Date: Sat, 16 Nov 96 15:47:50 -0500 From: curt@kcwc.com (Curt Welch) To: questions@FreeBSD.org Cc: Jeremy Sigmon <jsigmon@www.hsc.wvu.edu> Subject: Re: Does RSH ignore ttys if .rhost present? Message-ID: <9611162047.AA02254@mail.kcwc.com>
next in thread | raw e-mail | index | archive | help
On Fri, 15 Nov 1996, Jeremy Sigmon wrote: > I thought that if a .rhosts file was present then the ttys file > was ignored. I have a .rhosts file in ~root , but I cannot rsh > to it. Works fine with non root. If it does not ignore ttys does > anyone know how to get it to do so if one exists? > thanks That is true. Make sure the ~root/.rhosts file is owned by root and not writeable by anybody else. It's also good practice to make it non readable by anybody but root as well. Doug wrote: > Somebody correct me on this, but doesn't this allow the > root user on the remote machine to gain root access to > your machine? That doesn't sound like a great idea. It is a security issue. It's usally only done when both machines are your machine, and both machines are on a trusted network (i.e. no untrusted or unsecure machines on the same subnet). The security is by name and IP address, so any machine with the same ip address could spoof your trusted machine. But this can only work when your machine is down and if the spoofing machine is on the same subnet as the trusted machine. If your machine was running, dup ip address errors would start showing up along with all sorts of other network problems. A remote machine on the Internet can set up their DNS server to say that their name is the same as your local machine, but rshd checks for this (for local trused machines or if the -a option is used) by doing a name lookup to verify that the name and ip match. This can not be spoofed as far as I know. As pointed out in other messages, if all you need to do is run shutdown, then maybe setting up a special account might be a safer way to go. > What program are you trying to run though rsh? Remember > it actually logs in as root, so if the port isn't secure > then it won't be permitted. This isn't true. If you do an rlogin, (or rsh with no comand which does an rlogin instead of an rsh) then this is true. But a plain rsh doesn't require you to make your ttys secure. For that matter, rsh doesn't even use ttys. Curt Welch curt@kcwc.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9611162047.AA02254>