[19595] in Athena Bugs
Re: access_on documentation bugs, security concerns
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Aug 11 09:35:50 2001
Message-Id: <200108111335.JAA31639@egyptian-gods.MIT.EDU>
To: "Christopher D. Beland" <beland@MIT.EDU>
cc: bugs@MIT.EDU, ostock@MIT.EDU
In-Reply-To: Your message of "Sat, 11 Aug 2001 03:56:55 EDT."
<200108110756.DAA01173@Press-Your-Luck.mit.edu>
Date: Sat, 11 Aug 2001 09:35:46 -0400
From: Greg Hudson <ghudson@MIT.EDU>
> If I'm not mistaken, I confirmed with Athena 9.0 in the test cluster
> a while back that "ssh machine" won't actually work on public Athena
> machines, because they are not configured to run sshd by default. I
> personally I don't understand why not.
Because public workstations can't keep a secret ssh key.
> Typing "access_on" is actually more dangerous than this answer leads
> one to believe.
I'd be happy to disable it, but I don't know if that would irritate
users too much. It's not like you can log in remotely as a user
without sending your password over the net in the clear.
> the message includes the host they are coming from, and perhaps
> their real username, if retrievable
It's not going to be retrievable in any secure way, since you don't
authenticate when you log in as root with the root password.
