Path: utzoo!attcan!uunet!seismo!rick
From: rick@seismo.CSS.GOV (Rick Adams)
Newsgroups: news.sysadmin
Subject: Re: Site impersonation (was: Is uunet a security hole?)
Summary: That was the POINT
Keywords: uucp logins security
Message-ID: <44479@beno.seismo.CSS.GOV>
Date: 9 Jan 89 21:26:26 GMT
References: <10420@rpp386.Dallas.TX.US> <44465@beno.seismo.CSS.GOV> <5048@b-tech.ann-arbor.mi.us>
Distribution: na
Organization: Center for Seismic Studies, Arlington, VA
Lines: 21

In article <5048@b-tech.ann-arbor.mi.us>, zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) writes:
> >In article <44477@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
> >>
> >>I don't consider it "safe" when any site that also has an entry
> >>in that sites Systems file can impersonate me.
> >>
> 
> In case other postings wern't clear, the HDB VALIDATE option makes it
> possible to require any site claiming to be xxx to use login yyy.  This
> eliminates any impersonation problem (except for sites which share a login).
					^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That was my point. If sites share a login, then any of them
can impersonate one of the others. Therefore, it is unsafe.

The orignal article claimed that if your Permissions was set up
properly, you could "safely" run with one login.

You may find this level of "safety" acceptable for certain situations,
but it is not inherently "safe".

---rick