Summary: .rhosts file in user's home

From: Manjeet Rekhi (
Date: Thu Nov 18 1999 - 15:19:09 CST

All respondents suggested against allowing .rhosts in user's home. Reasons were:
o Anyone can masquerade username to gain access from any host if they can
  defeat firewall.
o Even if + is replaced by hostname/IP address, hackers can masquerade.
o You don't have to be root to cause trouble. You can fill up certain
  filesystems, invoke bogus processes, etc.
o Once in, hackers can find enough weaknesses to gain superuser access on
  your system.

To overcome that, most of the respondents suggested using 'ssh' which can be
found at: (Info) (Info)

Thanks to the following for their quick and comprehensive responses:

David Foster
Duncan Phillips
James Mularadelis
"Boyko, Steve"
Shawn Kondel
Todd Jensen
Adam and Christine Levin
Daniel Muino
gabriel rosenkoetter
Carlo Musante
"Salehi, Michael E"
"Edwards Philip M Ctr AFRL/SNRR"
Jon Bernard
"Timothy Lindgren"
"Reichert, Alan"

------------ Original Question Follows ----------------
Some of the users have a .rhosts file with the following entry:

+ <username>

This lets them log on to other systems w/o getting prompted for the
password (NIS is not used).
What security hazard can it pose to the system(s) if the user is a normal user
(i.e. no super user privileges)?

Thanks and I will summarize.
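
An audit a defender might run after reading this summary, as an added example that is not part of the original post: it classifies every entry in each user's .rhosts, including the `+ <username>` form from the question. The function names, labels and sample entries are constructed for illustration, and treating lines that begin with # as comments is an assumption.

```python
import os

# Constructed sample .rhosts content (not taken from a real system).
SAMPLE = "# trusted hosts\n+ jdoe\nbuild01 jdoe\n+ +\n-oldhost\n"

def classify_entry(line):
    """Label one .rhosts line; None for blank lines and '#' comments (assumed)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    host = fields[0]
    user = fields[1] if len(fields) > 1 else ""
    if host.startswith("-") or user.startswith("-"):
        return "deny"
    if host == "+" and user == "+":
        return "any-user-from-any-host"
    if host == "+":
        return "any-host"      # the "+ <username>" case from the question
    if user == "+":
        return "any-user"
    return "named-host"        # still address-based trust with no password

def audit_text(text):
    """Return (line_number, label, entry) for each line that grants trust."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        label = classify_entry(line)
        if label and label != "deny":
            out.append((n, label, line.strip()))
    return out

def audit_homes(home_dirs):
    report = {}
    for home in home_dirs:
        path = os.path.join(home, ".rhosts")
        try:
            with open(path, errors="replace") as fh:
                found = audit_text(fh.read())
        except OSError:        # no .rhosts here, or not readable: skip
            continue
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    import pwd  # Unix only: home directories come from the passwd database
    for path, found in audit_homes({p.pw_dir for p in pwd.getpwall()}).items():
        for n, label, entry in found:
            print(f"{path}:{n}: {label}: {entry}")
```

Run it as root so every home directory is readable; each reported line is a candidate for removal in favour of ssh, as the respondents recommended.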

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT