Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!csd4.csd.uwm.edu!uxc.cso.uiuc.edu!uxc.cso.uiuc.edu!kailand!pwolfe
From: pwolfe@kailand.KAI.COM
Newsgroups: comp.sys.sequent
Subject: Re: .netrc format
Message-ID: <2400066@kailand>
Date: 11 Sep 89 12:54:00 GMT
References: <412@bcsfse.UUCP>
Lines: 27
Nf-ID: #R:bcsfse.UUCP:412:kailand:2400066:000:1388
Nf-From: kailand.KAI.COM!pwolfe Sep 11 07:54:00 1989

> Written by paul@bcsfse.UUCP
> What is format for sequent .netrc.
> I could not find the man page for netrc
> although the file was mentioned in the man page for rexec.

The format for .netrc is:

    hostname username password

The .netrc file is used by telnet and ftp (and apparently, rexec), to allow
frequent users of other machines to avoid having to type logins and passwords
every time they login.

I consider it a very bad security practice to place passwords in a file, no
matter what the file permissions are, but some people just won't be convinced
about this. This is exactly the type of thing that trojan horses, worms and
such use to find accounts and passwords on other machines. I suspect that
there is no manpage for ".netrc" because Sequent would prefer that customers
reduce their risks by not knowing about it.

In any case, I've never used rexecd, and wonder about whether it works at all.
According to the manpage for "rexecd", the password is transmitted in
"encrypted" form. I assume this means it is encrypted on the originating
machine, using the salt from the user's password on that machine. When it gets
checked on the target machine, aren't the salt and the whole encrypted password
likely to be completely different? I'll bet the documentation is wrong.

Patrick Wolfe (pat@kai.com, kailand!pat)
System Manager, Kuck & Associates, Inc.
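
An added example, not part of the original post: a small audit that reports when a `.netrc`-style file holds a stored password or is accessible beyond its owner, the risk the post describes. It assumes the keyword layout (`machine`, `login`, `password`) documented for BSD ftp; the function names, host names and sample file content are constructed for illustration.

```python
import os
import stat
import tempfile

KEYWORDS_WITH_VALUE = ("machine", "login", "password", "account")

def audit_netrc(path):
    """Return a list of findings for one .netrc-style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: accessible by group/other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        tokens = fh.read().split()
    host = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "default":
            host = "default"
            i += 1
        elif tok in KEYWORDS_WITH_VALUE and i + 1 < len(tokens):
            if tok == "machine":
                host = tokens[i + 1]
            elif tok == "password":
                # Report the host only; never echo the secret itself.
                findings.append(f"stored password for host {host}")
            i += 2
        else:
            i += 1
    return findings

def demo():
    # Constructed sample input: one entry with a password, one without.
    sample = (
        "machine hosta.example login alice password not-a-real-secret\n"
        "machine hostb.example login anonymous\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, 0o644)  # deliberately loose permissions for the demo
    try:
        return audit_netrc(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
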