Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!indri!nic.MR.NET!thor.acc.stolaf.edu!mike
From: mike@thor.acc.stolaf.edu (Mike Haertel)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <4614@thor.acc.stolaf.edu>
Date: 18 Aug 89 06:40:06 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP>
Reply-To: mike@thor.stolaf.edu (Mike Haertel)
Organization: St. Olaf College, Northfield, MN
Lines: 22

In article <3942@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>In <1064@accuvax.nwu.edu> phil@delta.eecs.nwu.edu (William LeFebvre) writes:
>> When /bin/login knows it is processing a remote login, why can't it
>> check the hostname against a list of "allowed" hosts?
>
> [ . . . ]
>
> Actually, I can find one problem with William's suggestion. Just
>like people tend to pick poor passwords, I suspect many people would put
>"*" in their .netaccess files, effectively defeating the whole idea.

If many people would put "*" in their hypothetical .netaccess files
(and I am certainly among those who would) then attempting to restrict
network logins in such a way is not a good idea to begin with.

Clearly, systems should be designed to facilitate people's preferred
ways of working. It is better to have to occasionally find and deal
with a bad guy than to cripple everyone just on the offhand chance
that a bad guy might cause trouble.
--
Mike Haertel
``There's nothing remarkable about it. All one has to do is hit the right
keys at the right time and the instrument plays itself.'' -- J. S. Bach