All respondents suggested against allowing .rhosts in user's home. Reasons were:

o Anyone can masquerade username to gain access from any host if they can
  defeat firewall.
o Even if + is replaced by hostname/IP address, hackers can masquerade
  hostname/IP.
o You don't have to be root to cause trouble. You can fill up certain
  filesystems, invoke bogus processes, etc.
o Once in, hackers can find enough weaknesses to gain superuser access on
  your system.

To overcome that, most of the respondents suggested using 'ssh' which can be
found at:
ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.25.tar.gz
ftp://ftp.gw.com/pub/unix/ssh
http://www.sdsc.edu/projects/ssh/ssh.html (Info)
http://www.npaci.edu/Security (Info)
http://www.ssh.net
http://www.ssh.org
Thanks to the following for their quick and comprehensive responses:
David Foster <foster@dim.ucsd.edu>
Duncan Phillips <dphillip@halfdome.acs.uci.edu>
James Mularadelis <james.mularadelis@bms.com>
"Boyko, Steve" <SBoyko@nbpower.com>
Shawn Kondel <shawnk@sunfs.math.usu.edu>
Todd Jensen <jensen@erim-int.com>
Adam and Christine Levin <levins@westnet.com>
Daniel Muino <dmuino@afip.gov.ar>
gabriel rosenkoetter <gr@cs.swarthmore.edu>
Carlo Musante <carlo@ucomm.wayne.edu>
"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>
"Edwards Philip M Ctr AFRL/SNRR" <Philip.Edwards@sn.wpafb.af.mil>
Jon Bernard <jbber@src.uchicago.edu>
"Timothy Lindgren" <Timothy_Lindgren@enron.com>
daniel.polombo@detexis.thomson-csf.com
"Reichert, Alan" <aareichert@tasc.com>
------------ Original Question Follows ----------------
Some of the users have .rhosts file with following entry:
+ <username>
This facilitates them to logon to other systems w/o getting prompted for the
password (NIS is not used).
What security hazard can it pose to the system(s) if the user is a normal user
(i.e. no super user privileges).
Thanks and I will summarize.
...Manjeet
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT
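
An added example, not part of the original post or of any respondent's reply: a small Python audit that classifies .rhosts entries such as the "+ <username>" line from the question, so wildcard trust can be found and removed. The function names, the labels, the sample entries and the assumption that home directories sit under one root directory are illustrative.

```python
import os

WILDCARD_LABELS = {"any-host-any-user", "any-host", "any-user"}

def classify_entry(line):
    """Classify one .rhosts line ("host [user]"); None for blank or comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    host, user = (fields + [""])[:2]
    if host.startswith("-") or user.startswith("-"):
        return "deny"
    if host.startswith("+@") or user.startswith("+@"):
        return "netgroup"
    if host == "+" and user == "+":
        return "any-host-any-user"
    if host == "+":
        return "any-host"          # the "+ <username>" form from the question
    if user == "+":
        return "any-user"
    return "named-host"            # still trusts the claimed hostname/IP

def audit_text(text):
    """Return (line_number, entry, label) for every non-comment entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        label = classify_entry(raw)
        if label is not None:
            findings.append((number, raw.strip(), label))
    return findings

def scan_homes(home_root):
    """Map each readable <home_root>/<user>/.rhosts path to its findings."""
    report = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name, ".rhosts")
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                report[path] = audit_text(handle.read())
        except OSError:
            continue  # no .rhosts for this account, or not readable
    return report

# Constructed sample, not taken from any real system.
SAMPLE = "# trusted peers\n+ alice\nbuildhost alice\n+ +\n-badhost\n+@admins\n"

if __name__ == "__main__":
    for number, entry, label in audit_text(SAMPLE):
        print(f"line {number}: {entry!r} -> {label}",
              "[WILDCARD]" if label in WILDCARD_LABELS else "[review]")
```

Run scan_homes() as root against the directory that holds user homes; entries labelled "named-host" are narrower than the wildcard forms but remain subject to the hostname/IP masquerading the respondents describe.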