From owner-freebsd-bugs Sat Nov 23 08:30:14 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA01542 for bugs-outgoing; Sat, 23 Nov 1996 08:30:14 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA01534; Sat, 23 Nov 1996 08:30:08 -0800 (PST)
Date: Sat, 23 Nov 1996 08:30:08 -0800 (PST)
Message-Id: <199611231630.IAA01534@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Skip Watson
Subject: Re: bin/2092: rlogind not using passwords
Reply-To: Skip Watson
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/2092; it has been noted by GNATS.

From: Skip Watson
To: Poul-Henning Kamp
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2092: rlogind not using passwords
Date: Sat, 23 Nov 1996 11:20:16 -0500 (EST)

On Sat, 23 Nov 1996, Poul-Henning Kamp wrote:

> >>How-To-Repeat:
> >
> > It happens all of the time. There's nothing special that needs to be
> >done.
>
> Please take a peek in the manpage for ruserok() and see if you didn't
> overlook something...

From the man page (but you know this ;-)).

------------
The iruserok() and ruserok() functions take a remote host's IP address or
name, as returned by the gethostbyname(3) routines, two user names and a
flag indicating whether the local user's name is that of the super-user.
Then, if the user is NOT the super-user, it checks the /etc/hosts.equiv
file. If that lookup is not done, or is unsuccessful, the .rhosts in the
local user's home directory is checked to see if the request for service
is allowed.

If this file does not exist, is not a regular file, is owned by anyone
other than the user or the super-user, or is writeable by anyone other
than the owner, the check automatically fails. Zero is returned if the
machine name is listed in the ``hosts.equiv'' file, or the host and remote
user name are found in the ``.rhosts'' file; otherwise iruserok() and
ruserok() return -1.

If the local domain (as obtained from gethostname(2)) is the same as the
remote domain, only the machine name need be specified.
-----------

The user is not the super-user. The remote site is not in /etc/hosts.equiv
and the user has no .rhosts file. It should fail. I'm not a programmer so
I can't go in and check things :-(.

I did install tcp_wrapper to see if that made any difference. For what it
is worth, it didn't.

Skip

--
Auldhaefen Online Services
automated info: info@aldhfn.org      330 745-9380 voice
questions: support@aldhfn.org        330 753-8791 bbs/fax
person: ciaran@aldhfn.org            330 745-7624 data
WWW: http://www.ald.net
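
The four .rhosts file tests listed in the quoted man page text (exists, regular file, owned by the user or the super-user, not writable by anyone but the owner), written out as an added example that is not part of the original message and is not FreeBSD's libc code. The function names, the verdict enum and the temporary files are hypothetical and constructed for the demonstration; the /etc/hosts.equiv lookup and the parsing of .rhosts entries are not covered.

```c
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum rhosts_verdict { RH_OK, RH_MISSING, RH_NOT_REGULAR, RH_BAD_OWNER, RH_WRITABLE };

/* Apply the four file tests quoted from the man page to `path`.
 * `uid` is the local user's uid. Names here are hypothetical, not libc's. */
enum rhosts_verdict rhosts_file_check(const char *path, uid_t uid)
{
    struct stat sb;

    /* lstat() rather than stat(): a symlink is then reported as
     * "not a regular file" instead of being followed. */
    if (lstat(path, &sb) != 0)
        return RH_MISSING;
    if (!S_ISREG(sb.st_mode))
        return RH_NOT_REGULAR;
    if (sb.st_uid != uid && sb.st_uid != 0)      /* owner: user or root only */
        return RH_BAD_OWNER;
    if (sb.st_mode & (S_IWGRP | S_IWOTH))        /* writable beyond the owner */
        return RH_WRITABLE;
    return RH_OK;
}

/* Constructed sample: make a temp file with `mode`, check it, remove it. */
enum rhosts_verdict demo_verdict(mode_t mode)
{
    char path[] = "/tmp/rhosts-demo-XXXXXX";
    int fd = mkstemp(path);
    enum rhosts_verdict v;

    if (fd < 0)
        return RH_MISSING;
    fchmod(fd, mode);
    close(fd);
    v = rhosts_file_check(path, geteuid());
    unlink(path);
    return v;
}

int main(void)
{
    static const char *name[] = { "ok", "missing", "not regular", "bad owner", "writable" };
    printf("0600 -> %s\n", name[demo_verdict(0600)]);
    printf("0664 -> %s\n", name[demo_verdict(0664)]);
    printf("/    -> %s\n", name[rhosts_file_check("/", geteuid())]);
    return 0;
}
```

Any verdict other than `RH_OK` corresponds to the case where the man page says the check automatically fails.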