Re: XDM Insecurity revisited

From: Martin Schulze (joeyat_private)
Date: Thu Aug 19 1999 - 01:07:11 PDT


    Jochen Bauer wrote:
    > On Wed, 26 Nov 1997 Eric Augustus (augustusat_private) posted a message
    > on BUGTRAQ about the fact, that the default Xaccess file allows XDMCP
    > connections from any host. As you know, this can be used to get a
    > login screen on any host and therefore get around access control
    > mechanisms like tcpwrapper and root login restriction to the console.
    
    I'm not sure if I have understood your considerations.  The intruder
    still needs an account on the local host, so it is as insecure as
    allowing telnet access to your host.  Or not?
    
    However, I agree that XDMCP should be restricted to the local LAN
    by default.
    
    Tcpwrappers are no major security improvement.  It's just a little
    bit restrictive.  You'll still have to manually add hosts that you
    permit or deny access to your services.  The paranoid flag does
    not keep hackers off of your host but people who are beaten with
    dumb admins who don't care about reverse DNS.
    
    Regards,
    
    	Joey
    
    --
    GNU does not eliminate all the world's problems, only some of them.
                                                    -- The GNU Manifesto
    
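The permissive default Xaccess that Jochen refers to, next to a version restricted to the local LAN as Joey suggests, plus the xdm-config setting that turns XDMCP off entirely. This is an added example, not part of the original thread; the domain `lan.example.com` is a placeholder for your own site.

```text
# --- Xaccess as shipped (the permissive default discussed above) ---
# Any host that can reach the XDMCP port may request a login window
# and may list this server through the chooser.
*                                   # any host can get a login window
*       CHOOSER BROADCAST           # any host can get a chooser

# --- Xaccess restricted to the local LAN (replaces the two lines above) ---
# Only hostname patterns are used here; lan.example.com is a placeholder.
# Hosts that do not match any entry get no login window and no chooser.
*.lan.example.com                   # direct queries only from the local domain
*.lan.example.com   CHOOSER BROADCAST   # chooser only for the local domain

# --- xdm-config: disable XDMCP altogether ---
# If nobody needs remote XDM logins, the safest default is not to listen
# for XDMCP requests at all; port 0 turns the listener off.
DisplayManager.requestPort:     0
```

After editing either file, restart xdm (or send it SIGHUP) so it rereads its configuration, and verify from a host outside the LAN that no login window is offered.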
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:16 PDT