Subject: security/9673: inetd.conf has "login" and "shell" default on
To: None <>
From: Erik E. Fair <>
List: netbsd-bugs
Date: 03/25/2000 12:33:06
>Number:         9673
>Category:       security
>Synopsis:       inetd.conf has "login" and "shell" default on
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    security-officer (NetBSD Security Officer)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 25 12:33:00 2000
>Originator:     Erik E. Fair
International Organization of Internet Clock Watchers
>Release:        1.4.2
System: NetBSD 1.4.2_ALPHA NetBSD 1.4.2_ALPHA (DIGITAL) #10: Mon Jan 10 22:38:56 PST 2000 alpha

	/etc/inetd.conf as distributed by NetBSD has "login" (rlogin),
	and "shell" (rsh) services turned on by default.

	Given that the main authentication mechanism of these two protocols
	(.rhosts) is known to be weak, these should be off by default.
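
One way to audit a host for the condition this report describes, as an added example that is not part of the original PR or of NetBSD itself: a shell function that lists "login" and "shell" entries left enabled in an inetd.conf-format file. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rlogin ("login") and rsh ("shell") entries that are
# enabled in an inetd.conf-format file. A leading '#' disables an entry.

# Constructed sample input, in the usual inetd.conf column layout:
# service  socket-type  protocol  wait/nowait  user  server-program  args
sample_conf() {
    cat <<'EOF'
ftp     stream tcp nowait root /usr/libexec/ftpd    ftpd -ll
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
shell   stream tcp nowait root /usr/libexec/rshd    rshd -L
login   stream tcp nowait root /usr/libexec/rlogind rlogind -L
#exec   stream tcp nowait root /usr/libexec/rexecd  rexecd
EOF
}

# $1: path to the file to check. Prints one line per enabled r-service.
rservices_enabled() {
    awk '
        /^[ \t]*#/ { next }    # commented out, so the service is off
        NF < 6     { next }    # not a complete service entry
        {
            # Some inetd versions allow "listen-addr:service"; keep the
            # part after the last colon as the service name.
            n = split($1, parts, ":")
            svc = parts[n]
            if (svc == "login" || svc == "shell")
                printf "%s:%d: %s/%s enabled, runs %s\n", FILENAME, NR, svc, $3, $6
        }
    ' "$1"
}

# $1: path to the file to check. Prints the number of enabled r-services.
count_rservices() {
    rservices_enabled "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a real host, pass /etc/inetd.conf.
tmp=$(mktemp) && sample_conf > "$tmp" && rservices_enabled "$tmp"
rm -f "$tmp"
```

After commenting out any entries it reports, inetd has to re-read its configuration (normally on SIGHUP) before the change takes effect.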