HPE Community
Operating System - HP-UX
1832897 Members
2986 Online
110048 Solutions
New Discussion

Re: looking for a trick to allow rlogin but not remsh

 
SOLVED
Go to solution
Marc Ahrendt
Super Advisor

‎02-23-2005 10:06 AM

‎02-23-2005 10:06 AM

looking for a trick to allow rlogin but not remsh

i want a remote user to be able to rlogin to hostB as frog without asking for a password but was wondering if their was a trick to prevent remsh from working ...since it too reads the .rhosts

"rlogin hostB -l frog" works as desired but i want to find a way to make "remsh hostB -l frog" to fail ...is there a way?

i need this feature because the account is "captive" and works great for my application BUT do not want the environment to be hacked via remsh

thx, marc
hola
0 Kudos
8 REPLIES 8
Denver Osborn
Honored Contributor

‎02-23-2005 10:14 AM

‎02-23-2005 10:14 AM

Re: looking for a trick to allow rlogin but not remsh

Have you considered using ssh instead?

-denver
0 Kudos
Con O'Kelly
Honored Contributor

‎02-23-2005 10:33 AM

‎02-23-2005 10:33 AM

Re: looking for a trick to allow rlogin but not remsh

Hi Marc

I'd agree with Denver and look at using SSH. Using .rhosts and 'r' services presents a big security risk.
You can set up SSH to use Publickey authentication so you don't need to enter passwords. You'll have the same functionality as rlogin but far more secure.

Having said that if you want to use rlogin but not remsh, you can disable remsh in /etc/inetd.conf and then run inetd -c to pick up the changes.

Cheers
Con
0 Kudos
Marc Ahrendt
Super Advisor

‎02-23-2005 10:38 AM

‎02-23-2005 10:38 AM

Re: looking for a trick to allow rlogin but not remsh

i cannot use ssh in this particular situation but even if i could, wouldn't i have the same issue? slogin = rlogin and slogin = remsh ...or does slogin not act like remsh when using as "slogin frog@hostB uname -a" by bypassing the .profile?

regardless, i am stuck for the moment with thr r* commands
hola
0 Kudos
Marc Ahrendt
Super Advisor

‎02-23-2005 10:42 AM

‎02-23-2005 10:42 AM

Re: looking for a trick to allow rlogin but not remsh

Con, my concern about modifying /etc/inetd.conf is that it is global ...and will impact more than user frog

i am looking for something that will only prevent remsh from accessing frog@hostB yet allow rlogin access. i do know that rlogin and remsh act differently when accessing the remote account ...so hoping there is a way to exploit that, but not sure how
hola
0 Kudos
Biswajit Tripathy
Honored Contributor

‎02-23-2005 11:20 AM

‎02-23-2005 11:20 AM

Re: looking for a trick to allow rlogin but not remsh

If I understand correctly, you want to allow rlogin
and block remsh into a system. One way to do this
would be to use IPFilter. Configure following IPFilter
rules:

$ /sbin/ipf -Fa -f -
pass in quick proto tcp from any to any port = 513
block in quick proto tcp from any to any port = 514
^D

- Biswajit
:-)
0 Kudos
Biswajit Tripathy
Honored Contributor

‎02-23-2005 11:23 AM

‎02-23-2005 11:23 AM

Re: looking for a trick to allow rlogin but not remsh

One small correction. Since you want to block remsh
only from hostB, change the IPFilter rules to following:
---
pass in quick proto tcp from hostB to any port = 513
block in quick proto tcp from hostB to any port = 514
----

replace hostB with host B's IP address or hostname.

- Biswajit
:-)
0 Kudos
Elmar P. Kolkman
Honored Contributor

‎02-23-2005 05:29 PM

‎02-23-2005 05:29 PM

Solution

Re: looking for a trick to allow rlogin but not remsh

I'm sorry, but that is not possible...
remsh will use the rlogind when no command is used...
This is from the manual page of remsh:
If command, is not specified, instead of executing a single command, you will be logged in on the remote host using rlogin (see rlogin(1)).

So, unless you specify commands remsh should run on the other side, it is not possible to distinguish on that side of the connection with what command it was established... Sorry.


Good luck,

Elmar

Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Marc Ahrendt
Super Advisor

‎02-24-2005 04:47 AM

‎02-24-2005 04:47 AM

Re: looking for a trick to allow rlogin but not remsh

thx Biswajit, i will look into IPF at some point ...just cannot add additional sooftware at this time

thx Elmar, i was hoping for something but was prepared for an answer like yours ...thx for the feedback
hola
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.