Operating System - HP-UX
1833912 Members
2979 Online
110063 Solutions
New Discussion

remsh to localhost / security issue?????

 
SOLVED
Go to solution
someone_4
Honored Contributor

remsh to localhost / security issue?????

Hey everyone,
We have a developer that has a script that he wants to run from one server to collect informaton from the other servers. To me this was an odd request. But he says that he wants the server to remsh to its self because he doesnt want to go back and rewrite the script for it to just run the commands local. Is there a security issue with this??
Maybe its just me but to me it just doesnt sounds right..

Thanks
~ Richard
6 REPLIES 6
Bill Hassell
Honored Contributor

Re: remsh to localhost / security issue?????

What you describe will do nothing. remsh to yourself isn't going to collect any information, so it's pointless. In order to collect the remote information (assuming the server is in charge) will require all the other machines to allow access. There are many other techniques that are more manageable and secure--but will require new scripting.


Bill Hassell, sysadmin
someone_4
Honored Contributor

Re: remsh to localhost / security issue?????

Hello
Mr. Bill ..
I think I was misunderstood.
We have a server Athena that runs a script that collects data via remote shell from other servers. That part works fine. But he wants Athena to trust Athena .. So he can remote shell from Athena to Athena ..

~ Richard
MANOJ SRIVASTAVA
Honored Contributor
Solution

Re: remsh to localhost / security issue?????

remsh to lcoal host being done by the user is not a security issue ,so long as it is the same user.


Manoj Srivastava
uri_1
Advisor

Re: remsh to localhost / security issue?????

you should be more worried about remsh to REMOTE computers as a security issue.
especially if the user is root.
consider using ssh.
Pete Randall
Outstanding Contributor

Re: remsh to localhost / security issue?????

Richard,

You're going to have to set up /etc/hosts.equiv or .rhosts if you haven't already. You should be restrictive in the way you do this - trust expicit hosts/users so you minimize security risks. Once that's done, it shouldn't be a problem.

Pete

Pete
Andrew Cowan
Honored Contributor

Re: remsh to localhost / security issue?????

Richard,

Think VERY carefully before opening any remsh or r?? ports on any machines. Do you trust all the users on this machine? If this machine is publically accessible you could be leaving yourself open to several subtle attacks. E.g. If this user (with remsh) has lax permissions in their home directory, a clever hacker can add files such as a false ".profile", that can be used to open up other attack routes. Also if the remsh user's password is easily guessed or he/she can be shoulder surfed, another internal user can also craft attacks.

The best way to run remote commands is to install OpenSSH, create a common user (not root) on all machines, assign it a key pair and use ssh to execute commands (without requiring a password). If a remote command needs priveliged access create a captive SSH user or a setuid script on the remote system. This is much more difficult to attack as all transmissions are encryped.
Remember r?? commands rely on the IP address to verify the caller, and that is the easiest thing in the world to fake.