Subject: rexecd does not log failed authentications
To: None <current-users@NetBSD.ORG>
From: VaX#n8 <>
List: current-users
Date: 06/25/1996 01:05:56
A while back I suggested an API for doing user authentications.

I may have found a few other good reasons just recently (than just
parameterizing your call to crypt and strcmp).

Like the title says, rexecd does not log failed authentications, allowing
a user to brute-force accounts until the cows come home.

Please, let's avoid discussion on r-protocols and how many are totally
insecure anyway and any reasonable sysadmin would disable them.
Personally, I question why they're in the default inetd.conf at all.
There is a serious window from when you install your machine to when
you know what you are doing; I would rather have them off by default.