Path: utzoo!attcan!uunet!cs.utexas.edu!csd4.csd.uwm.edu!bionet!sdsu!usc!henry.jpl.nasa.gov!elroy.jpl.nasa.gov!mahendo!wlbr!WLV.IMSD.CONTEL.COM!sms
From: sms@WLV.IMSD.CONTEL.COM (Steven M. Schultz)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <35131@wlbr.IMSD.CONTEL.COM>
Date: 18 Aug 89 05:37:38 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP>
Sender: news@wlbr.IMSD.CONTEL.COM
Reply-To: sms@WLV.IMSD.CONTEL.COM.UUCP (Steven M. Schultz)
Organization: Contel Federal Systems
Lines: 16

In article <3942@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>In <1064@accuvax.nwu.edu> phil@delta.eecs.nwu.edu (William LeFebvre) writes:
>> When /bin/login knows it is processing a remote login, why can't it
>> check the hostname against a list of "allowed" hosts?
>
> Actually, I can find one problem with William's suggestion. Just
>like people tend to pick poor passwords, I suspect many people would put
>"*" in their .netaccess files, effectively defeating the whole idea.

How about inverting the meaning of ".netaccess"? By this I mean
making it a list of hosts/addresses to be rejected. There have been
times when it would be desirable to let connections from all systems
except a list of bad/undesirables.

Steven M. Schultz
sms@wlv.imsd.contel.com
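
The two readings of ".netaccess" discussed in this thread, as an added example that is not part of the original posts or of any real /bin/login. The file format (one pattern per line, '#' comments, a leading "*" wildcard) and the names na_mode, na_match and na_permits are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical readings of ".netaccess"; the thread proposes both. */
enum na_mode { NA_ALLOW_LIST, NA_DENY_LIST };

/* A leading "*" matches any prefix: "*" is every host, "*.dom" a domain.
 * Other entries must equal the host name (assumed already lowercased). */
static int na_match(const char *pat, const char *host)
{
    size_t hl = strlen(host), sl;
    if (pat[0] != '*')
        return strcmp(pat, host) == 0;
    sl = strlen(pat + 1);
    return hl >= sl && strcmp(host + hl - sl, pat + 1) == 0;
}

/* Return 1 if a login from `host` is permitted. `file` is the list text:
 * one entry per line, '#' comments, entries over 255 bytes are skipped. */
int na_permits(const char *file, const char *host, enum na_mode mode)
{
    const char *p = file;
    char entry[256];
    size_t n;
    int listed = 0;
    while (*p && !listed) {
        p += strspn(p, " \t");
        n = strcspn(p, " \t\r\n");
        if (n > 0 && n < sizeof entry && *p != '#') {
            memcpy(entry, p, n);
            entry[n] = '\0';
            listed = na_match(entry, host);
        }
        p += strcspn(p, "\n");          /* skip the rest of the line */
        p += (*p == '\n');
    }
    /* Allow list admits only listed hosts. Deny list admits every host
     * that is not listed, so an empty file admits all of them. */
    return mode == NA_ALLOW_LIST ? listed : !listed;
}

int main(void)
{
    const char *deny = "bad.example.com\n*.rogue.example\n"; /* constructed */
    printf("listed: %d, unlisted: %d\n",
           na_permits(deny, "x.rogue.example", NA_DENY_LIST),
           na_permits(deny, "any.example.org", NA_DENY_LIST));
    return 0;
}
```

Read as an allow list, a single "*" entry admits every host; read as a deny list, the same file rejects every host, and a missing or empty file admits all of them.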