SUMMARY rlogind security problem

From: Marc Hansen (mhansen@jcrew.com)
Date: Mon Nov 16 1998 - 10:02:24 CST


Thanks for all the help.

As many people pointed out, the behavior I described is both expected and
documented in the man page of hosts.equiv.

I thought Casper Dik explained the behavior best with these words:

    "You should read /etc/hosts.equiv as something that is prepended
     to every .rhosts file. [If the host aegean's /etc/hosts.equiv contains:]

          peri mhansen

     This line in the /etc/hosts.equiv file means:
     
         mhansen@peri is allowed to log in to aegean as *any* other user.

     That's because everybody's (except root's) .rhosts file now starts with:

          peri mhansen

     This is how /etc/hosts.equiv has always worked."

It seems the overwhelming recommendation is to use ssh instead. I have
used ssh on our web site for two years. I have found it to be stable and it
has exactly the same user syntax as rsh and rlogin. I was just hoping that
I wouldn't need to install it on every other system in the organization.
See the following for ssh info:

        http:\\www.ssh.net
        http:\\www.ssh.org

>Sun Managers:
>
>We seem to have found an interesting security problem with in.rlogind. If
>/etc/hosts.equiv lists a specific host and a specific user then that user is
>allowed to change uid at will using rlogin -l. I get this behavior on
>Solaris 2.6. I am certain that I did not have this behavior on SunOS 4.1.3
>but I no longer have any machines to test it with. I have also tested the
>same situation with HP-UX 10.20 and do not have the problem there.
>
>Yes I know rsh/rlogin isn't that secure, but I always thought my risk was
>limited to attack from people with considerable technical knowledge. Since
>this network is only accessible from inside our building I wasn't too
>worried, until now. Actually I don't need rlogin at all, it's rsh that we
>really use.
>
>First, I thought others should be aware of the security problem. IMHO this
>is a bug. Users should not be allowed to change UID without a password. I
>have opened a service call with Sun. Second, I was wondering if others get
>this behavior and/or have fixed the problem. One solution is to leave the
>second field in /etc/hosts.equiv blank, but then I have opened rsh/rlogin to
>every user from the specified host. At the moment this seems like the lesser
>risk.
>
>Of course I will summarize.
>
>Example 1
>-----------
>
>{root@aegean:1} cat /etc/hosts.equiv
>peri mhansen
>
>
>{mhansen@peri:1} rlogin -l igrant aegean
>Last login: Thu Nov 12 11:14:10 from 10.2.150.215
>{igrant@aegean:1}
>
>
>Example 2
>-----------
>{root@aegean:3} cat /etc/hosts.equiv
>peri
>
>{mhansen@peri:2} rlogin -l igrant aegean
>Password:
>Login incorrect
>
>
>BTW, there are no ~/.rhosts files on the host aegean
>

--
Marc
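
The trust rule Casper Dik describes above, as an added example that is not part of the original message: a simplified Python model of the "prepended to every .rhosts" behaviour, run against the two /etc/hosts.equiv files from the quoted examples. The function names are hypothetical, and the model assumes plain "host" and "host user" lines only ("+" wildcards, "-" entries and netgroups are not handled).

```python
# Simplified model of the rlogind/rshd trust decision described in this
# thread. Assumption: only plain "host" and "host user" lines are handled.

EXAMPLE_1 = "peri mhansen\n"   # aegean's /etc/hosts.equiv in Example 1
EXAMPLE_2 = "peri\n"           # aegean's /etc/hosts.equiv in Example 2


def parse(text):
    """Split hosts.equiv/.rhosts text into (host, user-or-None) pairs."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def entry_allows(entry, remote_host, remote_user, local_user):
    host, user = entry
    if host != remote_host:
        return False
    if user is None:
        # Host-only line: trusted only when the login names match.
        return remote_user == local_user
    # Named-user line: the local account being requested is never compared.
    return user == remote_user


def passwordless(remote_host, remote_user, local_user, equiv_text, rhosts_text=""):
    """True if the request would be accepted without a password."""
    entries = parse(rhosts_text)            # local_user's own ~/.rhosts
    if local_user != "root":                # hosts.equiv is skipped for root
        entries = parse(equiv_text) + entries
    return any(entry_allows(e, remote_host, remote_user, local_user)
               for e in entries)


def audit(equiv_text):
    """hosts.equiv lines with a user field: each one lets that remote user
    log in as every non-root local account."""
    return [e for e in parse(equiv_text) if e[1] is not None]


if __name__ == "__main__":
    print(passwordless("peri", "mhansen", "igrant", EXAMPLE_1))  # Example 1
    print(passwordless("peri", "mhansen", "igrant", EXAMPLE_2))  # Example 2
    print(audit(EXAMPLE_1))
```

Running audit() over a copy of each host's /etc/hosts.equiv lists the lines that need review before rsh/rlogin is left enabled.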


