Subject: Re: bin/620: security spoof possible with rlogin/telnet
To: None <>
From: Charles M. Hannum <>
List: netbsd-bugs
Date: 12/08/1994 04:47:47
	   no actual patch, but the best way would be to change telnetd
	   and rlogind (and any other program that exec's login with
	   an unchecked argv) so that if a username started with `-',
	   or contained any character that's illegal in a username,

I disagree.  The `right' solution is to put a `--' argument in before
the user name, so that it can never be interpreted as an option.

I did this in my merged (with 4.4-Lite) copy of libexec, but I haven't
gotten around to finishing that, yet.