[Gllug] rlogin argument

Kieran Barry kieran at esperi.demon.co.uk
Wed Sep 19 18:02:20 UTC 2001


On Wed, 19 Sep 2001, Jonathan Dye wrote:

> At 12:58 19/09/01 +0100, you wrote:
> >Am I misunderstanding the security implications of rlogin?
> yes
> 
> >My understanding was :
> >
> >two boxes (ALPHA + BETA), say UNIX type OSes with the same account FRED on
> >both. Different passwords, no connections restrictions, rlogin daemon is
> >running.
> >
> >ALPHA : rlogin BETA
> >Welcome to BETA
> >
> >No password required to rlogin to the BETA box.
> >
> >Well I tried this from Solaris 2.6 to HP-UX 10.11 (I think) and the box I
> >was going to asked for a password. We even set the accounts to have the
> >same password on both boxes and it still asked for a password.
> >
> >Have HP (or any others) cleaned up the 'r' commands in some way - I've
> >been preaching that all 'r' commands are evil but if we are asked for a
> >password from box to box what is the problem (besides clear text going over
> >the network)???
> Rlogin allows you to login to the remote machine without a password if the
> user has set up a .rlogin file in their home directory.  The .rlogin file
> contains entries saying which users from which machines can login.  So the
> usernames don't even have to be the same.  The problem with this is that
> once you are into one machine you can rlogin to all the others without a
> password.  I think it may be possible to spoof it too but I'm not sure.  If
> there are no .rlogin files then it acts like telnet.
> 
One small point: the file in question is .rhosts, not .rlogin

And an addendum: if you trust every user on a particular box, you can
stick the FQDN in /etc/hosts.equiv to allow password-less access to the
same account on "this" box.

I hope that you won't use this, except to check that I'm right...

Regards

Kieran

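An added example, not part of this post or of the GLLUG list: a small Python audit of the trust files the thread is about (a user's .rhosts and /etc/hosts.equiv), flagging the entries that widen password-less rlogin beyond a single named host/user pair. The file contents below are constructed samples; the severity labels are the example's own.

```python
"""Audit rhosts-style trust files (.rhosts, /etc/hosts.equiv) for risky entries."""
from typing import List, Tuple

# Constructed sample contents for this example (not taken from any real host).
SAMPLE_HOSTS_EQUIV = """# hosts trusted by this box
alpha.example.org
+ fred
+@admins
"""
SAMPLE_RHOSTS = """beta.example.org fred
-evil.example.org
gamma.example.org +
"""


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (host, user) pairs; user is '' when the line has no username field."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return entries


def audit(text: str, is_hosts_equiv: bool) -> List[str]:
    """One finding per entry that grants more than one named user from one named host."""
    findings = []
    for host, user in parse_entries(text):
        entry = f"{host} {user}".strip()
        if host.startswith("-") or user.startswith("-"):
            continue  # explicit deny entries grant nothing
        if host == "+":
            findings.append(f"CRITICAL: '{entry}' trusts every host that can reach rlogind")
        elif host.startswith("+@"):
            findings.append(f"REVIEW: '{entry}' trusts every host in netgroup {host[2:]}")
        if user == "+":
            findings.append(f"CRITICAL: '{entry}' trusts every user on {host}")
        elif user.startswith("+@"):
            findings.append(f"REVIEW: '{entry}' trusts every user in netgroup {user[2:]}")
        elif user and is_hosts_equiv:
            # hosts.equiv(5): a username field lets that remote user log in as any local non-root account
            findings.append(f"HIGH: '{entry}' lets {user}@{host} become any local non-root account")
    return findings


if __name__ == "__main__":
    for name, text, equiv in (("hosts.equiv", SAMPLE_HOSTS_EQUIV, True), (".rhosts", SAMPLE_RHOSTS, False)):
        print(name, *audit(text, equiv), sep="\n  ")
```

Point the two samples at real file contents (each user's ~/.rhosts plus /etc/hosts.equiv) to inventory where password-less trust has been granted on a box.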

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug