James Bonfield wrote: > A typical spoof would be: > > rlogin targethost -l -htargethost > > Then type in the user and password. It'll then appear to last, who and > probably finger, on targethost that the user has logged in from that system, > not from remotely. > > This bug occurs on several systems, such as DEC OSF/1 V3.0 and Concentrix 2.1. > I have tried Solaris 2.3 and SunOS 4.1 which both appear to be safe from this > at first glance. (We haven't got a newer SunOS 4.x unfortunately! So I've done > no tests on 4.1.3U1.) I expect most other systems are safe too. Both 4.1.3_U1 and AIX 3.2.5 appear to be safe ...