Folks, The login binary in the beta distribution of alpha_osf1 for OSF1 V1.3 has a security problem. If you enter the end-of-file character (Ctrl-D) in response to the "login:" prompt generated by a remote login program, you will be logged in without the need for a password. This problem is evident with all remote commands that pass a userid to the login program (rsh, rlogin, some versions of telnet including the OSF1 version, etc). The superuser's account may be compromised in this manner. The corrected login and login.krb binaries can be found in the AFS beta product release tree: /afs/transarc.com/product/afs/beta_port/alpha_osf1/bin/ Please contact your AFS Product Support Representative if you do not have access to the Transarc cell. Bapi Buddhavarapu Product Engineer Transarc Corporation
