HPE Community
Operating System - HP-UX
1833043 Members
2273 Online
110049 Solutions
New Discussion

R-services

 
SOLVED
Go to solution
Nobody's Hero
Valued Contributor

‎04-20-2006 05:03 AM

‎04-20-2006 05:03 AM

R-services

For security purposes, our policy is to disable all R-services, in conjunction with an /etc/hosts.equiv file,like, rlogin,remsh,rexec..etc. Is there any alternative?

Any recommendations?
UNIX IS GOOD
0 Kudos
Reply
13 REPLIES 13
harry d brown jr
Honored Contributor

‎04-20-2006 05:10 AM

‎04-20-2006 05:10 AM

Re: R-services

An alternative to not disabling the R-commands? or an alternate way to do the same, like with ssh?

live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
Nobody's Hero
Valued Contributor

‎04-20-2006 05:19 AM

‎04-20-2006 05:19 AM

Re: R-services

Harry, so let me say, specifically, rexec, If I neede to keep it, what could I use in its place? ssh? Is ssh a secure package that includes rexec and other R-services ?
UNIX IS GOOD
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎04-20-2006 05:19 AM

‎04-20-2006 05:19 AM

Re: R-services

Robert,

You should take a look at ssh:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA


Pete

Pete
0 Kudos
Reply
Nobody's Hero
Valued Contributor

‎04-20-2006 05:23 AM

‎04-20-2006 05:23 AM

Re: R-services

If I use ssh, is there a way to further ensure that the /etc/hosts.equiv file gets protected, besides applying proper perms?
UNIX IS GOOD
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎04-20-2006 05:34 AM

‎04-20-2006 05:34 AM

Solution

Re: R-services

ssh is secured differently. Have a look at this:

http://www.faqs.org/docs/linux_network/x-087-2-appl.remote.html

rexec is similar to remsh.

live free or die
harry d brown jr
Live Free or Die
Reply
Pete Randall
Outstanding Contributor

‎04-20-2006 05:37 AM

‎04-20-2006 05:37 AM

Re: R-services

Robert,

I don't use Secure Shell myself, but I believe that the need for having the hosts.equiv file would be eliminated. Perhaps this faq would help:

http://docs.hp.com/en/6073/FAQ-SSH.pdf


Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎04-20-2006 05:44 AM

‎04-20-2006 05:44 AM

Re: R-services

Actually the Release Notes offer a list of the available commands with a brief explanation:

http://docs.hp.com/en/T1471-90019/T1471-90019.pdf

I'm sorry for stringing this out - if I had been thinking clearer, I could have put it all in one post.


Pete

Pete
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎04-20-2006 05:57 AM

‎04-20-2006 05:57 AM

Re: R-services

Robert,

You policy is sound and openssh/Secure Shell replaces ALL the functionality.

openssh is free as are good windows/linux gui clients.

I'm teseting firezilla right now. Top notch.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎04-20-2006 12:54 PM

‎04-20-2006 12:54 PM

Re: R-services

When you disable the r-commands, you remove all .rhosts files AND hosts.equiv and turn them off in inetd.conf. ssh will accomplish what you want -- the ability to run a remote command without a password from either the command line or from a script. You establish the trust relationship between the machines with keys.


Bill Hassell, sysadmin
0 Kudos
Reply
Mike Kerns
New Member

‎04-21-2006 02:56 AM

‎04-21-2006 02:56 AM

Re: R-services

I'd heard a recommendation that instead of removing the hosts.equiv and .rhosts, to create a link to replace them.

# cd /home/whoever
# ln -s /dev/null .rhosts
# ll
lrwxr-x--- 1 root sys 9 Apr 21 07:51 .rhosts -> /dev/null

This supposedly would prevent anyone from creating a .rhosts file. Any thoughts on problems this might present?

TIA,

Mike
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎04-21-2006 03:10 AM

‎04-21-2006 03:10 AM

Re: R-services

The suggestion to link .rhosts to /dev/null is cute but won't stop anyone from creating their own .rhosts in their HOMAE directory. Even if you create a file or link owned by root and set the permission to 000, the user can delete the file or link. That's because the EXISTENCE of a file has nothing to do with the file's permission. The file exists (and can be renamed, moved or removed) because of the directory's permissions.

Now it's true that you can set the sticky bit on the user's HOME directory (ie, chmod 1755 /home/some_user) and now a user can't move or remove files that are not owned by the current login. But that is a behind_the_door solution to what is a social problem. If all users are officially notified that .rhosts is not allowed in any HOME directory then a daily scan will reveal who needs a conference with management about future employment.

Security is only as strong as it's weakest link. And along that line, simply disabling the r-series daemons in inetd.conf removes the issue completely.


Bill Hassell, sysadmin
0 Kudos
Reply
Mike Kerns
New Member

‎04-21-2006 03:58 AM

‎04-21-2006 03:58 AM

Re: R-services

That makes sense, thanks Bill!

Mike
0 Kudos
Reply
Haralambos
Advisor

‎04-21-2006 08:12 AM

‎04-21-2006 08:12 AM

Re: R-services

Ok, here is what I know.

'r' commands are not secure as they can be prone to ip spoofing. ssh helps with that by providing the so called HostbasedAuthentication; see sshd_config man pages. HostbasedAuthentication when enabled works just like the 'r' commands but ofcourse using the ssh command. To enable it you set this keyword to yes, both on the ssh server and the client. Also you need to define your trusted clients in either /etc/hosts.equiv and/or /opt/ssh/etc/shosts.equiv and/or the $HOME/.rhosts. BE AWARE that if you use the /etc/hosts.equiv you enable by default both the 'r' commands as well the the host based authentication via ssh.

But, even host authentication is not good and is considered the weakest gorm of authentication.

The best way is to use either password and or PublickeyAuthentication. PublickeyAuthentication is the best and if you use it with passphrase-less keys you can simulate the behavior of the 'r' commands via ssh.
But, once more the BEST authentication method is to use passphrase protected keys.

GOOD LUCK.

Haralambos
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.