Subject: rexecd does not log failed authentications
To: None <current-users@NetBSD.ORG>
From: VaX#n8 <vax@linkdead.paranoia.com>
List: current-users
Date: 06/25/1996 01:05:56

A while back I suggested an API for doing user authentications.
I may have found a few other good reasons just recently (than just
parameterizing your call to crypt and strcmp).

Like the title says, rexecd does not log failed authentications, allowing
a user to brute-force accounts until the cows come home.

Please, let's avoid discussion on r-protocols and how many are totally
insecure anyway and any reasonable sysadmin would disable them.

Personally, I question why they're in the default inetd.conf at all.
There is a serious window from when you install your machine to when
you know what you are doing; I would rather have them off by default.
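
Added example, not part of the original message and not NetBSD code: one shape the authentication API mentioned above could take, wrapping the crypt-and-compare step so that every failed attempt is logged through syslog. The names `auth_verify`, `auth_req`, `hash_fn` and `demo_hash` are hypothetical; `demo_hash` is a constructed stand-in for crypt(3), which a real daemon would pass instead.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical API (all names are assumptions). hash_fn matches crypt(3). */
typedef char *(*hash_fn)(const char *key, const char *salt);

struct auth_req {
    const char *service;  /* daemon asking, e.g. "rexecd" */
    const char *rhost;    /* peer address as text */
    const char *user;     /* claimed login name */
    const char *password; /* cleartext supplied by the peer */
    const char *stored;   /* hash from the password database, NULL if no such user */
};

unsigned long auth_failures; /* running count, usable for throttling */

/* Compare two hashes without stopping at the first differing byte. */
static int same_hash(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 on success, 0 on failure. Every failure is logged; the password never is. */
int auth_verify(const struct auth_req *r, hash_fn hash)
{
    char *computed = NULL;
    /* An unknown user or an empty hash field is treated as a failure here. */
    if (r->stored != NULL && r->stored[0] != '\0')
        computed = hash(r->password, r->stored);
    if (computed != NULL && same_hash(computed, r->stored))
        return 1;
    auth_failures++;
    /* Length-limited fields keep a hostile peer from flooding the log line. */
    syslog(LOG_AUTH | LOG_NOTICE, "%s: authentication failure for %.32s from %.64s",
        r->service, r->user, r->rhost);
    return 0;
}

/* Constructed stand-in for crypt(3) so the example links without libcrypt. */
char *demo_hash(const char *key, const char *salt)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "%.2s%.60s", salt, key);
    return buf;
}
```

Because the daemon name and peer address travel with the request, every service that calls the wrapper produces the same log line, and a run of failures from one host becomes visible in the auth log.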