old-www/LDP/nag/node177.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<!--Converted with LaTeX2HTML 96.1-c (Feb 29, 1996) by Nikos Drakos (nikos@cbl.leeds.ac.uk), CBLU, University of Leeds -->
<HTML>
<HEAD>
<TITLE>Protecting Yourself Against Swindlers</TITLE>
</HEAD>
<BODY LANG="EN">
<A HREF="node1.html"><IMG WIDTH=65 HEIGHT=24 ALIGN=BOTTOM ALT="contents" SRC="contents_motif.gif"></A> <BR>
<B> Next:</B> <A HREF="node178.html">Be Paranoid-- Call Sequence </A>
<B>Up:</B> <A HREF="node174.html">Setting up your System </A>
<B> Previous:</B> <A HREF="node176.html">Providing UUCP Accounts</A>
<BR> <P>
<H2><A NAME="SECTION0014530000">Protecting Yourself Against Swindlers</A></H2>
<P>
<A NAME="6390"></A>
<A NAME="6391"></A>
<P>
One of the biggest problems with UUCP is that the calling system
can lie about its name: it announces its name to the called system only
after it has logged in, and the called <tt>uucico</tt> has no built-in way
to verify the claim. Thus an attacker could log into his or her own UUCP
account, claim to be some other site, and pick up that site's mail. This is
particularly troublesome if you offer login via anonymous UUCP, where the
password is public knowledge.
<P>
Unless you know you can trust all sites that call your system to be honest,
you <em>must</em> guard against this sort of impostor. The cure for
this disease is to require each system to use a particular login name
by giving a <tt>called-login</tt> command in its entry in <tt>sys</tt>.
A sample system entry may look like this:
<P>
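<P>
The sample entry itself is missing from this copy of the page. What follows
is an added example, not text from the Networking Guide or code from Taylor
UUCP: a constructed <tt>sys</tt> fragment containing the
<tt>pablo</tt>/<tt>Upablo</tt> entry the next paragraph describes (the other
entries, the hostname <tt>vstout</tt> and the login <tt>Uanon</tt> are
assumptions), together with a small Python model of the decision
<tt>uucico</tt> makes when a caller that logged in under one name announces
another. The model only understands the <tt>system</tt> and
<tt>called-login</tt> commands; it also shows that an entry without
<tt>called-login</tt> accepts any caller, that a never-calling site can be
given a bogus login, and a helper that lists entries still lacking the command.
</P>

```python
"""Model of the Taylor UUCP called-login check.

Added example; not from the Linux Network Administrators Guide and not
Taylor UUCP code.  It parses only the 'system' and 'called-login' commands
of a sys file and applies the rule the text describes: a caller that
authenticated as LOGIN and then announces itself as SYSTEM is accepted only
if SYSTEM's entry names LOGIN in its called-login command.
"""

# Constructed sys file.  The pablo entry matches the page's description;
# the vstout and anon entries are assumptions added for illustration.
SAMPLE_SYS = """\
# Site that calls us: it must have logged in as Upablo
system          pablo
time            Any
called-login    Upablo

# Site we always call ourselves: nobody may ever log in claiming to be it
system          vstout
called-login    neverlogsin

# Entry without called-login: any login may claim to be 'anon'
system          anon
"""


def parse_sys(text):
    """Return {system_name: called_login_or_None} for a sys file.

    Comments start with '#'; other commands (time, port, ...) are ignored.
    The first word after called-login is the login name (later words, if
    any, are system names in real Taylor UUCP and are not modelled here).
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        cmd = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if cmd == "system":
            current = arg
            entries[current] = None
        elif cmd == "called-login" and current is not None and arg:
            entries[current] = arg.split()[0]
    return entries


def accept_call(entries, login_name, announced_system):
    """Decide whether the called side should accept a caller.

    login_name       the account the caller actually authenticated as
    announced_system the name the caller sends after login; it can lie here
    A system not present in sys is refused (no 'unknown' command modelled).
    """
    if announced_system not in entries:
        return False
    required = entries[announced_system]
    if required is None:
        # No called-login: the announced name is taken on faith.  This is
        # exactly the weakness the text warns about.
        return True
    return login_name == required


def entries_without_called_login(entries):
    """List system names whose entry lacks called-login (the audit the text asks for)."""
    return sorted(name for name, login in entries.items() if login is None)


if __name__ == "__main__":
    table = parse_sys(SAMPLE_SYS)
    for login, claimed in [("Upablo", "pablo"), ("Uanon", "pablo"),
                           ("Uanon", "vstout"), ("Uanon", "anon")]:
        verdict = "accepted" if accept_call(table, login, claimed) else "refused"
        print(f"login {login:8s} claims {claimed:8s}: {verdict}")
    print("entries still lacking called-login:",
          entries_without_called_login(table))
```

Running it shows <tt>Upablo</tt> claiming <tt>pablo</tt> accepted, <tt>Uanon</tt>
claiming <tt>pablo</tt> or <tt>vstout</tt> refused, and <tt>Uanon</tt> claiming
<tt>anon</tt> accepted because that entry has no <tt>called-login</tt>; the
audit helper reports <tt>anon</tt> as the entry to fix.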
The upshot of this is that whenever a system logs in and claims to be
<tt>pablo</tt>, <tt>uucico</tt> will check whether it has logged in as
<tt>Upablo</tt>. If it hasn't, the calling system is turned down and
the connection is dropped. Note that this ties a system name to a login
and nothing more: the check is only as strong as the secrecy of that
login's password, so give every calling site its own login and never use
the anonymous login as any real system's <tt>called-login</tt>. You should
make it a habit to add the <tt>called-login</tt> command to every system
entry you add to your <tt>sys</tt> file. It is important that you do this
for <em>all</em> systems, regardless of whether they will ever call your
site or not, because an entry without <tt>called-login</tt> can be claimed
by any caller. For those sites that never call you, set
<tt>called-login</tt> to some totally bogus user name, such as
<tt>neverlogsin</tt>.
<P>
<BR> <HR>
<P><ADDRESS>
<I>Andrew Anderson <BR>
Thu Mar 7 23:22:06 EST 1996</I>
</ADDRESS>
</BODY>
</HTML>