[Gllug] rlogin argument
Jonathan Dye
jonathan.dye at automationpartnership.com
Wed Sep 19 10:46:41 UTC 2001
At 12:58 19/09/01 +0100, you wrote:
>Am I misunderstanding the security implications of rlogin?
yes
>My understanding was :
>
>two boxes (ALPHA + BETA), say UNIX type OSes with the same account FRED on
>both. Different passwords, no connections restrictions, rlogin daemon is
>running.
>
>ALPHA : rlogin BETA
>Welcome to BETA
>
>No password required to rlogin to the BETA box.
>
>Well I tried this from Solaris 2.6 to HP-UX 10.11 (I think) and the box I
>was going to asked for a password. We even set the accounts to have the
>same password on both boxes and it still asked for a password.
>
>Have HP (or any others) cleaned up the 'r' commands in some way - I've
>been preaching that all 'r' commands are evil but if we are asked for a
>password from box to box what is the problem (besides clear text going over
>the network)???
Rlogin allows you to log in to the remote machine without a password if the
user has set up a .rlogin file in their home directory. The .rlogin file
contains entries saying which users from which machines can log in. So the
usernames don't even have to be the same. The problem with this is that
once you are into one machine you can rlogin to all the others without a
password. I think it may be possible to spoof it too, but I'm not sure. If
there are no .rlogin files then it acts like telnet.
JD
>Matt
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
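
The trust chaining described in the reply above ("once you are into one machine you can rlogin to all the others"), as an added audit example that is not part of the original message: it parses per-user trust-file entries and computes which accounts become reachable without a password from one starting account. It assumes the `host [user]` entry format of `~/.rhosts` (the per-user file rlogind consults on real systems); the hosts, accounts and file contents are constructed, and netgroup (`+@group`) and negative (`-host`) entries are not handled.

```python
from collections import deque

# Constructed sample: (host, account) -> contents of that account's trust file.
SAMPLE = {
    ("beta", "fred"):    "alpha fred\n",
    ("gamma", "fred"):   "# host-only line: same account name is trusted\nbeta\n",
    ("delta", "ops"):    "gamma fred\n",     # different remote username trusted
    ("omega", "backup"): "+ +\n",            # any user from any host
}

def parse_entries(text):
    """Yield (host, user) per entry; user is None when the line names only a host."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment line
        yield fields[0], (fields[1] if len(fields) > 1 else None)

def trusts(entry, target, source):
    """True if `entry` in target's trust file admits source = (host, user)."""
    host, user = entry
    user = user or target[1]  # host-only entry means the same account name
    return host in ("+", source[0]) and user in ("+", source[1])

def wildcard_findings(files):
    """List (host, account, entry) for every entry that uses a bare '+' wildcard."""
    return [(h, a, e) for (h, a), text in sorted(files.items())
            for e in parse_entries(text) if "+" in e]

def reachable(files, start):
    """Accounts reachable from `start` with no password, following trust transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for target, text in files.items():
            if target in seen:
                continue
            if any(trusts(e, target, src) for e in parse_entries(text)):
                seen.add(target)
                queue.append(target)
    return seen - {start}

if __name__ == "__main__":
    for finding in wildcard_findings(SAMPLE):
        print("wildcard entry:", finding)
    print("reachable from alpha/fred:", sorted(reachable(SAMPLE, ("alpha", "fred"))))
```

Run against the trust files collected from each host, the reachable set is the list of accounts whose trust entries need removing or whose access needs reviewing if the starting account is ever compromised.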