Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!sample.eng.ohio-state.edu!purdue!haven.umd.edu!umd5!cogsci!wjb
From: wjb@cogsci.cog.jhu.edu
Newsgroups: comp.unix.admin
Subject: Re: Network Logins
Message-ID: <26.Jun.91.180755.70@cogsci.cog.jhu.edu>
Date: 26 Jun 91 22:07:55 GMT
References: <1991May28.135719.13805@cs.utk.edu>
Organization: JHU Cognitive Science Center, Baltimore, MD
Lines: 33

peter@ficc.ferranti.com (Peter da Silva) writes:
>woo@ornl.gov (John W. Wooten) writes:
>>Is there a way to set up workstations so that if a user types
>>woo@woonext.dsrd.ornl.gov at login, the login procedure would open a telnet
>>session to the machine described without ever giving access to the physical
>>machine he's standing in front of?...
>
>Sure it's doable. Just set up an account called "telnet", then have a program
>that's run on login (preferably as the login shell) that asks for a remote
>system name and establishes a connection to it.

Yes, it is doable, but it isn't always advisable. Ferranti.com seems to only
have MX records in the DNS and I don't know whether or not you publish your
modem dialup numbers. You can therefore look at your network as a small
closed system and not worry too much about people "cracking" your machines.
Ornl.gov is ping'able on the Internet and setting up such an account there
would allow someone trying to "crack" on the Internet to use their systems as
a way to make it harder to track them down. Just imagine the difficulty of
trying to determine the physical location of a cracker when they can place an
unknown number of machines between their initial entry to the Internet and
their current target.

This can, of course, be made less useful to crackers by doing such things as
having a password on the account, restricting the account to the console or
direct wired terminal only (no network or modem access), and restricting the
systems to which you can connect. Most sites on the Internet have placed
restrictions on their TCP/IP terminal servers such that you can only access
machines on the local network, to defend against this kind of activity.

It would be nice if concerns about security never affected the services that
are made available to users, but sometimes that just isn't possible.

Bill Bogstad
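
The restrictions listed in the post above (console or direct-wired terminal only, and a limited set of destination systems), written out as a login shell for such a relay account. This is an added example, not part of the original post; the script name, the terminal list, the second allowed host and the telnet -E option are assumptions.

```shell
#!/bin/sh
# Added example: restricted login shell for a relay account, installed under
# the hypothetical name "telnet-relay". The account password is set as usual.

# Constructed policy values; adjust per site.
ALLOWED_TTYS="/dev/console /dev/ttyS0"
ALLOWED_HOSTS="woonext.dsrd.ornl.gov hosta.example.org"

# True only for the console or a direct-wired line (no pty, no modem line).
tty_allowed() {
    for t in $ALLOWED_TTYS; do
        if [ "$1" = "$t" ]; then return 0; fi
    done
    return 1
}

# True only for an exact, case-insensitive allowlist match. Rejects empty
# input, a leading "-" (would parse as an option) and non-hostname characters.
host_allowed() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$h" in
        ''|-*|*[!a-z0-9.-]*) return 1 ;;
    esac
    for a in $ALLOWED_HOSTS; do
        if [ "$h" = "$a" ]; then return 0; fi
    done
    return 1
}

# $1 = terminal device, $2 = requested host. 0 = allow, 1 = bad tty, 2 = bad host.
relay_check() {
    tty_allowed "$1" || return 1
    host_allowed "$2" || return 2
    return 0
}

relay_main() {
    trap '' INT QUIT TSTP            # no signal-driven drop to a shell
    term=$(tty) || exit 1            # not a terminal at all: refuse
    printf 'Remote system: '
    read -r host || exit 1
    if relay_check "$term" "$host"; then
        # -E: no escape character (netkit/BSD telnet; assumed available)
        exec telnet -E "$host"
    fi
    echo "Refused by local policy."; exit 1
}
# Run only when invoked under the login-shell name, not when sourced.
case "$0" in *telnet-relay) relay_main ;; esac
```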