Summary: .rhosts file in user's home

From: Manjeet Rekhi (Manjeet.Rekhi@Kellogg.com)
Date: Thu Nov 18 1999 - 15:19:09 CST


All respondents advised against allowing .rhosts files in users' home directories. Reasons were:
o Anyone can masquerade as the username to gain access from any host if they can
defeat the firewall.
o Even if + is replaced by a hostname/IP address, hackers can spoof the
hostname/IP address.
o You don't have to be root to cause trouble. You can fill up certain
filesystems, invoke bogus processes, etc.
o Once in, hackers can find enough weaknesses to gain superuser access on
your system.

To overcome that, most of the respondents suggested using 'ssh', which can be
found at:

        ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.25.tar.gz
        ftp://ftp.gw.com/pub/unix/ssh
        http://www.sdsc.edu/projects/ssh/ssh.html (Info)
        http://www.npaci.edu/Security (Info)
        http://www.ssh.net
        http://www.ssh.org

Thanks to the following for their quick and comprehensive responses:

David Foster <foster@dim.ucsd.edu>

Duncan Phillips <dphillip@halfdome.acs.uci.edu>

James Mularadelis <james.mularadelis@bms.com>

"Boyko, Steve" <SBoyko@nbpower.com>

Shawn Kondel <shawnk@sunfs.math.usu.edu>

Todd Jensen <jensen@erim-int.com>

Adam and Christine Levin <levins@westnet.com>

Daniel Muino <dmuino@afip.gov.ar>

gabriel rosenkoetter <gr@cs.swarthmore.edu>

Carlo Musante <carlo@ucomm.wayne.edu>

kevin@joltin.com

"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>

"Edwards Philip M Ctr AFRL/SNRR" <Philip.Edwards@sn.wpafb.af.mil>

Jon Bernard <jbber@src.uchicago.edu>

"Timothy Lindgren" <Timothy_Lindgren@enron.com>

daniel.polombo@detexis.thomson-csf.com

"Reichert, Alan" <aareichert@tasc.com>

------------ Original Question Follows ----------------
Some of the users have .rhosts file with following entry:

+ <username>

This allows them to log on to other systems without being prompted for the
password (NIS is not used).
What security hazard can it pose to the system(s) if the user is a normal user
(i.e. no superuser privileges)?

Thanks and I will summarize.
...Manjeet
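The entry discussed above, "+ <username>", trusts every host that claims to present that username, which is why the respondents recommend removing it. As an added example that is not part of the original summary or any respondent's reply, the script below walks a tree of home directories, classifies each line of every .rhosts file it finds (wildcard host, wildcard user, netgroup, deny, explicit), counts the wildcard entries, and flags files that are writable by others. It assumes a POSIX sh with the standard sed, find and mktemp utilities; the home directory root, the function names and the two sample .rhosts files created for the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit .rhosts files under a home
# directory tree and flag the wildcard trust entries the summary warns about.
# Assumes POSIX sh plus sed, find and mktemp; the sample files created at the
# bottom are constructed for the demo, not taken from a real host.

# rhosts_classify LINE
# Prints how one .rhosts line grants trust:
#   deny           -host (or -user) entry, explicitly refuses access
#   wildcard-host  "+ user" or a bare "+": any host may log in as that user
#   wildcard-user  "host +": any user on that host may log in
#   netgroup       an @group entry resolved via NIS/netgroup
#   explicit       a plain host [user] pair
#   empty          blank line or comment
rhosts_classify() {
    entry=$(printf '%s\n' "$1" | sed 's/#.*//')
    set -- $entry                      # split the line into host and user fields
    [ $# -eq 0 ] && { echo empty; return 0; }
    host=$1; user=${2:-}
    case $host in
        -*) echo deny; return 0 ;;
    esac
    if [ "$host" = "+" ]; then
        echo wildcard-host
    elif [ "$user" = "+" ]; then
        echo wildcard-user
    else
        case "$host $user" in
            *@*) echo netgroup ;;
            *)   echo explicit ;;
        esac
    fi
}

# rhosts_risky_count FILE
# Prints the number of lines in FILE that trust any host or any user.
rhosts_risky_count() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $(rhosts_classify "$l") in
            wildcard-host|wildcard-user) n=$((n + 1)) ;;
        esac
    done < "$1"
    echo "$n"
}

# audit_rhosts HOMEROOT
# For every HOMEROOT/<user>/.rhosts prints: user, path, wildcard count, and
# whether the file is writable by others (rlogind/rshd ignore such a file, but
# it still shows that someone other than the owner could edit the trust list).
audit_rhosts() {
    homeroot=${1:-/home}
    for dir in "$homeroot"/*; do
        f="$dir/.rhosts"
        [ -f "$f" ] || continue
        risky=$(rhosts_risky_count "$f")
        perm=ok
        [ -n "$(find "$f" -perm -002)" ] && perm=world-writable
        printf '%s\t%s\t%s\t%s\n' "$(basename "$dir")" "$f" "$risky" "$perm"
    done
}

# Demo on constructed sample data: one user with the "+ <username>" entry from
# the question, one user with an explicit host and a netgroup entry.
demo=$(mktemp -d)
mkdir -p "$demo/alice" "$demo/bob"
printf '+ alice\n' > "$demo/alice/.rhosts"
printf '# trusted build box\nbuild.example.com bob\n@admins\n' > "$demo/bob/.rhosts"
audit_rhosts "$demo"
rm -rf "$demo"
```

Running it against a real host is just `audit_rhosts /home` (or whatever the home root is); any file with a non-zero count in the third column is one that lets a forged hostname or spoofed address log in without a password, and the fix the respondents recommend is to delete the entry and move the user to ssh with key-based authentication.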



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT