[23] in bugtraq

Re: Internet Worm

daemon@ATHENA.MIT.EDU (Fred Kuhns)
Tue Oct 18 11:28:55 1994

From: Fred Kuhns <Fred_Kuhns@npg.wustl.edu>
To: bugtraq@crimelab.com
Date: Tue, 18 Oct 1994 08:39:17 -0500 (CDT)
In-Reply-To: <199410171138.GAA26475@cbs.ksu.ksu.edu> from "Steve Davis" at Oct 17, 94 06:38:33 am

Steve Davis writes:
> 
> Various methods of making users' and administrators' lives a pain
> deleted.
> 
> Brett Lymn writes:
> 
> > This should stop the user creating a .rhosts file as there is a
> > directory there with that name.  
> 
> Seems to me that we would all be better served by running daemons that
> don't trust the user to determine valid remote authentication.  Why not
> fix the r-daemons and login to ignore these files?  This is certainly
> possible if a) you have source, and b) you're a competent enough
> programmer to #ifdef the necessary bits of code into oblivion.
> 
> Unfortunately, a) is rarely true.  It'd be nice if vendors would ship
> their products secure.

How about logdaemon by Wietse Venema? It has replacements for rlogind,
rshd, rexecd, ftpd and telnetd.  In addition to improved logging you can
disable the .rhosts files.  Plus he has added support for S/Key one-time
passwords. 

fred
-- 
