Summary: How to enforce official-host-name for rsh/rlogin?

From: Kerr Tung (Kerr_Tung@sabre.com)
Date: Mon Oct 20 1997 - 18:21:26 CDT


My thanks go to David
Thorburn-Gundlach <dtg@cae091.ed.ray.com>, who
answered my question. Problem resolved. The
original question and the answer from David are
forwarded as follows:

attached mail follows:


Kerr --

Kerr Tung wrote:
>
> Hi all,

Hi there!

>
> How do I make a host's official-host-name, i.e.
> abc.def.com be recognized by rsh/rlogin, not the
> nickname abc?

That FQDN must be the first thing that a name lookup will see.

>
> I checked the hostname abc with "nslookup abc" and
> "ypcat hosts |grep abc" and didn't find anything
> different for this host from the other hosts
> defined -- it is defined with both abc.def.com and

Which is first on the line, though?

> abc. However, when I use rsh/rlogin to this
> machine, only the nickname is accepted. I hate to
> add "abc" in the /etc/hosts.equiv or .rhosts to

Yeah; that's not such a good idea.

> just make it work, reasoning that may impose a
> bigger security hole than just having the official
> host name abc.def.com.

You didn't mention your OS, but you mentioned running under YP... If
you're running Solaris, it's fairly easy, though it will completely go
around your YP hosts map (so why bother keeping it up?); mind you, *all*
programs will see DNS first. Just modify /etc/nsswitch.conf to ensure
that "dns" comes before "nis" on the "hosts:" line.

You could also turn your YP hosts map inside out. You probably have
something like this at the moment:

        111.222.333.444 abc abc.def.com

If you want rsh to recognize the remote machine as abc.def.com instead
of abc, you need to have your entries look like

        111.222.333.444 abc.def.com abc

Both of these are because in.rshd/in.telnetd/etcetc all get an IP
address and have to see what host name *the*local*machine* thinks it is;
it makes a call (probably gethostbyaddr, but I'm not enough of a
programmer to know) to its name service(s) to find out what the right
value is, and returns the FIRST thing it finds.

>
> How should I fix this? No flame for using .rhosts
> and hosts.equiv, please.

Hey; I'm with ya ;-)

>
> Thanks,
> Kerr

:-D

-- 
David Thorburn-Gundlach
dtg@cae091.ed.ray.com,david@bae.uga.edu
Raytheon  508/440-2016 or 508/440-2317
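
Added example, not part of the original thread: a small shell audit for the "first name on the line wins" behaviour described in the reply. It reads hosts-format lines on stdin, reports entries where a short nickname precedes the FQDN, and rewrites them FQDN-first. The function names and the SAMPLE map (including its extra addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample map in hosts format: "IP canonical-name aliases..."
SAMPLE='# constructed sample map
111.222.333.444 abc abc.def.com
111.222.333.445 xyz.def.com xyz   # already FQDN first
111.222.333.446 lonely'

# Name a reverse lookup against this map returns for address $1:
# the first name on the first matching line.
canonical_for() {
    awk -v ip="$1" '
        { sub(/#.*/, "") }                     # drop comments
        $1 == ip && NF >= 2 { print $2; exit }
    '
}

# Entries whose first name is a nickname although an FQDN follows it.
# Output per finding: "IP nickname fqdn".
short_name_first() {
    awk '
        { sub(/#.*/, "") }
        NF >= 3 && $2 !~ /\./ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /\./) { print $1, $2, $i; break }
        }
    '
}

# Rewrite those entries so the FQDN is first; other lines pass unchanged.
fqdn_first() {
    awk '
        /^[ \t]*#/ || NF < 3 || $2 ~ /\./ { print; next }
        {
            f = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break           # stop at trailing comment
                if ($i ~ /\./) { f = i; break }
            }
            if (!f) { print; next }
            line = $1 "\t" $f
            for (i = 2; i <= NF; i++) if (i != f) line = line " " $i
            print line
        }
    '
}

printf '%s\n' "$SAMPLE" | short_name_first
```

On a live NIS client the same functions can be fed from `ypcat hosts` instead of the sample, so the map can be checked before trimming nicknames out of hosts.equiv or .rhosts.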



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:06 CDT