
enter his or her old password makes the problem one of convenience, not
security. I had forgotten that fact, since I ran into the problem as root
and so was not asked for the old password...

I should also mention that SGI hotline personnel were very helpful in
isolating and solving the problem.

-Stan Johnson
NASA / Johnson Space Center
(713) 483-4692
johnson@euler.jsc.nasa.gov