For security reasons we need to block direct telnet or remote login
using the root account. Every system administrator has to use the su
command to become root. But by disabling rlogin in /etc/security/user we
lose the ability to use the rsh command. As we have many control scripts
running from a central administration server, this causes a lot of headaches.
Do you guys have any idea how to achieve a (hopefully) secure system
without losing rsh capability? Is there some kind of tool to circumvent
this?
Thanks for any help.
KKT
Hi,
take a look at /etc/inetd.conf. You'll find two lines like
shell stream tcp6 nowait root /usr/sbin/rshd rshd
login stream tcp6 nowait root /usr/sbin/rlogind rlogind
so try to comment out the "login" line and enable "rlogin" for the
user. This should work.
Regards,
Uwe Auer
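As an added example (not part of Uwe's post or of any AIX documentation), here is that inetd.conf edit done from the shell on a copy of the file, with a check that the "shell" (rshd) line survives and that running the edit twice does not double-comment the line. Note that commenting out the "login" service stops rlogind for every user, not only root; telnetd is a separate "telnet" line and is not touched. The sample inetd.conf contents, the temporary file names and the demo function are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: comment out the "login" (rlogind)
# service in a copy of /etc/inetd.conf while leaving "shell" (rshd) alone.

# inetd_disable FILE SERVICE: comment out every active line whose first
# field is exactly SERVICE.  Idempotent: already-commented lines are left.
inetd_disable() {
  tmp="$1.new.$$"
  # "^SERVICE" followed by a blank or tab, at line start, not yet commented
  sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# inetd_enabled FILE SERVICE -> 0 if an uncommented SERVICE line exists
inetd_enabled() {
  grep -q "^$2[[:space:]]" "$1"
}

# make_sample FILE: constructed sample of the relevant inetd.conf lines
# (AIX 4.3 layout: service socket protocol wait/nowait user path args).
make_sample() {
  cat > "$1" <<'EOF'
## service socket protocol wait/nowait user server_path server_args
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd    ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd    rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind rlogind
EOF
}

# demo: disable rlogind in a scratch copy and report what stays enabled.
# Prints a one-line summary such as "login=off shell=on telnet=on".
demo() {
  f=${TMPDIR:-/tmp}/inetd.conf.demo.$$
  make_sample "$f"
  inetd_disable "$f" login
  inetd_disable "$f" login        # second run must not add a second '#'
  out=""
  for s in login shell telnet; do
    if inetd_enabled "$f" "$s"; then out="$out $s=on"; else out="$out $s=off"; fi
  done
  rm -f "$f"
  echo "${out# }"
}

# On the real box, after editing /etc/inetd.conf itself:
#   refresh -s inetd            # make inetd re-read its configuration
# Uwe's post then re-enables the attribute for root in /etc/security/user:
#   chuser rlogin=true root
demo
```

The sed pattern anchors on the first field only, so a service name that happens to appear later on a line (for example in a server path) is never matched, and a line that is already commented does not start with the service name and is skipped.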
Unfortunately, if you disable remote login for root in
/etc/security/user, you won't be able to connect to your box directly
as the root user. A solution could be to leave this open, then restrict
access to the "inetd" daemon with, for example, tcp_wrappers. Then,
for security, you should ban the use of the "r" commands and prefer the nice
features of ssh, for example the excellent OpenSSH version. You will
be able to do the same thing but with strong authentication and
encryption. Combined with tcp wrappers you can have nice control of your
servers.
Thierry
>For security reasons we need to block direct telnet or remote login
>using the root account. Every system administrator has to use the su
>command to become root. But by disabling rlogin in /etc/security/user we
>lose the ability to use the rsh command.
This does not appear to be the case on AIX 4.3.3. That is, even with
rlogin set false for root, you can still rsh in as root. I'm pretty
sure it's been this way since AIX 4.1.5, at least.
That is,
# rlogin host # fails
# rsh host # fails
# rsh host some_command # works
>Do you guys have any idea how to achieve a (hopefully) secure system
>without losing rsh capability ?
The dangers of rlogin are greatly exaggerated. With switched networks,
rather than simple hubs, smart routers, tcp_wrappers, and more secure
name servers, rlogin is not that big a risk.
Further, anything anyone could do via root rlogin, they can do via root
rsh. It's just that user rlogin followed by su gives a little more
indication of who goofed when something goes wrong.
Actually, in this instance, user rlogin + su is less secure.
That is, when the user su's, he must enter the root password, which
goes across the wire in plain text because he is using rlogin. So, you
should be using SSH (slogin) instead of rlogin everywhere*, starting
right at the device connected to the keyboard (e.g., your Mac, Windows,
Linux, or Unix workstation). Every remote connection from then on
should also use slogin. All it takes is one unencrypted link in the
chain for root's password to leak out in the clear.
*There are products other than SSH that provide over-the-wire encryption,
including versions of telnet. SSH is just the most common.
--
Dale Talcott, Purdue University Computing Center
a...@quest.cc.purdue.edu http://quest.cc.purdue.edu/~aeh/
Use tcpwrapper; network control by the access files /etc/hosts.deny and
/etc/hosts.allow
Nico Lammers
nico.l...@hccnet.nl
Django Reinhardt <grabow.@hotmail.com> wrote in news message
grabow.-2811...@p0779.vwr.euronet.nl...
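Both Thierry's and Nico's posts point at tcp_wrappers and its /etc/hosts.allow and /etc/hosts.deny files. As an added example that is not from the thread and not the tcp_wrappers code itself, here is a small shell re-implementation of the tcp_wrappers decision order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) that makes the usual mistake visible: a hosts.allow listing only the management network shuts nobody out unless hosts.deny also carries a catch-all entry. The daemon names, host names, addresses and file contents are constructed for the example, and only a subset of the hosts_access(5) pattern syntax is handled, as the comments say.

```shell
#!/bin/sh
# Added example, not from the thread: a toy evaluator of the tcp_wrappers
# access decision, used to show the weak setup (hosts.allow only) beside
# the corrected one (hosts.allow plus a catch-all hosts.deny).
# Evaluation order, as tcp_wrappers does it:
#   1. a matching entry in hosts.allow   -> access granted
#   2. else a matching entry in hosts.deny -> access refused
#   3. else                               -> access GRANTED (the default)
# Supported client patterns (subset of hosts_access(5)): ALL, an exact
# host name or address, a leading-dot domain suffix (.example.com) and a
# trailing-dot network prefix (10.1.).  EXCEPT, LOCAL, KNOWN, PARANOID and
# net/mask forms are not implemented.

# pat_match PATTERN NAME ADDR -> 0 if PATTERN matches the client
pat_match() {
  case "$1" in
    ALL) return 0 ;;
    .*)  case "$2" in *"$1") return 0 ;; esac ;;   # .domain suffix on name
    *.)  case "$3" in "$1"*) return 0 ;; esac ;;   # 10.1. prefix on address
    *)   [ "$1" = "$2" ] || [ "$1" = "$3" ] && return 0 ;;
  esac
  return 1
}

# list_match LIST NAME ADDR -> 0 if any comma/blank separated item matches
list_match() {
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    pat_match "$item" "$2" "$3" && return 0
  done
  return 1
}

# file_match FILE DAEMON NAME ADDR -> 0 if FILE has a "daemons : clients"
# entry matching both.  Reads the file directly (no pipe) so that 'return'
# behaves the same in ksh (AIX sh) and in bash.
file_match() {
  [ -r "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                          # strip comments
    case "$line" in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}
    rest=${line#*:}
    clist=${rest%%:*}                         # drop any ": option" field
    list_match "$dlist" "$2" "$2" || continue
    list_match "$clist" "$3" "$4" && return 0
  done < "$1"
  return 1
}

# hosts_access ALLOWFILE DENYFILE DAEMON NAME ADDR -> prints ALLOW or DENY
hosts_access() {
  if file_match "$1" "$3" "$4" "$5"; then echo ALLOW; return 0; fi
  if file_match "$2" "$3" "$4" "$5"; then echo DENY;  return 1; fi
  echo ALLOW                                  # nothing matched: default is open
  return 0
}

# decide DENY_CONTENT DAEMON NAME ADDR: writes a constructed hosts.allow
# admitting the management network 10.1.0.0/16 and admin.example.com to
# rshd and rlogind, pairs it with a hosts.deny holding DENY_CONTENT (empty
# string = no hosts.deny at all) and prints the decision for one client.
decide() {
  d=${TMPDIR:-/tmp}/tcpw_demo.$$
  mkdir -p "$d"
  printf 'rshd, rlogind : 10.1. admin.example.com\n' > "$d/hosts.allow"
  if [ -n "$1" ]; then printf '%s\n' "$1" > "$d/hosts.deny"; else rm -f "$d/hosts.deny"; fi
  hosts_access "$d/hosts.allow" "$d/hosts.deny" "$2" "$3" "$4"
  rc=$?
  rm -rf "$d"
  return $rc
}

# Weak setup: hosts.allow only.  A host from outside still gets in.
weak_outside()  { decide ""         rshd    host.attacker.test 192.0.2.7; }
# Fixed setup: the catch-all in hosts.deny closes the default-open hole.
fixed_outside() { decide "ALL: ALL" rshd    host.attacker.test 192.0.2.7; }
fixed_mgmt()    { decide "ALL: ALL" rshd    mgmt01.example.com 10.1.4.2; }
fixed_admin()   { decide "ALL: ALL" rlogind admin.example.com  198.51.100.9; }
fixed_sshd()    { decide "ALL: ALL" sshd    mgmt01.example.com 10.1.4.2; }

for f in weak_outside fixed_outside fixed_mgmt fixed_admin fixed_sshd; do
  printf '%-14s %s\n' "$f:" "$($f)"
done
```

The fixed_sshd case is worth noticing: once hosts.deny says "ALL: ALL", every wrapped daemon not named in hosts.allow is refused, so an sshd that is later put behind tcpd needs its own hosts.allow entry. The real library also does reverse-lookup checks on the client name that this toy skips; use tcpdmatch on the real files for the authoritative answer.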