Evils of /.rhosts file

System Administrator

Apr 24, 1995, 3:00:00 AM
Does /.rhosts represent an intrinsic weakness, or am I correct in
thinking that it just spreads your vulnerability? That is, if a host in
/.rhosts is compromised, then all machines that share that entry are
compromised.

Alternate way of asking the same question: If
aardvark.subnet.domain has badger.subnet.domain in its /.rhosts file,
how difficult is it for a machine outside of subnet.domain to spoof
aardvark into thinking that it's talking to badger?


Paul Phillips

Apr 25, 1995, 3:00:00 AM
In article <3ngqq7$f...@rover.ucs.ualberta.ca>
sher...@fenris.space.ualberta.ca (System Administrator) writes:
> Alternate way of asking the same question: If
>aardvark.subnet.domain has badger.subnet.domain in its /.rhosts file,
>how difficult is it for a machine outside of subnet.domain to spoof
>aardvark into thinking that it's talking to badger?

Totally depends on your setup. If you have a screening router that
drops packets headed into your subnet that have an internal source
address, it's very hard. If you don't, but have some other mechanism
that makes an effort to verify the source of packets, difficulty varies.
If you make no effort, it's still hard, but it's sure been done before.

-PSP

--
"Obviously unlike you people, I don't have time to edit the newsgroups
line for every single article I post."
-- Mark Lindner
alt.folklore.computers

James Seymour

Apr 28, 1995, 3:00:00 AM
In article <3ngqq7$f...@rover.ucs.ualberta.ca> sher...@fenris.space.ualberta.ca (System Administrator) writes:
> Does /.rhosts represent an intrinsic weakness, or am I correct in
>thinking that it just spreads your vulnerability? That is, if a host in
>/.rhosts is compromised, then all machines that share that entry are
>compromised.

So far as I'm aware, from my studies, the latter. But isn't
that bad enough? Should individual users be determining
inter-machine security issues? By that I mean: if the
SysAdmin of a certain machine has determined that another
machine is not to be trusted (as evidenced by the lack of it
being in /etc/hosts.equiv), should individual users be
allowed to contravene that decision? Most advice *I've*
read on system and network security is: no. And that is the
stance we take.

>
> Alternate way of asking the same question: If
>aardvark.subnet.domain has badger.subnet.domain in its /.rhosts file,
>how difficult is it for a machine outside of subnet.domain to spoof
>aardvark into thinking that it's talking to badger?
>

As mentioned by someone else: real difficult, if a capable
and properly-configured router is placed between subnet.domain
and the rest of the world.

Regards,
Jim
--
Jim Seymour | Medar, Inc.
Systems & Network Maintenance Drone | 38700 Grand River Ave.
...uunet!medar!jseymour | Farmington Hills, MI. 48335-1563
jsey...@medar.com | FAX: (810)477-8897

Adrian Colley

Apr 28, 1995, 3:00:00 AM
In <3ngqq7$f...@rover.ucs.ualberta.ca> sher...@fenris.space.ualberta.ca
(System Administrator) writes:

> If
>aardvark.subnet.domain has badger.subnet.domain in its /.rhosts file,
>how difficult is it for a machine outside of subnet.domain to spoof
>aardvark into thinking that it's talking to badger?

If you have a filtering router connecting subnet.domain, you won't get
spoofing from outside (assuming the router is set up correctly). If
you don't, then you definitely are vulnerable, even if the attacker
can't see the replies.

Since your /.rhosts names badger, you may be vulnerable to a DNS attack
(I don't know much about these).

You also spread the risk by depending on the integrity of the other
machines inside the filtered subnet.

So, if some latter-day RTM designed a worm which exploited IP or DNS
spoofing and managed to break into a machine in subnet.domain, you'd be
quite vulnerable. Life is hard.

Oh yes, you also effectively inherit the /.rhosts entries on badger and
others, and on the machines named in badger's /.rhosts, and so on until
you reach transitive closure.

Hope this helps. Have a nice day.

--
/ Adrian Colley, Student Computing Research Group, TCD. \
| email: <aeco...@scrg.cs.tcd.ie> vocalnet: (+353-1-)6606239 |
| "Only Microsoft Corp. can spit in software vendor's eyes." |
\ -- Marc Dodge (mdo...@radiomail.net) /
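
The transitive inheritance of /.rhosts entries described in the post above, worked through as an added example that is not part of the original thread: an audit sketch that follows root trust from one host until it reaches closure. The hosts civet and dingo, the file contents, and the simplified parsing (host in the first field, `#` comment lines, `+` as the any-host wildcard, `-` entries skipped) are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: root's /.rhosts on each host, as collected by an
# auditor. Only aardvark and badger come from the thread; the rest is invented.
ROOT_RHOSTS = {
    "aardvark.subnet.domain": "badger.subnet.domain\n",
    "badger.subnet.domain": "# lab machines\ncivet.subnet.domain root\n"
                            "dingo.other.example\n",
    "civet.subnet.domain": "",
    "dingo.other.example": "+ +\n",
}

def parse_rhosts(text):
    """Return the hosts named in a /.rhosts file; '+' stands for any host.

    Simplified: the optional user field is ignored, because root on a
    trusted host can assume any local user name there anyway.
    """
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split()[0].lower()
        if host.startswith("-"):  # negative entry: grants nothing
            continue
        hosts.add("+" if host.startswith("+") else host)
    return hosts

def exposure(target, rhosts_by_host):
    """Hosts whose compromise transitively yields root on `target`.

    Returns (hosts, wildcard_at); wildcard_at lists the hosts in the chain
    whose /.rhosts trusts every host, which makes the closure unbounded.
    """
    seen, wildcard_at, queue = set(), [], deque([target])
    while queue:
        host = queue.popleft()
        for trusted in sorted(parse_rhosts(rhosts_by_host.get(host, ""))):
            if trusted == "+":
                wildcard_at.append(host)
            elif trusted != target and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return seen, wildcard_at

if __name__ == "__main__":
    hosts, wild = exposure("aardvark.subnet.domain", ROOT_RHOSTS)
    print("root on aardvark depends on:", sorted(hosts))
    print("wildcard trust found on:", wild)
```

In this sample aardvark names only badger, yet its root account ends up depending on a host outside subnet.domain that trusts everyone.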
