rsh ~/.rhosts file
On UNIX users can have their personal .rhosts files which list users that are allowed to log into the account, in the form:

    silver:~->2% cat .rhosts
    + michaelg
    + foobar

And it works as advertised on every UNIX that I tried (Solaris, IRIX). However it looks like on Linux the behaviour is different: putting usernames into .rhosts has no effect, but putting hostnames _does_!

Why the difference? Anyone?

--
Warm regards,
Michael Green
*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
Assistant Unix Admin
Division of Information Systems
Weizmann Institute of Science
Rechovot 76100, Israel
Tel.: 972-8-9344216
Fax.: 972-8-9344102
Cel.: 972-52-3638926
*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
RE: rsh ~/.rhosts file
You cannot use "+" instead of hostname in linux.

Rgds,
Vitaly

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Green
Sent: Sunday, March 27, 2005 10:37 AM
To: ilug
Subject: rsh ~/.rhosts file
Re: rsh ~/.rhosts file
Michael Green wrote:

> On UNIX users can have their personal .rhosts files which list users
> that are allowed to log into the account, in the form:
>
>     silver:~->2% cat .rhosts
>     + michaelg
>     + foobar

First, let me state what should, by now, be obvious to anyone. Using rhosts is a security hole. It is fairly easy to bypass, and specifying only usernames means that anyone with a laptop on your network can get into the account.

It is much (and by that I mean MUCH MUCH MUCH) better to use ssh's equivalent, which authenticates using cryptographic keys, and does not allow an intruder to get in so easily.

> And it works as advertised on every UNIX that I tried (Solaris, IRIX).
> However it looks like on Linux the behaviour is different: putting
> usernames into .rhosts has no effect, but putting hostnames _does_!

There are two possible reasons for this. The first, and the less likely one, is that a global hosts.deny (or whatever the rsh equivalent is) is stopping this. Check it out.

The second, more likely, is that the ident service is not running. rsh uses ident to find out which user is the one initiating the connection. If a Linux machine is not running ident, rsh won't be able to get the user name, and user based authentication will not work.

> Why the difference? Anyone?

Please do consider dropping this outdated mechanism in favor of better, more secure, ones.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work?
http://www.lingnu.com/backup.html
Re: rsh ~/.rhosts file
On Sun, 27 Mar 2005 10:58:31 +0200, Shachar Shemesh <[EMAIL PROTECTED]> wrote:

> First, let me state what should, by now, be obvious to anyone. Using
> rhosts is a security hole.

Shachar, you make very valid points here. Thank you.
In fact I realize very well (I hope I do) all the risks involved in using the rsh/rlogin/telnet mechanism.
However our users insist on using rsh instead of ssh for various reasons (conservatism being one of them). And I'm not in the position to fight their weak security practices. I'm here to help them with whatever they need and if they need rsh to be more productive (one of their arguments) - so be it.

> There are two possible reasons for this. The first, and the less likely
> one, is that a global hosts.deny (or whatever the rsh equivalent is) is
> stopping this. Check it out.

No files like these. The two files related to rsh that I see on the system are:

    /etc/hosts.equiv
    /root/.rhosts

> The second, more likely, is that the ident service is not running.

It does, because I'm able to rsh into the machine from those hosts listed in hosts.equiv. It is my understanding that if identd/xinetd were not up I wouldn't be able to rsh from anywhere, right?

--
Warm regards,
Michael Green
Re: rsh ~/.rhosts file
Michael Green wrote:

> I'm here to help them with whatever they need and if they need rsh to
> be more productive (one of their arguments) - so be it.

Well, I'll just say this, and then drop the subject. The main reason people usually use rhosts is to allow login without entering a password. SSH gives you that with public-key authentication. As far as end user experience goes, it is precisely the same, only replacing "rsh" with "ssh". Even the command line remains the same.

> No files like these. The two files related to rsh that I see on the
> system are:
>
>     /etc/hosts.equiv
>     /root/.rhosts

Sorry I couldn't help more. I don't know rsh very well, as you may have gathered :-).

Shachar
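Shachar's advice above, public-key ssh as the drop-in replacement for rhosts, only buys anything if sshd is not itself configured to honour rhosts-style trust. The script below is an added example (mine, not from this thread, and not part of any project discussed here) that reads an sshd_config and reports the settings that would re-create that trust. The keywords IgnoreRhosts, HostbasedAuthentication, RhostsRSAAuthentication and PubkeyAuthentication are real OpenSSH keywords with their documented defaults assumed; the two sample configurations, the helper names and the temp-file handling are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): find rhosts-style trust in an sshd_config.
# Assumes OpenSSH sshd_config syntax: "Keyword value" per line, keywords are
# case-insensitive, the FIRST value for a keyword wins, "#" starts a comment.
# Match blocks are treated as global settings (a simplification of this example).

# check_sshd_config FILE: print one line per weak setting; return 1 if any found.
check_sshd_config() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }                              # comments, blank lines
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) } # first value wins
        END {
            # OpenSSH defaults for keywords the file does not set
            if (!("ignorerhosts" in val))            val["ignorerhosts"] = "yes"
            if (!("hostbasedauthentication" in val)) val["hostbasedauthentication"] = "no"
            if (!("rhostsrsaauthentication" in val)) val["rhostsrsaauthentication"] = "no"
            if (!("pubkeyauthentication" in val))    val["pubkeyauthentication"] = "yes"
            n = 0
            if (val["ignorerhosts"] == "no") { print "WEAK: IgnoreRhosts no (sshd consults ~/.rhosts and ~/.shosts)"; n++ }
            if (val["hostbasedauthentication"] == "yes") { print "WEAK: HostbasedAuthentication yes (trust decided by client host, as with rsh)"; n++ }
            if (val["rhostsrsaauthentication"] == "yes") { print "WEAK: RhostsRSAAuthentication yes (protocol-1 rhosts trust)"; n++ }
            if (val["pubkeyauthentication"] != "yes") { print "WEAK: PubkeyAuthentication off (no key-based passwordless login)"; n++ }
            exit (n > 0)
        }' "$1"
}

# Constructed sample: an sshd_config bent to behave like rsh (what to avoid).
WEAK_SSHD_CONFIG='# sshd_config that mimics rsh trust
Port 22
IgnoreRhosts no
HostbasedAuthentication yes
RhostsRSAAuthentication yes
PasswordAuthentication yes'

# Constructed sample: key-based passwordless login with rhosts trust off.
HARDENED_SSHD_CONFIG='# sshd_config for public-key login only
Port 22
IgnoreRhosts yes
HostbasedAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no'

# Helpers so the check can run offline against the constructed samples.
write_weak_sshd_config()     { printf '%s\n' "$WEAK_SSHD_CONFIG" > "$1"; }
write_hardened_sshd_config() { printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$1"; }

# Stand-alone run: the weak config yields three findings, the hardened one none.
_w=$(mktemp); _h=$(mktemp)
write_weak_sshd_config "$_w"; write_hardened_sshd_config "$_h"
echo "== weak config =="
check_sshd_config "$_w" || echo "(rhosts-style trust is enabled)"
echo "== hardened config =="
check_sshd_config "$_h" && echo "(no rhosts-style trust)"
rm -f "$_w" "$_h"
```

Run it against a real file with `check_sshd_config /etc/ssh/sshd_config`; the exit status makes it usable from a configuration-management check. Password authentication is not flagged because the thread's goal is passwordless login, which the hardened sample gets from PubkeyAuthentication alone.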
Re: rsh ~/.rhosts file
On Sun, 27 Mar 2005 10:54:38 +0200, Karasik, Vitaly <[EMAIL PROTECTED]> wrote:

> You cannot use "+" instead of hostname in linux.

That did it! Thanks!

--
Warm regards,
Michael Green
Re: rsh ~/.rhosts file
On Sun, Mar 27, 2005 at 11:24:01AM +0200, Michael Green wrote:

> On Sun, 27 Mar 2005 10:58:31 +0200, Shachar Shemesh
> <[EMAIL PROTECTED]> wrote:
>
> > First, let me state what should, by now, be obvious to anyone. Using
> > rhosts is a security hole.
>
> Shachar, you make very valid points here. Thank you.
> In fact I realize very well (I hope I do) all the risks involved in
> using the rsh/rlogin/telnet mechanism.
> However our users insist on using rsh instead of ssh for various
> reasons (conservatism being one of them).
> And I'm not in the position to
> fight their weak security practices. I'm here to help them with
> whatever they need and if they need rsh to be more productive (one of
> their arguments) - so be it.

What exactly are the advantages of rsh over ssh?

Besides the obvious ones:

* slightly lower cpu usage
* (slightly?) lower bandwidth usage for file transfers
* The client's code is smaller, in case you're very stressed with disk space

Besides those points, I can hardly find anything rsh can do and ssh can't. And yes: ssh supports ~/.rhosts, if you'll force it. In fact, when I was looking for reference on the ~/.rhosts file a couple of years ago on a redhat workstation, I only found it documented in ssh's docs.

rcp's behaviour is horrible. Even worse than scp. And generally the r-programs lack verbosity in case of trouble.

So do them a favour and make them use ssh. It is really for their own good. Replace rsh with a symlink to ssh if you have to ;-)

> > The second, more likely, is that the ident service is not running.
>
> It does, because I'm able to rsh into the machine from those hosts
> listed in hosts.equiv. It is my understanding that if identd/xinetd
> were not up I wouldn't be able to rsh from anywhere, right?

Right.

    netstat -lntp | grep 51

--
Tzafrir Cohen         | New signature for new address and  | VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's
[EMAIL PROTECTED]     ||                                   | best
ICQ# 16849755         | Space reserved for other protocols | friend
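Two checks come up in this thread: Shachar's point that a "+ user" entry trusts an ident-supplied username from any host on the network, and Tzafrir's netstat command for seeing whether the r-services are listening at all. The script below is an added example (mine, not code from the thread or from any project named in it) that puts both into a defender's audit: it flags wildcard entries in an rhosts-style file and filters netstat -lntp output down to the r-service ports. The rhosts(5) syntax and the netstat column layout are assumed as documented; the sample file contents, the netstat lines and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit an .rhosts / hosts.equiv file for
# wildcard trust entries and filter a netstat listing to the r-service ports.
# Assumptions, not from the thread: rhosts(5) syntax ("hostname [username]" per
# line, "+" wildcard, leading "-" deny, "+@" netgroup) and the netstat -lntp
# column layout (local address in column 4). All sample data is constructed.

# Constructed ~/.rhosts sample: the thread's two "+ user" lines plus other shapes.
SAMPLE_RHOSTS='+ michaelg
+ foobar
silver.example.org
# comment line
silver.example.org alice
silver.example.org +
+
-badhost.example.org
+@trustedgroup bob'

# write_sample_rhosts PATH: materialise the sample so the audit runs offline.
write_sample_rhosts() { printf '%s\n' "$SAMPLE_RHOSTS" > "$1"; }

# audit_rhosts FILE: print one finding per risky entry; return 1 if any found.
audit_rhosts() {
    _file=$1
    _found=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        set -- $_line                                 # word-split into host [user]
        _host=$1; _user=${2:-}
        case "$_host" in
            '+')
                if [ -z "$_user" ]; then
                    echo "CRITICAL: '+' alone trusts every user on every host"
                else
                    echo "HIGH: '+ $_user' trusts '$_user' from ANY host (username comes from ident, which is unauthenticated)"
                fi
                _found=1 ;;
            '+@'*)
                echo "MEDIUM: netgroup wildcard '$_host' (user '${_user:-same as local}')"
                _found=1 ;;
            '-'*) ;;                                   # explicit deny entry: fine
            *)
                if [ "$_user" = '+' ]; then
                    echo "HIGH: '$_host +' trusts EVERY user on $_host"
                    _found=1
                fi ;;
        esac
    done < "$_file"
    return $_found
}

# rservice_listeners: read netstat -lntp output on stdin and keep only the lines
# whose local port is 512 (exec), 513 (login) or 514 (shell). A plain "grep 51"
# also matches unrelated ports and PIDs that happen to contain "51".
rservice_listeners() {
    awk '$1 ~ /^tcp/ { n = split($4, a, ":"); if (a[n] ~ /^51[234]$/) print }'
}

# Constructed netstat -lntp output, with one decoy line that "grep 51" matches.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      901/xinetd
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      901/xinetd
tcp        0      0 127.0.0.1:5151          0.0.0.0:*               LISTEN      1510/decoyd'

# Stand-alone run: five findings from the sample file, two r-service listeners.
_tmp=$(mktemp)
write_sample_rhosts "$_tmp"
if audit_rhosts "$_tmp"; then
    echo "rhosts: no wildcard trust entries"
else
    echo "rhosts: wildcard trust entries found (see above)"
fi
echo "r-services listening:"
printf '%s\n' "$NETSTAT_SAMPLE" | rservice_listeners
rm -f "$_tmp"
```

On a real host, run `audit_rhosts /etc/hosts.equiv` and the same over each user's ~/.rhosts, and pipe live `netstat -lntp` output into `rservice_listeners`. The awk filter keys on the port column, so a PID or an unrelated port that happens to contain "51" (the decoy line above) does not show up the way it would with the thread's quick `grep 51`.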
Re: rsh ~/.rhosts file
Guys, I'd really want to stop this discussion. I've got the answer I was looking for. Thank you for that (Vitaly)!

I'm not in the mood to discuss here Weizmann's computing choices. I'm really sorry it got down to this.

Thank you,
Michael

On Sun, 27 Mar 2005 22:50:31 +0200, Tzafrir Cohen <[EMAIL PROTECTED]> wrote: