Unix network security (was "CERT Internet Security Advisory")
Roy Smith
roy at phri.UUCP
Fri Aug 18 09:34:00 AEST 1989
In <1064 at accuvax.nwu.edu> phil at delta.eecs.nwu.edu (William LeFebvre) writes:
> When /bin/login knows it is processing a remote login, why can't it
> check the hostname against a list of "allowed" hosts?
I can't find any problems with William's suggestion, but would add
one more idea. Before allowing a shot at a username/password, require a
network access password. The same thing could be done for dial-up access,
but this is less of a problem. This password would be picked by the system
administrator, (theoretically) ensuring that it wasn't an obvious one, like
lusers tend to pick. This is not a new idea, but seems to be implemented
only in very security-conscious sites; perhaps it should be the default way
vendors ship their systems. Multiple failures to get the network access
password right should be logged in the system security log.

Actually, I can find one problem with William's suggestion. Just
like people tend to pick poor passwords, I suspect many people would put
"*" in their .netaccess files, effectively defeating the whole idea.
--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{att,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy at alanine.phri.nyu.edu
"The connector is the network"
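The allowed-hosts check discussed in this thread, together with the "*" problem Roy raises and the failure logging he asks for, written out as an added example in C. This is not code from the post or from any vendor's /bin/login; the `.netaccess` file format (one hostname per line, `#` comments) and the hostnames in the sample are constructed for illustration. The check fails closed when it meets a wildcard entry, so a user cannot disable the control by writing "*" into the file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample of a per-user .netaccess file (hypothetical format:
   one hostname per line, '#' starts a comment). Not a real file. */
static const char *SAMPLE_NETACCESS =
    "# hosts allowed to rlogin to this account\n"
    "delta.eecs.nwu.edu\n"
    "alanine.phri.nyu.edu\n";

/* The case Roy worries about: a user who writes "*" to let everyone in. */
static const char *SAMPLE_WILDCARD = "*\n";

enum access_result { ACCESS_ALLOWED, ACCESS_DENIED, ACCESS_WILDCARD_REJECTED };

/* DNS names are case-insensitive, so compare hostnames that way. */
static int host_equal(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Decide whether remote_host may proceed to the username/password prompt.
   Any entry containing '*' is treated as a policy violation and the whole
   check fails closed, rather than matching every host. */
enum access_result check_net_access(const char *list, const char *remote_host) {
    const char *p = list;
    enum access_result result = ACCESS_DENIED;
    while (*p) {
        char line[256];
        size_t n = 0;
        while (*p && *p != '\n' && n < sizeof line - 1) line[n++] = *p++;
        line[n] = '\0';
        while (*p && *p != '\n') p++;       /* drop an overlong remainder */
        if (*p == '\n') p++;
        while (n > 0 && isspace((unsigned char)line[n - 1])) line[--n] = '\0';
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;   /* blank or comment line */
        if (strchr(s, '*')) return ACCESS_WILDCARD_REJECTED;
        if (host_equal(s, remote_host)) result = ACCESS_ALLOWED;
    }
    return result;
}

/* Per-host failure counter standing in for the system security log.
   Returns the number of failures seen from that host; once the threshold
   is reached a log line is written (here to stderr). */
#define MAX_TRACKED 16
struct fail_entry { char host[128]; int count; };
static struct fail_entry fails[MAX_TRACKED];

int record_failure(const char *remote_host, int threshold) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (fails[i].host[0] == '\0')
            snprintf(fails[i].host, sizeof fails[i].host, "%s", remote_host);
        if (host_equal(fails[i].host, remote_host)) {
            fails[i].count++;
            if (fails[i].count >= threshold)
                fprintf(stderr, "security: %d failed network-access attempts from %s\n",
                        fails[i].count, remote_host);
            return fails[i].count;
        }
    }
    return -1;   /* table full; a real implementation would still log */
}

int main(void) {
    const char *hosts[] = { "delta.eecs.nwu.edu", "DELTA.EECS.NWU.EDU", "unknown.example" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        enum access_result r = check_net_access(SAMPLE_NETACCESS, hosts[i]);
        printf("%s -> %s\n", hosts[i], r == ACCESS_ALLOWED ? "allowed" : "denied");
        if (r != ACCESS_ALLOWED) record_failure(hosts[i], 3);
    }
    printf("wildcard file -> %s\n",
           check_net_access(SAMPLE_WILDCARD, "anyone") == ACCESS_WILDCARD_REJECTED
               ? "rejected" : "honoured");
    return 0;
}
```

Rejecting the wildcard outright, rather than silently matching it, is the design choice that addresses Roy's objection: the user who writes "*" locks themselves out of remote access until an administrator fixes the file, which is noticed quickly, whereas a wildcard that quietly works is noticed only after it is abused.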