
rlogin sec hole

Raul_10
Occasional Contributor

I've got a customer who is disabling a user by typing an * in the passwd field of /etc/passwd, and when he enables another host in .rhosts of the $HOME directory of this user to access the machine with rcommands, he discovers (oh surprise!) that he can log in from that server without passwd confirmation, of course.

This happens only on his 11.00 L2000 and N4000 machines; on 10.20 machines he gets the message "account disabled", as I think he should.

I've searched kmine for this sec hole, and I've found that some patches of very old HP-UX introduced this same problem, but it was resolved in 10.20. Is it possible that we have introduced this gap again?

Does anybody else have this problem?

Thanks
W.L. Garner
New Member

Re: rlogin sec hole

Raul,

To completely disable an account, not only should you put an '*' in the password field, but you must also remove the shell (/bin/sh) and replace it with something non-functional, like /etc/false.

When you 'rlogin', as you know, the system consults the .rhosts file. If the user's .rhosts file allows unauthenticated access, the password is never examined. The insertion of an '*' in that field is simply a means of inserting a non-decrypting entry. The '*' character is not defined in the login/authentication routines as a means of disabling an account. Consequently, the behaviour you have seen is not actually a bug, but is the result of incompletely disabling an account.