While this makes sense, it is the opposite of the case for which that feature
was intended: since the PM can't know what constitutes a prefix/suffix, the
only way to change the name passed to the host would be to have the server
send back to the PM the actual username.

The security implications of this aren't as bad as they seem at first glance.
If a hacker can change the 'users' file and/or simulate the RADIUS server's
response, changing the user name has no additional security breach, though
it does provide additional prank value :-)

> The problem is that the portmaster passes the entire login string -
> including the suffix - to the host. This makes rlogin impossible,
> and somewhat defeats the purpose of using suffixes.
...
> The only other solution I can think of is to replace Solaris's
> rlogind with one for which the source code is publicly available,
> and then hacking around in there.

Of course, with the known holes in rlogind and the like, there are other
advantages to replacing login and rlogind with one compiled from your own
sources. But you still have to know in advance what the prefix/suffixes are
in order to strip them off the name...