Subject: Re: Problems with root and .rhosts
To: None <cgd@alpha.bostic.com>
From: Brian Moore <ziff@eecs.umich.edu>
List: current-users
Date: 10/27/1994 00:40:45
>
>I believe this was intentional; the authors of the code (CSRG, i
>assume, maybe a contributor to them) wanted to allow rsh's, but _did
>not_ want to allow remote logins automatically via .rhosts.  (At
>least, that's the way i heard it, last time i asked.)
>
>I'm not sure of the merit in this; it's security through (little)
>obscurity, at best.  any reasonable cracker knows how to go
>'fish'ing...  8-)
>
Any qualms about adding that 'unsecure' option to the code, or is NetBSD
trying to stay as BSD 4.4'ish as possible?  Probably the right way to do it is,
if the user is coming in as root, to send an entry to syslog right before the
call to iruserok saying something like "Hey somebody is trying to rlogin in as
root from <address>", or something like that.  I totally agree about the false
security about this.  I mean you can't rlogin as root, but rsh "setenv
<host>:0.0; /usr/X11R6/bin/xterm &" works just fine.  Unfortunately, that won't
work for us in all cases, since we do work from vt100 emulation at times.

Thanks,
--brian
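
The logging step suggested in this message, sketched as an added example that is not part of the original post or of NetBSD's rlogind source. The names `format_root_attempt`, `logged_rhosts_check` and `deny_all`, the message wording, and the test of the local user by name rather than by uid are assumptions made for illustration; the checker argument has the same shape as `iruserok(3)`.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Same shape as iruserok(3): returns 0 when .rhosts/hosts.equiv allows access. */
typedef int (*rhosts_check_fn)(in_addr_t raddr, int superuser,
                               const char *ruser, const char *luser);

/* Format the audit line for a root attempt. The remote user name is
 * peer-controlled, so non-printable bytes are replaced before logging.
 * Returns 1 if luser is root and a line was written to buf, else 0. */
int format_root_attempt(const struct sockaddr_in *from, const char *ruser,
                        const char *luser, char *buf, size_t len)
{
    char addr[INET_ADDRSTRLEN], safe[33];
    size_t i;

    if (strcmp(luser, "root") != 0)   /* simplification: real code checks uid 0 */
        return 0;
    if (inet_ntop(AF_INET, &from->sin_addr, addr, sizeof(addr)) == NULL)
        strcpy(addr, "unknown");
    for (i = 0; i < sizeof(safe) - 1 && ruser[i] != '\0'; i++)
        safe[i] = isprint((unsigned char)ruser[i]) ? ruser[i] : '?';
    safe[i] = '\0';
    snprintf(buf, len, "rlogin as root attempted by %s from %s", safe, addr);
    return 1;
}

/* Log first, then run the .rhosts check, so refused attempts are recorded too. */
int logged_rhosts_check(rhosts_check_fn check, const struct sockaddr_in *from,
                        const char *ruser, const char *luser)
{
    char line[128];
    int is_root = format_root_attempt(from, ruser, luser, line, sizeof(line));

    if (is_root)
        syslog(LOG_AUTH | LOG_NOTICE, "%s", line);
    return check(from->sin_addr.s_addr, is_root, ruser, luser);
}

/* Constructed stand-in for iruserok() so the example runs without a network. */
int deny_all(in_addr_t raddr, int superuser, const char *ruser, const char *luser)
{
    (void)raddr; (void)superuser; (void)ruser; (void)luser;
    return -1;
}
```

In a daemon the checker argument would be `iruserok` itself; the log call sits ahead of it so that attempts the `.rhosts` check refuses still leave a record.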