[24] in bugtraq
Re: r commands
daemon@ATHENA.MIT.EDU (Fred Kuhns)
Tue Oct 18 12:03:11 1994
From: Fred Kuhns <Fred_Kuhns@npg.wustl.edu>
To: bugtraq@crimelab.com
Date: Tue, 18 Oct 1994 08:51:15 -0500 (CDT)
In-Reply-To: <9410172257.AA15020@dfw.net> from "Aleph One" at Oct 17, 94 05:57:49 pm
Aleph One writes:
>
>
> Well, guess I'll just pitch in my two cents. If you don't allow
> users to set up their own .rhosts files, or you disable them
> completely, then you lose what makes the r commands so wanted
> by people.... transparency. They like them because they don't have
Agreed.
> to type a user name and password to log into other machines. Now if
> this disappears then rlogin is a beefed up telnet. Therefore you must
> a) allow your users to use them and simply drop all incoming packets
> to any ports where the r daemons hang at the router, or b) don't allow
> them at all.
c) Get the source (like logdaemon from Wietse Venema or the BSD sources) and
modify it. For example, disallow .rhosts but allow the use of hosts.equiv;
this way a set of trusted hosts can be defined which allows the r-commands
to do their thing. It would also be a good idea to ensure common/unique
user and group ids across all trusted hosts - logdaemon does this.
Alternatively, define a set of user and host pairs which will be
allowed unauthenticated access and have the r-commands check this ACL.
fred
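The following is an added example, written for this archive page and not
taken from the post, from logdaemon or from the BSD rcmd sources. It
models option c) above: a ruserok()-style trust check that consults only
a hosts.equiv file (no ~/.rhosts), plus the explicit (host, remote user,
local user) allow list Fred mentions as an alternative. The file contents,
hostnames and user names are constructed; the matching rules are a
simplified reading of the classic hosts.equiv syntax (no netgroups, no
per-user deny entries), so treat them as illustrative rather than as a
drop-in replacement for the daemon's own code.

```python
# Added example (not from the post, logdaemon or BSD): a simplified
# hosts.equiv-only trust check for rlogind/rshd, plus an explicit
# (host, remote user, local user) ACL. All sample data is constructed.

# Constructed /etc/hosts.equiv. Classic one-entry-per-line syntax:
#   host          any user on host may log in as the SAME local name
#   host user     remote 'user' on host may log in as ANY local (non-root) name
#   -host         deny host outright
#   +             wildcard: trust every host (should never appear)
HOSTS_EQUIV = """\
# constructed hosts.equiv for the example
trusted1.example.org
trusted2.example.org   ops
-badhost.example.org
"""


def parse_hosts_equiv(text):
    """Return a list of (negate, host, user) triples from hosts.equiv text.

    Netgroup forms (+@group, -@group) are rejected rather than silently
    matched, because this example has no netgroup lookup at all.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2:
            raise ValueError("malformed hosts.equiv line: %r" % raw)
        host = fields[0]
        user = fields[1] if len(fields) == 2 else None
        if host.startswith(("@", "+@", "-@")):
            raise ValueError("netgroup entries not supported here: %r" % raw)
        negate = host.startswith("-")
        if negate:
            host = host[1:]
        entries.append((negate, host.lower(), user))
    return entries


def audit_hosts_equiv(entries):
    """Return human-readable warnings for wildcard entries.

    A bare '+' host (or a '+' user field) trusts everyone, which is the
    classic hosts.equiv misconfiguration an admin should grep for.
    """
    warnings = []
    for negate, host, user in entries:
        if negate:
            continue
        if host == "+":
            warnings.append("wildcard host '+': every host is trusted")
        if user == "+":
            warnings.append("wildcard user '+' for host %s" % host)
    return warnings


def ruserok_equiv(entries, rhost, ruser, luser):
    """Decide whether remote user `ruser` on `rhost` may become local user
    `luser` with no password, using hosts.equiv entries only.

    hosts.equiv never grants root; with ~root/.rhosts disabled as well,
    root always needs a password. The first matching host line decides.
    """
    if luser == "root":
        return False
    rhost = rhost.lower()
    for negate, host, user in entries:
        if host != "+" and host != rhost:
            continue
        if negate:
            return False            # explicit deny for this host wins
        if user is None:
            if ruser == luser:
                return True         # same-name login from a trusted host
            continue
        if user == "+" or user == ruser:
            return True             # named remote user, any local non-root name
    return False


# Fred's alternative: an explicit allow list of
# (remote host, remote user, local user) triples checked by the daemons.
PAIR_ACL = {
    ("trusted1.example.org", "alice", "alice"),
    ("trusted2.example.org", "ops", "backup"),
}


def ruserok_pairs(acl, rhost, ruser, luser):
    """Allow only exact (host, remote user, local user) triples; never root."""
    if luser == "root":
        return False
    return (rhost.lower(), ruser, luser) in acl


if __name__ == "__main__":
    entries = parse_hosts_equiv(HOSTS_EQUIV)
    for warn in audit_hosts_equiv(entries):
        print("WARNING:", warn)
    print(ruserok_equiv(entries, "trusted1.example.org", "alice", "alice"))
    print(ruserok_equiv(entries, "badhost.example.org", "alice", "alice"))
    print(ruserok_pairs(PAIR_ACL, "trusted2.example.org", "ops", "backup"))
```

The pair ACL is the tighter of the two: a plain `host` line in
hosts.equiv lets every account on that host in under its own name, while
the explicit triples let an administrator list exactly which remote
identities may map to which local ones, which is also where Fred's point
about keeping user and group ids consistent across the trusted hosts
matters.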