> Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
> The error reported is different.
>
> Therefore, it's possible to determine which account names are valid.
> This is an issue only for particularly paranoid sites that probably
> already have rshd disabled, but I thought it would be worth issuing a
> warning anyway.

The PAM version of Linux's rshd doesn't have this problem. Some of the
earlier ones did, but Red Hat 4.2 has this problem fixed.

I never sent the patches to David because they were PAM bugs, not
rshd bugs, and I never tested this against a non-PAM rshd (duh).

Erik
-------------------------------------------------------------------------------
| "Psychopaths kill for no reason: I kill for money." -- Grosse Pointe Blank |
| |
| Erik Troan = ewt@redhat.com = ewt@sunsite.unc.edu |
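
The difference described in the quoted report can be checked for mechanically. The sketch below is an added example, not code from rshd, PAM or this thread: it models a leaky authorization step beside one that fails uniformly, and a regression check that flags the leak. The account table, the reply strings and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data: stands in for the account lookup and the
   "is this remote caller trusted" decision made by the daemon. */
struct account { const char *name; int trusts_caller; };
static const struct account accounts[] = {
    { "realuser", 0 },  /* exists, caller not authorised */
    { "operator", 1 },  /* exists, caller authorised */
};

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Leaky: the failure text depends on why the request failed, so the
   caller learns whether the account exists. Empty string = success. */
const char *leaky_reply(const char *user) {
    const struct account *a = lookup(user);
    if (a == NULL)
        return "unknown user\n";        /* constructed message */
    if (!a->trusts_caller)
        return "permission denied\n";   /* constructed message */
    return "";
}

/* Uniform: every failure produces the same text. */
const char *uniform_reply(const char *user) {
    const struct account *a = lookup(user);
    if (a == NULL || !a->trusts_caller)
        return "permission denied\n";
    return "";
}

/* Regression check: returns 1 if the reply for an existing but
   unauthorised account differs from the reply for a missing one. */
int reveals_account(const char *(*reply)(const char *),
                    const char *existing, const char *missing) {
    return strcmp(reply(existing), reply(missing)) != 0;
}
```
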