topic Re: .rhost file in users home directories in Operating System - HP-UX

.rhost file in users home directories

Paul Winchcombe — Wed, 13 Feb 2002 10:22:11 GMT

Sorry if this question has been asked before.

I have a need to to allow only a few non root users to rlogin to a host. The users that aren't allowed to rlogin I wish to have a root owned .rhosts file in the users home directory. Trouble is the user if they wish can remove the root owned .rhosts file because it's in a directory they own.

I could add an entry in the .profile to see how the user logged in (different tty types)

Regards

Paul

Re: .rhost file in users home directories

Steve Steel — Wed, 13 Feb 2002 10:30:46 GMT

Hi

try

hosts.equiv(4) hosts.equiv(4)

NAME
hosts.equiv, .rhosts - security files authorizing access by remote
hosts and users on local host

DESCRIPTION
The /etc/hosts.equiv file and files named .rhosts found in users' home
directories specify remote hosts and users that are "equivalent" to
the local host or user. Users from equivalent remote hosts are
permitted to access a local account using rcp or remsh or to rlogin to
the local account without supplying a password (see rcp(1), remsh(1),
and rlogin(1)). The security provided by hosts.equiv is implemented
by the ruserok() library routine, (see rcmd(3N)).

In this description, hostequiv means either the system
/etc/hosts.equiv file or the user .rhosts file. Note that .rhosts
must be owned by the user in whose home directory it is found and it
must not be a symbolic link. The /etc/hosts.equiv file defines
system-wide equivalency, whereas a user's .rhosts file defines
equivalency between the local user and any remote users to whom the
local user chooses to allow or deny access.

Steve Steel

Re: .rhost file in users home directories

Volker Borowski — Wed, 13 Feb 2002 10:37:30 GMT

Hi Paul,

from "man rlogind":

... fails, login(1) prompts the user with the normal login sequence. The -l option to rlogind prevents any authentication based on the user's .rhosts file unless the user is logging in as super-user. ....

So if you reconfigure inetd.conf, you could make rlogind only work with /etc/rhosts and /etc/hosts.equiv, it will simply ignore $HOME/.rhosts

Hope this helps
Volker

Re: .rhost file in users home directories

Deepak Extross — Wed, 13 Feb 2002 11:10:18 GMT

Suggest you stick to the /etc/rhosts and /etc/hosts.equiv files rather than getting into user's home directories.

In fact, since you dont want other users to rlogin to the machine, you should have a policy expressly forbidding any user from having a $HOME/.rhosts file. You may want to run a small script weekly or so, to search for user-created .rhosts files and delete them.

Re: .rhost file in users home directories

Darrell Allen — Wed, 13 Feb 2002 14:05:09 GMT

Hi Paul,

I presume you want to allow rlogin without a password. If not, you don't need to use .rhosts nor /etc/hosts.equiv. I'd also remove the "r" services from /etc/inetd.conf.

You may want to use /var/adm/inetd.sec to limit the IP addresses a service will allow connections from.

When I've used /etc/hosts.equiv, I did chown root:sys and chmod 000 on it.

Darrell

Re: .rhost file in users home directories

Paul Winchcombe — Wed, 13 Feb 2002 17:46:46 GMT

Thanks for all the info but I think I may have misled you all.

If root creates a .rhost file in my home directory /home/paulw/ preventing me from rlogin/remsh into the box without a password. I as user paulw can remove the .rhost file even though it is created and owned by root.
I understand that I can prevent the use of users .rhost file by editing the inetd.conf file but I want to allow some users to rlogin and other not to. I also cannot be sure of where the user will login from. I.E. the ip address of the remote machine is unknown.

So basically ignoring r-services for a moment.

How can a root user write a file to a users home directory and prevent that user from moving/deleting the file when the directory is owned by that user.

I've tried looking at acl but I think this is just for hfs filesytems.

or am I asking the impossible.

Re: .rhost file in users home directories

T. M. Louah — Wed, 13 Feb 2002 18:27:58 GMT

May be you need to take a look at SSH. You get encrypted "equivalents" of telnet, ftp and more. Using OpenSSH, you can have automated cron scripts connecting to other UNIX box without keeping a password (or unencrypted private key) on disk.
You can try secure shell, obtain openssh and the other required pieces (i.e. zlib, perl, etc.) at http://hpux.cs.utah.edu/ in depot format for HP-UX 11 No compile process needed. Just do the whole thing through swinstall. I'd visit the www.openssh.com as well to get some background information. Having said that ssh is not an HP product... !!
other resources:
You can look at SSH Case studies at http://www.unixreview.com/books/book_preview9.shtml for examples of smart SSH usage.

g'd luck
t++

Re: .rhost file in users home directories

Bill Thorsteinson — Wed, 13 Feb 2002 19:49:54 GMT

Modify your inetd.conf file and add the -l option to the r* services. This will disable .rhosts files. Add the approved users to the file /etc/hosts.equiv. Other users will still be able to use the r* services but will have to provide passwords.

If you have tcp wrappers enabled, you have better ability to restrict access to the r*. This includes restrictions by user and host.

As noted above ssh (secure shell) may be a better option.

Re: .rhost file in users home directories

Darrell Allen — Wed, 13 Feb 2002 19:57:13 GMT

Just came back and looked at this again. Volker (and Bill) have the answer: configure rlogin to ignore user .rhosts files (except for superuser). That way it doesn't matter what the users put in their .rhosts.

Darn good answer. Never had tried it.

Darrell