Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!xylogics!bu.edu!husc6!frooz!cfa.HARVARD.EDU
From: wyatt@cfa.HARVARD.EDU (Bill Wyatt,OIR)
Newsgroups: comp.unix.wizards
Subject: Re: /etc/hosts.equiv verses $HOME/.rhosts
Message-ID: <430@cfa.HARVARD.EDU>
Date: 4 Sep 90 14:32:25 GMT
References: <1990Aug30.121926.3764@lemuria.MV.COM>
Sender: news@cfa.HARVARD.EDU
Lines: 33

>>[...] Could some kind soul tell me why using $HOME/.rhosts
>>is unsafe and why /etc/hosts.equiv is safe?

> [...] I wouldn't use hosts.equiv for any reason and rhost should
> only be readable by you. To increase security you may want to have
> the rhost in place only when you are doing work.

Yes! We use crontab and find(1) once a day on our systems to remove
ALL .rhosts files. The users may reconstitute their .rhosts files
each day, of course, but are encouraged to put a `rm ~/.rhosts' into
a .logout file as well.

Since I use X on several machines at once, I have a script run at
login time to rlogin to those few machines I always use. My .login
on those remote machines copies a file into .rhosts. I also have a
`log' command aliased to set an environment variable before logging
out so I can log out but not have the .logout script kill the .rhosts
file. My local .xsession script can then open windows up on the
various machines with no problem.

When I log out of my own machine, there's yet another script run from
.logout that attempts to rsh to each machine in the .rhosts file to
remove its copy of .rhosts, and then removes the local .rhosts.

If this sounds complicated, it really isn't. It requires some initial
configuration setup, and a couple extra minutes when logging in, is all.
It's much more secure having .rhosts available all over the place all
the time.

Bill Wyatt, Smithsonian Astrophysical Observatory (Cambridge, MA, USA)
    UUCP : {husc6,cmcl2,mit-eddie}!harvard!cfa!wyatt
 Internet: wyatt@cfa.harvard.edu
     SPAN: cfa::wyatt
   BITNET: wyatt@cfa
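
Added example, not part of the original post and not the poster's own script: one way to write the daily find(1) sweep described above so that it reports each .rhosts file before optionally removing it. It goes slightly beyond the post by also flagging bare "+" wildcard entries and files readable or writable by group or other; the function names, the report format and the script name rhosts-sweep.sh are assumptions.

```shell
#!/bin/sh
# Added example: report or remove .rhosts files, for a daily cron job.
# Function names and the report format are assumptions, not from the post.

# List every regular file named .rhosts under directory $1 (one filesystem).
find_rhosts() {
    find "$1" -xdev -type f -name .rhosts -print
}

# Print one finding per line for file $1:
#   wildcard     a host or user field is a bare "+" (any host / any user)
#   loose-perms  group or other can read or write the file
# Prints nothing when neither applies.
classify() {
    if awk '$1 == "+" || $2 == "+" { hit = 1 } END { exit !hit }' "$1"; then
        echo wildcard
    fi
    loose=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo loose-perms
    fi
}

# Print "path<TAB>findings" for each .rhosts under $1. With "remove" as $2,
# delete each file after reporting it.
sweep() {
    find_rhosts "$1" | while IFS= read -r f; do
        findings=$(classify "$f" | tr '\n' ' ')
        printf '%s\t%s\n' "$f" "${findings:-none}"
        if [ "${2:-}" = remove ]; then
            rm -f -- "$f"
        fi
    done
}

# Report only:   sh rhosts-sweep.sh /home
# Daily removal: sh rhosts-sweep.sh /home remove
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```

Running it in report-only mode first shows which accounts depend on .rhosts before the removal mode is scheduled from cron.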