Re: one password prompt wanted instead of two

Tom Samplonius (tom@sdf.com)
Mon, 7 Jul 1997 11:42:24 -0700 (PDT)

On Mon, 7 Jul 1997, Igor V. Semenyuk wrote:

> Welcome to the club :-)
>
> You either have a double password prompt and feel safe,
> or get rid of the second prompt and step on shaky ground.
>
> If you are brave enough to go the latter way just add your
> terminal server name to /etc/hosts.equiv on your host and make
> sure your rlogind honors this file.
>
> You are now vulnerable to spoofing attacks.

You are safe from spoofing if you block all traffic with a source of
your netblock(s) at your border router.

Also, it is hard to spoof an entire TCP session setup. The spoofer can't
see the responses coming back from your server, so he/she needs to guess.
I don't see how you get very far into a session before you lose control.

> Question to Livingston:
>
> Is there any chance ComOS will support strong authentication
> in at least rlogin protocol? For example SSH-style RSA authentication?
> This would solve the double prompt puzzle and won't compromise
> host security the way the current solution does.

ssh logins require a lot of CPU power. I don't see it ever happening,
except for the PM3 & the unannounced encryption daughter card.

Also there are copyright and licensing issues. This could be solved
with a PM3 daughter card, by including licensing costs when you buy the
hardware.

Tom
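
An added example, not part of the original message: a small audit that checks whether each host trusted in /etc/hosts.equiv actually sits inside the netblocks the border router's anti-spoofing rule covers, since the filter only protects trust entries whose addresses it drops from outside. The netblock, host names, addresses and file contents are constructed sample data, and the static address map stands in for DNS.

```python
import ipaddress

# Constructed sample data (not from the original post), using documentation ranges.
INTERNAL_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
HOSTS_EQUIV = """\
# trusted hosts for rlogin
ts1.example.net
ts2.example.net
+
"""
# Static name-to-address map standing in for DNS so the example runs offline.
ADDRESSES = {"ts1.example.net": "192.0.2.10", "ts2.example.net": "198.51.100.7"}


def border_drops(src, arrived_on_external, netblocks=INTERNAL_NETBLOCKS):
    """Anti-spoofing rule: drop packets from outside that claim an inside source."""
    addr = ipaddress.ip_address(src)
    return arrived_on_external and any(addr in net for net in netblocks)


def audit_hosts_equiv(text, addresses=ADDRESSES, netblocks=INTERNAL_NETBLOCKS):
    """Return (entry, finding) pairs for trust entries the border filter does not cover."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split()[0]
        if host.startswith("-"):
            continue  # negative entry: denies trust, nothing to protect
        if host == "+" or host.startswith("+@"):
            findings.append((host, "wildcard or netgroup trust, not limited to one host"))
            continue
        ip = addresses.get(host)
        if ip is None:
            findings.append((host, "address unknown, cannot check filter coverage"))
        elif not border_drops(ip, arrived_on_external=True, netblocks=netblocks):
            findings.append((host, f"{ip} is outside the filtered netblocks"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_hosts_equiv(HOSTS_EQUIV):
        print(f"{entry}: {finding}")
```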