Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!know!samsung!noose.ecn.purdue.edu!en.ecn.purdue.edu!milton
From: milton@ecn.purdue.edu (Milton D Miller)
Newsgroups: comp.unix.wizards
Subject: Re: /etc/hosts.equiv verses $HOME/.rhosts
Message-ID: <1990Sep5.213442.7963@ecn.purdue.edu>
Date: 5 Sep 90 21:34:42 GMT
References: <1990Aug30.121926.3764@lemuria.MV.COM> <430@cfa.HARVARD.EDU>
Organization: Purdue University Engineering Computer Network
Lines: 36

In article <430@cfa.HARVARD.EDU> wyatt@cfa.HARVARD.EDU (Bill Wyatt,OIR) writes:
>>>[...] Could some kind soul tell me why using $HOME/.rhosts
>>>is unsafe and why /etc/hosts.equiv is safe?
>
>> [...] I wouldn't use hosts.equiv for any reason and rhost should
>> only be readable by you. To increase security you may want to have
>> the rhost in place only when you are doing work.
>
>Yes! We use crontab and find(1) once a day on our systems to remove
>ALL .rhosts files. The users may reconstitute their .rhosts files each
>day, of course, but are encouraged to put a `rm ~/.rhosts' into a
>.logout file as well.
>
>Since I use X on several machines at once, I have a script run at
>login time to rlogin to those few machines I always use. My .login on
>those remote machines copies a files into .rhosts. I also have a `log'
>command aliased to set an environment variable before logging out so I
>can log out but not have the .logout script kill the .rhosts file.
>

So you type your password several times (i.e. one per machine) to gain
access to all of the other machines?? If you are worried about wire
security, then here you are sending your unencrypted password across the
network several times.

If you are only worried about others faking host addresses, well, maybe.
But is it really worth the added inconvenience? I would not be surprised
to find scripts that "Do this automagically" from one or more people.

>Bill Wyatt, Smithsonian Astrophysical Observatory (Cambridge, MA, USA)
> UUCP : {husc6,cmcl2,mit-eddie}!harvard!cfa!wyatt
> Internet: wyatt@cfa.harvard.edu
> SPAN: cfa::wyatt BITNET: wyatt@cfa

milton

Milton D. Miller II
ECN student consultant, Purdue University
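
The daily cron-plus-find(1) sweep described in the quoted article, together with a check for .rhosts files that anyone other than the owner can read or write, as an added example that is not part of the original posts. The function names, the one-home-directory-per-user layout and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the directory
# layout (one home directory per user under a common root) are assumptions.

# Print every .rhosts file under $1 that group or other can read or write.
rhosts_loose() {
    find "$1" -name .rhosts -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# The daily sweep: print, then delete, every .rhosts under $1.
# "! -type d" also catches symlinks named .rhosts; rm removes the link only.
rhosts_sweep() {
    find "$1" -name .rhosts ! -type d -print -exec rm -f -- {} \;
}

# Constructed sample tree: alice keeps hers private, bob's is world-readable,
# carol has none. Prints the path of the temporary root.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/alice" "$root/bob" "$root/carol"
    echo "hostA alice" > "$root/alice/.rhosts"; chmod 600 "$root/alice/.rhosts"
    echo "hostB bob"   > "$root/bob/.rhosts";   chmod 644 "$root/bob/.rhosts"
    echo "set prompt"  > "$root/carol/.login"
    echo "$root"
}

demo=$(demo_tree)
echo "loose:";   rhosts_loose "$demo"
echo "removed:"; rhosts_sweep "$demo"
rm -rf "$demo"
```

Running `rhosts_loose` before the sweep gives a report of which users left the file open to others; `rhosts_sweep` is the part a daily cron job would call on the real home-directory root.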