All respondents advised against allowing .rhosts in users' home directories. Reasons were:
o Anyone can masquerade username to gain access from any host if they can
o Even if + is replaced by hostname/IP address, hackers can masquerade
o You don't have to be root to cause trouble. You can fill up certain
filesystems, invoke bogus processes, etc.
o Once in, hackers can find enough weaknesses to gain superuser access on
To overcome that, most of the respondents suggested using 'ssh' which can be
Thanks to the following for their quick and comprehensive responses:
David Foster <email@example.com>
Duncan Phillips <firstname.lastname@example.org>
James Mularadelis <email@example.com>
"Boyko, Steve" <SBoyko@nbpower.com>
Shawn Kondel <firstname.lastname@example.org>
Todd Jensen <email@example.com>
Adam and Christine Levin <firstname.lastname@example.org>
Daniel Muino <email@example.com>
gabriel rosenkoetter <firstname.lastname@example.org>
Carlo Musante <email@example.com>
"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>
"Edwards Philip M Ctr AFRL/SNRR" <Philip.Edwards@sn.wpafb.af.mil>
Jon Bernard <firstname.lastname@example.org>
"Timothy Lindgren" <Timothy_Lindgren@enron.com>
"Reichert, Alan" <email@example.com>
------------ Original Question Follows ----------------
Some of the users have a .rhosts file with the following entry:
This allows them to log on to other systems without getting prompted for the
password (NIS is not used).
What security hazard can it pose to the system(s) if the user is a normal user
(i.e. no super user privileges)?
Thanks and I will summarize.
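
An audit sketch for the hazard discussed above, added here as an example and not part of the original post or any respondent's reply: it scans per-user .rhosts files and reports entries that use the "+" wildcard in the host or user field. The function names, the sample users and the sample host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag wildcard trust entries in
# per-user .rhosts files. Entry format is "host [user]"; "+" matches anything.

# classify_rhosts_line LINE: prints skip, explicit, any-host, any-user,
# or any-host-any-user.
classify_rhosts_line() {
    set -f; set -- ${1%%#*}; set +f    # drop comment, split on whitespace
    if [ $# -eq 0 ]; then echo skip; return 0; fi
    case "$1/${2:-}" in
        +/+) echo any-host-any-user ;;
        +/*) echo any-host ;;
        */+) echo any-user ;;
        *)   echo explicit ;;
    esac
}

# audit_rhosts HOMES_ROOT: prints "file:line:class:entry" for each wildcard
# entry under HOMES_ROOT/*/.rhosts; returns 1 if any was found, else 0.
audit_rhosts() {
    found=0
    for f in "$1"/*/.rhosts; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            class=$(classify_rhosts_line "$line")
            case $class in
                any-*) echo "$f:$n:$class:$line"; found=1 ;;
            esac
        done < "$f"
    done
    return "$found"
}

# Constructed sample data: two hypothetical users under a temporary root.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir "$root/alice" "$root/bob"
    printf '%s\n' '# trusted hosts' 'build01 alice' > "$root/alice/.rhosts"
    printf '%s\n' '+ +' 'build02 +' > "$root/bob/.rhosts"
    echo "$root"
}
```

Point `audit_rhosts` at the directory that holds the home directories (for example `audit_rhosts /home`); a non-zero return means at least one wildcard entry was reported.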
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT