topic Re: RLOGIN in Operating System - HP-UX

RLOGIN

Nobody's Hero — Thu, 18 Jul 2002 12:01:21 GMT

How can I turn off the rlogin option for all users except root?

Re: RLOGIN

Pete Randall — Thu, 18 Jul 2002 12:05:09 GMT

If you remove /etc/hosts.equiv and put a /.rhosts entry in root's home directory on each server (and make sure that no users have .rhosts entries), that should do it.

Pete

Re: RLOGIN

steven Burgess_2 — Thu, 18 Jul 2002 12:10:57 GMT

Hi

Just have an entry in roots home directory .rhosts

depending on where you are going to allow oot to log in from

+ from all sites
for just a single host

HTH

Steve

Re: RLOGIN

Sanjay_6 — Thu, 18 Jul 2002 12:17:09 GMT

Hi,

Just have root user name in the .rhosts file for the system you are doing rlogin from. say you are logging from host1 to host2. on host2 edit .rhosts file and then have this entry,

host1 root

and have this entry in /etc/hosts.equiv file on host2,

host1

Hope this helps.

Regds

Re: RLOGIN

Nobody's Hero — Thu, 18 Jul 2002 12:21:47 GMT

Then, won't any user be able to create a .rlogin file and then resume to using rlogin?

Re: RLOGIN

Peter Kloetgen — Thu, 18 Jul 2002 12:27:10 GMT

Hi Robert,

you need a .rhosts file in roots home directory, as allready mentioned, and to be sure that no other user can use rlogin, you can take the following cron job:

0 0 * * * find /home -name ".rhosts" -exec rm {} \;

This will automatically delete .rhosts files which a user creates in his home directory each night.

One more thing: rlogin as root is a security hole in my opinion, because no password is required. So you just have to get into the network ..... and you are root.

Allways stay on the bright side of life!

Peter

Re: RLOGIN

Shannon Petry — Thu, 18 Jul 2002 12:35:13 GMT

Well, I dont think you can do what you want to do unless you convert to a trusted system, and even that is a maybe.

The /etc/hosts.equiv file and $HOME/.rhosts file only allow entries from whence a user does not have to enter a password.

Removing either of these files WILL NOT disable the ability to rlogin to that system. It will only make them have to enter a password when they do rlogin.

Standard HP-UX will allow you to enter hosts which can access inetd services by modifying the /var/adm/inetd.sec file. IMHO securing the system to your IP allowed for remsh may give you the effect you desire.

There is an add/on package called TCP-Wrappers available for all Unices which will grant/deny based on user/group/host/network/domain who can access services of inetd.

Regards,
Shannon

Re: RLOGIN

Pete Randall — Thu, 18 Jul 2002 12:40:13 GMT

Just a couple further thoughts:

1) Yes, it's regarded as a security risk - but if you list hosts explicitly in the .rhosts file, then only those hosts you trust can use the "r"commands.

2) If you use the hostname username format and list only root, then other users won't be allowed, and if they can't get here to start with, they can't put an .rhosts file in the home directory they would have to have on this particular server under their user account that they would have to have on this particular server.

Of course, I may be way off base but I think in very limited circumstances this can be a safe and useful technique.

Pete