Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!indri!nic.MR.NET!thor.acc.stolaf.edu!mike
From: mike@thor.acc.stolaf.edu (Mike Haertel)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <4614@thor.acc.stolaf.edu>
Date: 18 Aug 89 06:40:06 GMT
References: <3855@fy.sei.cmu.edu> <1064@accuvax.nwu.edu> <3942@phri.UUCP>
Reply-To: mike@thor.stolaf.edu (Mike Haertel)
Organization: St. Olaf College, Northfield, MN
Lines: 22

In article <3942@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>In <1064@accuvax.nwu.edu> phil@delta.eecs.nwu.edu (William LeFebvre) writes:
>> When /bin/login knows it is processing a remote login, why can't it
>> check the hostname against a list of "allowed" hosts?
>
> [ . . . ]
>
>	Actually, I can find one problem with William's suggestion.  Just
>like people tend to pick poor passwords, I suspect many people would put
>"*" in their .netaccess files, effectively defeating the whole idea.

If many people would put "*" in their hypothetical .netaccess files
(and I am certainly among those who would) then attempting to restrict
network logins in such a way is not a good idea to begin with.  Clearly,
systems should be designed to facilitate people's preferred ways of
working.  It is better to have to occasionally find and deal with a bad
guy than to cripple everyone just on the offhand chance that a bad guy
might cause trouble.
-- 
Mike Haertel 
``There's nothing remarkable about it.  All one has to do is hit the right
  keys at the right time and the instrument plays itself.'' -- J. S. Bach