fix for login
Stan Johnson
johnson at euler.jsc.nasa.gov
Wed Mar 6 02:53:16 AEST 1991
Vernon Schryver writes:
>Please note that the fix for /bin/login does not close any security holes.
>The problem is only that people are forced to run the passwd command after
>being accepted as bona fide users. What happens is exactly the same as if
>someone had first used rlogin, and then typed `passwd`. At worst, this
>makes the new "password required" feature less useful. It does not allow
>anyone any access to machines that they did not already have. In fact, it
>effectively denies access.
(...)
>Vernon Schryver, vjs at sgi.com
You are absolutely right; my apologies. The fact that the user must first
enter his or her old password makes the problem one of convenience, not
security. I had forgotten that fact, since I ran into the problem as root
and so was not asked for the old password...
I should also mention that SGI hotline personnel were very helpful in
isolating and solving the problem.
-Stan Johnson
NASA / Johnson Space Center
(713) 483-4692
johnson at euler.jsc.nasa.gov