[974] in Athena Bugs
.rhosts file, all releases.
daemon@ATHENA.MIT.EDU (John D. Kubiatowicz)
Sun Sep 18 18:22:48 1988
To: bugs@ATHENA.MIT.EDU
Date: Sun, 18 Sep 88 18:22:12 EDT
From: John D. Kubiatowicz <kubitron@ATHENA.MIT.EDU>

The fact that our login program accepts .rhosts files may be necessary for
backward-compatibility, but it is a security hole.
One of my guest accounts on AlefNull had a .rhosts file in it. Consequently,
anyone claiming to be on machine "pal" as Professor Troxel could gain
entrance to my machine.
We should have a way to disable this functionality. Otherwise, Kerberos
authentication becomes moot...
--KUBI--
p.s. I'm *not* arguing for the removal of this functionality; just the ability
to disable it.
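
Added example, not part of the original message: a Python audit an administrator could run to list which accounts carry .rhosts trust entries like the one described above. It assumes the common `host [user]` line format with `+` as a wildcard; the home-directory layout and the account and user names in the sample data are constructed.

```python
import os
import stat
import tempfile

def parse_rhosts(text):
    """Return (host, remote_user, wildcard) for each trust entry in a .rhosts body."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None  # None: same name as local account
        entries.append((host, user, "+" in (host, user)))  # "+" trusts any host or user
    return entries

def audit_homes(home_root):
    """List every host/user pair trusted by a .rhosts file under home_root."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, account, ".rhosts")
        if not os.path.isfile(path):
            continue
        # A file that group or others can write lets them add their own trust entries.
        loose = bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        with open(path, errors="replace") as fh:
            for host, user, wildcard in parse_rhosts(fh.read()):
                findings.append({"account": account, "host": host, "wildcard": wildcard,
                                 "remote_user": user or account, "loose_perms": loose})
    return findings

def demo():
    """Run the audit over a constructed home tree (all names are sample data)."""
    samples = {"guest1": ("pal troxel\n", 0o600),        # the kind of entry in the report
               "guest2": ("# lab hosts\n+ +\n", 0o666),  # wildcard entry, loose mode
               "staff": (None, None)}                    # no .rhosts at all
    with tempfile.TemporaryDirectory() as root:
        for account, (body, mode) in samples.items():
            os.mkdir(os.path.join(root, account))
            if body is not None:
                path = os.path.join(root, account, ".rhosts")
                with open(path, "w") as fh:
                    fh.write(body)
                os.chmod(path, mode)
        return audit_homes(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_homes` at the real home-directory root to get the same report for live accounts.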