Re: security concerns with rexec?
Operating System - HP-UX
09-16-2003 12:43 PM
One of our software packages is coming out with a JAVA based GUI release. They need to use rexec. If I set it up on a different port than 512, are there any other concerns I should have using it? I have read some postings and I'm not sure if I should be concerned. Thanks.
Richard
09-16-2003 12:49 PM
Re: security concerns with rexec?
None of the Berkeley port 512 r-protocols are secure. They pass authentication information in an insecure way.
They are to be avoided, especially on systems that are exposed to the Internet.
Most of the Berkeley protocols are replaced by secure shell.
I'm more familiar with
remsh -> ssh
rcp -> scp
ftp -> sftp
than rexec.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
09-16-2003 12:52 PM
Re: security concerns with rexec?
Hi Richard,
The reason why 'rexec' is treated as a security vulnerability is that the password flows in cleartext; as well, it may tempt users to keep their login names and passwords in text files like .netrc.
You will really gain a little by moving them to a different port as both the above issues are still there.
-Sri
You may be disappointed if you fail, but you are doomed if you don't try
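An audit for the .netrc concern raised in the reply above, as an added example that is not part of the original posts: it reports which entries of a .netrc file store a password and whether the file is readable by group or other, without ever keeping the secret. The sample file content, host names and logins are constructed, and the parser assumes `macdef` starts its own line.

```python
import os
import stat
import tempfile

def netrc_tokens(path):
    """Whitespace-split tokens of a .netrc file, skipping macdef bodies."""
    tokens, in_macro = [], False
    with open(path) as fh:
        for line in fh:
            # "macdef" starts a macro body that runs to the first blank line
            if in_macro or line.split()[:1] == ["macdef"]:
                in_macro = bool(line.strip())
                continue
            tokens.extend(line.split())
    return tokens

def audit_netrc(path):
    """Return (open_to_group_or_other, [(machine, login), ...]) for entries with a password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    entries, it = [], iter(netrc_tokens(path))
    for tok in it:
        if tok in ("machine", "default"):
            name = next(it, None) if tok == "machine" else "default"
            entries.append({"machine": name, "login": None, "stored": False})
        elif entries and tok == "login":
            entries[-1]["login"] = next(it, None)
        elif entries and tok == "password":
            next(it, None)                    # consume the secret; never keep or print it
            entries[-1]["stored"] = True
    hits = [(e["machine"], e["login"]) for e in entries if e["stored"]]
    return bool(mode & 0o077), hits

# Constructed sample; host names, logins and passwords are made up.
SAMPLE = """machine apphost.example login richard password constructed-secret
machine other.example login guest
macdef init
password not-a-real-entry

default login anonymous password user@example
"""

def demo(mode=0o644):
    """Write SAMPLE to a temporary .netrc with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".netrc")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_netrc(path)
```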
09-16-2003 08:02 PM
Solution
Hi,
If the rexec client and rexec server reside on the same vlan (subnet) on a switch, then minimal risk is with cleartext messages being sniffed only either at the client or at the server.
If the rexec client can reside anywhere on the Internet and its traffic is not tunnelled over VPN, SSH or SSL, then you are exposed to a much higher risk of your traffic being sniffed anywhere on the Internet along the traffic route. Man-in-the-middle attacks can be performed against your rexec traffic, resulting in loss of both confidentiality and integrity of your information.
Ideally, your Java based GUI should use ssh instead of rexec to execute commands remotely. With public key pairs properly set on both client and server, ssh commands can be executed without any need to login.
If it is legacy or proprietary to use rexec, then tunnel it over SSH (openssh) or SSL (stunnel) or HTTPS (since this is a JAVA-based client). One less elegant workaround would be to run rexec as a wrapper script to ssh and rexecd as a wrapper daemon to sshd.
Hope this helps. Regards.
Steven Sim Kok Leong
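The cleartext exposure discussed in this thread, seen from the monitoring side, as an added example that is not part of the original posts: the client's opening bytes have the same recognisable shape on any port, so a check on reassembled first-payload bytes flags a relocated rexec service exactly as it flags port 512. The field layout follows the BSD rexecd(8) description; the length limits, port 5512, the command path and the sample flows are constructed assumptions.

```python
import re

# Client's opening bytes per BSD rexecd(8):
#   "<stderr-port>\0<user>\0<password>\0<command>\0"
# remsh/rsh uses the same four-field framing (field 3 is a user name there),
# so a match means "cleartext r-command"; context decides which one.
HANDSHAKE = re.compile(
    rb"\A(\d{1,5})\x00([\x21-\x7e]{1,32})\x00([^\x00]{0,64})\x00([^\x00]+)\x00"
)

def parse_rexec_handshake(payload):
    """Parse the first client bytes of a TCP flow; None if not r-command shaped."""
    m = HANDSHAKE.match(payload)
    if not m or int(m.group(1)) > 65535:
        return None
    return {
        "stderr_port": int(m.group(1)),
        "user": m.group(2).decode("ascii"),
        "password_len": len(m.group(3)),      # report the length only, never the value
        "command": m.group(4).decode("latin-1"),
    }

def flag_cleartext_rexec(flows):
    """flows: iterable of (dst_port, first_client_payload). Returns flagged flows."""
    hits = []
    for dst_port, payload in flows:
        info = parse_rexec_handshake(payload)
        if info:
            hits.append((dst_port, info["user"], info["password_len"]))
    return hits

# Constructed sample flows: default port, relocated port, and two unrelated protocols.
FLOWS = [
    (512, b"0\x00richard\x00constructed-pw\x00uptime\x00"),
    (5512, b"1023\x00richard\x00constructed-pw\x00/opt/app/bin/report\x00"),
    (80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_3.7\r\n"),
]

if __name__ == "__main__":
    for hit in flag_cleartext_rexec(FLOWS):
        print("cleartext r-command handshake: port=%d user=%s password_len=%d" % hit)
```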