Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!ucbvax!RED.RUTGERS.EDU!AWalker
From: AWalker@RED.RUTGERS.EDU.UUCP
Newsgroups: mod.computers.vax
Subject: Defeating the secondary password
Message-ID: <12274303544.24.AWALKER@RED.RUTGERS.EDU>
Date: Tue, 27-Jan-87 13:03:07 EST
Article-I.D.: RED.12274303544.24.AWALKER
Posted: Tue Jan 27 13:03:07 1987
Date-Received: Thu, 29-Jan-87 03:29:31 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 14
Approved: info-vax@sri-kl.arpa

There are two instances I can think of that allow an account with two passwords
to "log in" using only one.

The "authorization" window on a Vaxstation [vs100, not microvax workstation]
accepts one password, the first one, and will then create jobs with that
username from then on whether that account had a second password or not.

The Wollongong FTP server, and I suspect others, will "log in" an incoming
connection when just the first password is supplied.

So much for paranoid security!

_H*
-------