
RLOGIN

 
Nobody's Hero
Valued Contributor

RLOGIN

How can I turn off the rlogin option for all users except root?
UNIX IS GOOD
7 REPLIES
Pete Randall
Outstanding Contributor
Solution

Re: RLOGIN

If you remove /etc/hosts.equiv and put a /.rhosts entry in root's home directory on each server (and make sure that no users have .rhosts entries), that should do it.

Pete

steven Burgess_2
Honored Contributor

Re: RLOGIN

Hi

Just have an entry in root's home directory .rhosts

depending on where you are going to allow root to log in from

+ from all sites
for just a single host

HTH

Steve
take your time and think things through
Sanjay_6
Honored Contributor

Re: RLOGIN

Hi,

Just have root user name in the .rhosts file for the system you are doing rlogin from. Say you are logging in from host1 to host2. On host2, edit the .rhosts file and then have this entry,

host1 root

and have this entry in /etc/hosts.equiv file on host2,

host1

Hope this helps.

Regds
Nobody's Hero
Valued Contributor

Re: RLOGIN

Then, won't any user be able to create a .rlogin file and then resume using rlogin?
UNIX IS GOOD
Peter Kloetgen
Esteemed Contributor

Re: RLOGIN

Hi Robert,

You need a .rhosts file in root's home directory, as already mentioned, and to be sure that no other user can use rlogin, you can use the following cron job:

0 0 * * * find /home -name ".rhosts" -exec rm {} \;

This will automatically delete .rhosts files which a user creates in his home directory each night.

One more thing: rlogin as root is a security hole in my opinion, because no password is required. So you just have to get into the network ..... and you are root.

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
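
A read-only variant of the nightly `find` in the post above, as an added example that is not part of the thread: it reports per-user .rhosts files, `+` wildcard entries and non-root names in root's .rhosts instead of deleting anything. The function names, report labels and sample tree are constructed for illustration, and the paths you pass in are assumptions about your own system.

```shell
#!/bin/sh
# Added example: read-only audit of r-command trust files (not from the thread).

# check_entries FILE: flag "+" wildcards in the host or user field.
check_entries() {
    awk -v f="$1" '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        $1 == "+" || $2 == "+" { print "WILDCARD " f ": " $0 }
    ' "$1"
}

# audit_rhosts HOME_ROOT ROOT_RHOSTS HOSTS_EQUIV
audit_rhosts() {
    home_root=$1; root_rhosts=$2; hosts_equiv=$3
    # Same search as the cron job, but it only reports what it finds.
    find "$home_root" -name .rhosts -type f | sort | while read -r f; do
        echo "USER_RHOSTS $f"
        check_entries "$f"
    done
    if [ -f "$hosts_equiv" ]; then
        echo "HOSTS_EQUIV $hosts_equiv"
        check_entries "$hosts_equiv"
    fi
    if [ -f "$root_rhosts" ]; then
        check_entries "$root_rhosts"
        # A "host user" line naming anyone but root trusts that remote user as root.
        awk -v f="$root_rhosts" '
            /^[ \t]*#/ || NF == 0 { next }
            NF >= 2 && $2 != "root" && $2 != "+" {
                print "NONROOT_IN_ROOT_RHOSTS " f ": " $0
            }
        ' "$root_rhosts"
    fi
}

# make_sample: build a constructed tree so the audit can run offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/etc" "$d/roothome"
    printf 'host1 alice\n' > "$d/home/alice/.rhosts"
    printf '+ +\n' > "$d/home/bob/.rhosts"
    printf 'host1\n' > "$d/etc/hosts.equiv"
    printf '# admin host\nhost1 root\nhost1 operator\n' > "$d/roothome/.rhosts"
    echo "$d"
}

sample=$(make_sample)
audit_rhosts "$sample/home" "$sample/roothome/.rhosts" "$sample/etc/hosts.equiv"
rm -rf "$sample"
```

On a real host the three arguments would be the home directory root, root's own .rhosts and /etc/hosts.equiv.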
Shannon Petry
Honored Contributor

Re: RLOGIN

Well, I don't think you can do what you want to do unless you convert to a trusted system, and even that is a maybe.

The /etc/hosts.equiv file and $HOME/.rhosts file only allow entries from whence a user does not have to enter a password.

Removing either of these files WILL NOT disable the ability to rlogin to that system. It will only make them have to enter a password when they do rlogin.

Standard HP-UX will allow you to enter hosts which can access inetd services by modifying the /var/adm/inetd.sec file. IMHO securing the system to your IP allowed for remsh may give you the effect you desire.

There is an add/on package called TCP-Wrappers available for all Unices which will grant/deny based on user/group/host/network/domain who can access services of inetd.

Regards,
Shannon
Microsoft. When do you want a virus today?
Pete Randall
Outstanding Contributor

Re: RLOGIN

Just a couple further thoughts:

1) Yes, it's regarded as a security risk - but if you list hosts explicitly in the .rhosts file, then only those hosts you trust can use the "r" commands.

2) If you use the hostname username format and list only root, then other users won't be allowed, and if they can't get here to start with, they can't put an .rhosts file in the home directory they would have to have on this particular server under their user account that they would have to have on this particular server.

Of course, I may be way off base but I think in very limited circumstances this can be a safe and useful technique.

Pete

