https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072660#M751419 None of the Berkley port 512 r-protocols are secure. They pass authentication information in a inscure way.<BR /><BR />They are to be avoided, especially on systems that are exposed to the Internet.<BR /><BR />Most of the Berkley protocols are replaced by secure shell<BR /><BR />I'm more familiar with <BR />remesh ssh<BR />rcp scp<BR />ftp sftp<BR /><BR />Than rexec.<BR /><BR />SEP Tue, 16 Sep 2003 19:49:07 GMT Steven E. Protter 2003-09-16T19:49:07Z https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072659#M751418 One of our software packages is coming out with a JAVA based GUI release. They need to use rexec. If I set it up on a different port thna 512, are there any other concerns I should have using it? I have read some postings and I'm not sure of I should be concerned. Thanks.<BR />Richard Tue, 16 Sep 2003 19:43:16 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072659#M751418 Richard Darling 2003-09-16T19:43:16Z https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072660#M751419 None of the Berkley port 512 r-protocols are secure. They pass authentication information in a inscure way.<BR /><BR />They are to be avoided, especially on systems that are exposed to the Internet.<BR /><BR />Most of the Berkley protocols are replaced by secure shell<BR /><BR />I'm more familiar with <BR />remesh ssh<BR />rcp scp<BR />ftp sftp<BR /><BR />Than rexec.<BR /><BR />SEP Tue, 16 Sep 2003 19:49:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072660#M751419 Steven E. Protter 2003-09-16T19:49:07Z https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072661#M751420 Hi Richard,<BR /><BR />The reason why 'rexec' is treated as a security vulneragbility is that the password flows in cleartext as well it may tempt users to keep their login names and passwords in text files like .netrc.<BR /><BR />You will really gain a little by moving them to a different port as both the above issues are still there. <BR /><BR />-Sri Tue, 16 Sep 2003 19:52:16 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072661#M751420 Sridhar Bhaskarla 2003-09-16T19:52:16Z https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072662#M751421 Hi,<BR /><BR />If the rexec client and rexec server resides on the same vlan (subnet) on a switch, then minimal risk is with cleartext messages being sniffed only either at the client or at the server.<BR /><BR />If the rexec client can reside anywhere on the Internet and its traffic is not tunnelled over VPN, SSH or SSL, then you are exposed to a much high risk of your traffic being sniffed anywhere on the Internet along the traffic route. Man-in-the-middle attacks can be performed against your rexec traffic, resulting in loss of both confidentiality and integrity of your information.<BR /><BR />Ideally, your Java based GUI should use ssh instead of rexec to execute commands remotely. With public key pairs properly set on both client and server, ssh commands can be executed without any need to login.<BR /><BR />If it is legacy or proprietary to use rexec, then tunnel it over SSH (openssh) or SSL (stunnel) or HTTPS (since this is a JAVA-based client). One less elegant workaround would be to run rexec as a wrapper script to ssh and rexecd as a wrapper deamon to sshd.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Wed, 17 Sep 2003 03:02:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-concerns-with-rexec/m-p/3072662#M751421 Steven Sim Kok Leong 2003-09-17T03:02:46Z