Summary: Preventing users from rsh'ing

From: Freedman, Dan (Dan.Freedman@GSC.GTE.Com)
Date: Thu Jan 29 1998 - 13:11:48 CST


Thanks for all the responses. My original question:
Hello,

Was wondering if anyone might know of a way to prevent users from using
rsh to execute programs on remote machines. If a user places a "+ user"
line in his .rhosts file, how can I override this? We are using NIS+
(Solaris 2.4) and all home accounts are automounted on all machines upon
login.

I have tried modifying and removing the hosts.equiv file on the remote
machine. This does not help if the user has a .rhosts file. I have
also tried to restrict access inside the hosts.equiv by using -@hosts
...no luck. In fact the Solaris admin books I have read say the only
way to prevent users from doing this is to periodically remove users'
.rhosts files. Yuck. This seems kind of ridiculous because they only
have to recreate them to start rsh'ing again. Anyone know of some
clever way to address this problem?

***********
Solution:

A few responses gave me just the solution I was looking for. Simply put
a .rhosts file in each user's directory owned by root with 000
permission. This works great because I can give rsh access to specific
machines via the hosts.equiv file.

Other solutions included disabling rexecd via modifications to
inetd.conf. Also some suggested I get my hands on the source for rsh
and remove the .rhosts references from it.

Thanks for the responses,
Dan Freedman
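
A periodic check that the placeholder described above is still in place, as an added example that is not part of the original post: it flags any home directory whose .rhosts is missing, a symlink, not owned by uid 0, or not mode 000. The function names check_rhosts and audit_homes and the /home path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit the root-owned, mode-000 .rhosts placeholder.
# check_rhosts and audit_homes are hypothetical helper names.

# check_rhosts HOME [UID]: print one status word for HOME/.rhosts.
# UID is the numeric owner expected on the placeholder (default 0, root).
check_rhosts() {
    f="$1/.rhosts"
    want="${2:-0}"
    if [ -h "$f" ]; then
        echo SYMLINK              # a link is not the placeholder
    elif [ ! -e "$f" ]; then
        echo MISSING              # nothing blocks the user creating one
    elif [ ! -f "$f" ]; then
        echo NOTFILE
    else
        # ls -ldn prints: mode links uid gid ...; keep the 10 mode
        # characters (dropping any ACL marker) and the numeric owner.
        info=$(ls -ldn "$f" | awk '{ print substr($1, 1, 10), $3 }')
        mode=${info% *}
        owner=${info#* }
        if [ "$owner" != "$want" ]; then
            echo "BADOWNER:$owner"
        elif [ "$mode" != "----------" ]; then
            echo "BADMODE:$mode"
        else
            echo OK
        fi
    fi
}

# audit_homes BASE [UID]: one "STATUS path" line per home directory
# under BASE whose placeholder is not intact.
audit_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        s=$(check_rhosts "${d%/}" "${2:-0}")
        [ "$s" = OK ] || echo "$s ${d%/}"
    done
    return 0
}

# Usage (base path is an assumption): sh audit_rhosts.sh /home
if [ "$#" -gt 0 ]; then
    audit_homes "$@"
fi
```

Run it from cron on the machine that exports the home directories and alert on any output.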


