SUMMARY rlogind security problem

From: Marc Hansen (
Date: Mon Nov 16 1998 - 10:02:24 CST

Thanks for all the help.

As many people pointed out, the behavior I described is both expected and
documented in the man page of hosts.equiv.

I thought Casper Dik explained the behavior best with these words:

    "You should read /etc/hosts.equiv as something that is prepended
     to every .rhosts file. [If the host aegean's /etc/hosts.equiv contains:]

          peri mhansen

     This line in the /etc/hosts.equiv file means:
         mhansen@peri is allowed to log in to aegean as *any* other user.

     That's because everybody's (except root's) .rhost file now starts with:

          peri mhansen

     This is how /etc/hosts.equiv has always worked."

It seems the overwhelming recommendation is to use ssh instead. I have
used ssh on our web site for two years. I have found it to be stable and it
has exactly the same user syntax as rsh and rlogin. I was just hoping that
I wouldn't need to install it on every other system in the organization.
See the following for ssh info:


>Sun Managers:
>We seem to have found an interesting security problem with in.rlogind. If
>/etc/hosts.equiv lists a specific host and a specific user then that user is
>allowed to change uid at will using rlogin -l. I get this behavior on
>Solaris 2.6. I am certain that I did not have this behavior on SunOS 4.1.3
>but I no longer have any machines to test it with. I have also tested the
>same situation with HP-UX 10.20 and do not have the problem there.
>Yes I know rsh/rlogin isn't that secure, but I always thought my risk was
>limited to attack from people with considerable technical knowledge. Since
>this network is only accessible from inside our building I wasn't too
>worried, until now. Actually I don't need rlogin at all, its rsh that we
>really use.
>First, I thought others should be aware of the security problem. IMHO this
>is a bug. Users should not be allowed to change UID without a password. I
>have opened a service call with Sun. Second, I was wondering if others get
>this behavior and/or have fixed the problem. One solution is to leave the
>second field in /etc/hosts.equiv blank, but then I have opened rsh/rlogin to
>every user from the specified host. At the moment this seems like the lesser
>Of course I will summarize.
>Example 1
>{root@aegean:1} cat /etc/hosts.equiv
>peri mhansen
>{mhansen@peri:1} rlogin -l igrant aegean
>Last login: Thu Nov 12 11:14:10 from
>Example 2
>{root@aegean:3} cat /etc/hosts.equiv
>{mhansen@peri:2} rlogin -l igrant aegean
>Login incorrect
>BTW, there are no ~/.rhosts files on the host aegean


This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:52 CDT