- To: crompton@NADC.NADC.NAVY.MIL
- Subject: BBS login
- From: "Mike Bilow, email@example.com" <mikebw@IDS.JVNC.NET>
- Date: Sat, 18 Jan 1992 07:34:28 EST

Yes, any user name that NOS does not recognize is mapped to "anonymous"
and given that user's privileges if the user "anonymous" exists. This
has been a stated feature of PA0GRI code for some time, maybe seven or
eight versions ago. The user is also given a message at login on the
order of "Logging in as anonymous, restrictions apply."

I am not sure why this is a security problem. It really just helps in
the amateur world where those who are not in the know might not realize
that they have to be logged in as "anonymous." In fact, it is a definite
help to those who use the NOS mailbox to read personal mail, since they
would have to have an actual user/pass account or would read only mail
addressed to "anonymous."

Since we are on this, you should also be aware of a related security
feature which is not a bug. If there is a user who has sysop privileges,
that user can log in with an AX.25 or netrom connect and successfully
issue the sysop command. This allows remote sysop control in some cases
where it would not otherwise be possible. However, there is no request
for a password, since you are not going through telnet! The way to stop
this is to create only users with names longer than six characters to have
sysop privilege, since they can never login except by telnet.

As long as you know this, there are no security problems. I would rather
have anonymous users log in as something meaningful.
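
Added example, not part of the original message and not NOS code: a small audit of a NOS-style user file that reports whether the "anonymous" fallback account exists and which sysop-privileged accounts have names of six characters or fewer, the case the message says gets no password prompt over AX.25 or netrom. The file layout (name, password, root directory, numeric permissions) and the sysop bit value are assumptions; confirm both against your own NOS version.

```python
# Added example: audit a NOS-style user file for the two behaviours
# described in the message above.
# Assumptions (not from the original message): one account per line as
# "name password rootdir permissions", lines starting with '#' are
# comments, and sysop privilege is one bit in the permissions number.

SYSOP_BIT = 64         # assumed value; check your NOS build's documentation
MAX_CALLSIGN_LEN = 6   # per the message: longer names can only log in by telnet

# Constructed sample data, not a real configuration.
SAMPLE_USERS = """\
# name      password  rootdir  permissions
anonymous   *         /public  1
n0call      secret1   /        127
sysopadmin  secret2   /        127
w1abc       secret3   /public  3
"""

def parse_users(text):
    """Yield (name, permissions) for each account line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or not fields[3].isdigit():
            raise ValueError(f"line {lineno}: expected 4 fields, numeric permissions")
        yield fields[0], int(fields[3])

def audit(text, sysop_bit=SYSOP_BIT):
    """Return findings for the anonymous fallback and passwordless sysop access."""
    users = dict(parse_users(text))
    exposed = sorted(
        name for name, perms in users.items()
        if perms & sysop_bit and len(name) <= MAX_CALLSIGN_LEN
    )
    return {
        # Unrecognized login names are mapped to this account if it exists.
        "anonymous_fallback": "anonymous" in users,
        # Sysop accounts whose names fit an AX.25/netrom connect (no password asked).
        "passwordless_sysop": exposed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```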