Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!archimedes.math.uwm.edu!jgreco
From: jgreco@archimedes.math.uwm.edu (Joe Greco)
Newsgroups: comp.unix.wizards
Subject: Re: /etc/hosts.equiv verses $HOME/.rhosts
Message-ID: <6012@uwm.edu>
Date: 30 Aug 90 02:36:36 GMT
References: <785@venice.SEDD.TRW.COM> <13650@ulysses.att.com>
Sender: news@uwm.edu
Organization: University of Wisconsin, Milwaukee - Department of Mathematics
Lines: 45

In comp.unix.wizards article <13650@ulysses.att.com>, smb@ulysses.att.com (Steven Bellovin) wrote:
:In article <785@venice.SEDD.TRW.COM>, waldorf@venice.SEDD.TRW.COM (Jerry Waldorf) writes:
:> Could some kind soul tell me why using $HOME/.rhosts
:> is unsafe and why /etc/hosts.equiv is safe?
:
:/etc/hosts.equiv represents the administrator's (presumably informed)
:decision to extend trust to certain other hosts, typically those also
:under the same person's control. .rhosts files represent a user's
:decision to extend trust, often to a machine not worthy of it.

Neither is absolutely safe. Then again, networks aren't safe. You need to
be sure that your network is relatively secure, that your machines are
relatively secure, and that your host tables (or nameserver) are
trustworthy, to mention just a few...

Consider the following:

A person with a network monitoring program. Just watch long enough and
snatch the password right off it. Of course this ISN'T a problem with
.rhosts....

A person who breaks into a workstation, and changes the IP numbers to match
another machine. Then crash the other machine. Voila, suddenly what looks
like x.y.z.edu is actually a.y.z.edu... and you're at the mercy of the
person.

A person who can fiddle with the nameserver to produce false host names.
No need to even change the IP number. This is possibly the worst of the
bunch. Having (for legitimate reasons) done something similar to this on
our local network, I'm not too sure that there is anything to truly prevent
someone from doing this.

Long ago I decided it was all worthless: there's just no way to protect
against all possibilities. I use .rhosts...

... Joe

-------------------------------------------------------------------------------
Joe Greco - University of Wisconsin, Milwaukee - Department of Mathematics
jgreco@archimedes.math.uwm.edu          USnail: Joe Greco
Voice: 414/321-6184                             9905 W. Montana Ave.
Data:  414/321-9287 (Happy Hacker's BBS)        West Allis, WI 53227-3329
ICBM:  43 05 20 N 87 53 10 W
#include Disclaimer: I don't speak for the Math Department, the University, or myself.
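
Added example, not part of the original post or of any poster's code: a small audit of a .rhosts or hosts.equiv style file that flags entries extending trust beyond the administrator's list and entries whose trust rests on name resolution, the two concerns raised in the thread. The trusted-host set, the sample file contents and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the original post).
ADMIN_TRUSTED = {"alpha.example.edu", "beta.example.edu"}  # hypothetical admin policy
SAMPLE_RHOSTS = """\
# constructed ~/.rhosts
alpha.example.edu alice
gamma.example.org alice
192.0.2.7
+ alice
beta.example.edu +
"""

def is_ip(token):
    """True if the token is a literal IP address rather than a host name."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_trust_file(text, admin_trusted=ADMIN_TRUSTED):
    """Return (line_no, entry, issues) for every entry with at least one issue."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or deny entry
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        issues = []
        if host == "+":
            issues.append("any host trusted")
        elif host not in admin_trusted:
            issues.append("host not in administrator's trusted set")
        if host != "+" and not is_ip(host):
            issues.append("name-based: depends on nameserver/host table")
        if user == "+":
            issues.append("any remote user trusted")
        if issues:
            findings.append((line_no, line, issues))
    return findings

if __name__ == "__main__":
    for line_no, entry, issues in audit_trust_file(SAMPLE_RHOSTS):
        print(f"line {line_no}: {entry!r}: {'; '.join(issues)}")
```

Even the entry for a host on the administrator's list is reported as name-based, which matches the point made in the post that neither file is safe if the nameserver or host table cannot be trusted.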