From bruner Mon Dec  4 14:20:39 1978
This is the letter I intended to write a long time ago and kept forgetting
to.  Some time in the distant past I suggested a couple of changes for the
"csh" program which you asked me to send to you in a letter.  This is that
letter.

I don't want to sound paranoid, but if "login" warns users of bad password
attempts, "csh" probably should too.  Otherwise, some knowlegable user could
write a C program to run "csh" continually until it found the right password
(perhaps out of a randomly-generated list) and the victim wouldn't have any
idea that someone was trying to break into his account.  It probably isn't
necessary to have "csh" update the login time for a successful password
entry, so the only delay this change would introduce would be noticed only
when a bad password was attempted (in which case, "csh" could just exec
"motd -" in on top of itself).

My other suggestion was aimed at the problem which we have that a special
restricted shell can be defeated by using "csh <host> -l <login> <pass> sh".
For example, last year we had a Santa letter writing contents, and the only
way to read Santa's mail was to login to "santa".  We couldn't do something
like that now, because anybody could get into "santa" using "csh" and wipe
out the mailbox.  (I don't know that this was such a good example, but it was
the first thing that came to mind.)  Anyway, my suggestion for this problem
was to have "csh" do a "stat" on some file (e.g. "csh_lock") in the login
directory the specified account just before executing its arguments.  It
has the login directory from /etc/6passwd anyway, and doing a "stat" on
a file in that directory shouldn't be too slow.  In addition, if it made
this check before looking at the password, then it wouldn't even allow
people to attempt passwords for restricted accounts using "csh".  By using
a file in the directory, then any user (e.g. Prof Mowle) could restrict
"csh" on his/her account to guard against "invasion" by someone else.

It has been my experience with "csh" that I use the "-l <login> <passwd>"
form only when necessary.  If that is true for the user population as a
whole, then these two suggestions shouldn't greatly affect the average
response of "csh" since they wouldn't apply to the default case (using
uid 13).

				--John Bruner


disconnect - back to <hostname>

con "read error" should say "disc" also
