Xref: utzoo comp.unix.shell:753 alt.sys.sun:1840 alt.security:1708 Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!purdue!haven!mimsy!chris From: chris@mimsy.umd.edu (Chris Torek) Newsgroups: comp.unix.shell,alt.sys.sun,alt.security Subject: Re: ~/.rhosts: put my username in there too? Message-ID: <27236@mimsy.umd.edu> Date: 29 Oct 90 00:46:10 GMT References: <1990Oct28.074642.6337@cbnewse.att.com> Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742 Lines: 54 There seems to be a deep misunderstanding here as to how `.rhosts' files work. When you use the `rsh' and `rlogin' commands, the machine receiving the rsh or rlogin request is handed two pieces of information: the Internet host number of the requesting machine, and the user name of the person who ran the request. It is up to the requesting machine to provide the correct user name; it is up to the receiving machine to derive the correct host name given the Internet host number. There are ways to fool both, though with sources and ingenuity the scheme can be made reasonably secure. (Someone can still come in, replace a trusted machine with a PC or Macintosh, and pretend to be that machine, for instance, so `absolute security' is impossible. Even if you post armed guards, they can be bribed or otherwise put out of action.) For instance, if you are logged on to `foovax.outer-podunk.edu' as `susan' and enter the command `rsh foosun echo hello', foovax makes a connection to foosun (presumably also in `outer-podunk.edu') and says, `hi, susan is asking susan to run the command "echo hello"'. Foosun can look up the Internet number on the request and convert this back to `foovax.outer-podunk.edu'. (If it uses Internet name service, and the server(s) is/are down, it may be stuck with just the numbers.) Now two things happen: A. foosun reads /etc/hosts.equiv. If `foovax.outer-podunk.edu' appears, it says `aha, foovax is trusted, and susan on foovax is the same person as susan here on foosun'. B. foosun reads ~susan/.rhosts. If `foovax.outer-podunk.edu' appears, either it is on a line by itself, or it is followed by a user name. If a user name appears, foosun will believe that foovax is trusted, but rather than assuming that susan on foovax is the same as the susan on foosun, it will instead assume that whatever string appears, *that* is the person who, on foovax, is the same as susan on foosun. If no user name appears, foosun assumes this means susan on foovax. Now, if you type `rsh foosun -l bob echo hello', foovax connects to foosun and says, `hi, susan is asking bob to run the command "echo hello"'. This time foosun reads ~bob/.rhosts (along with /etc/hosts.equiv, rather pointlessly since susan is asking bob and therefore nothing in hosts.equiv counts anyway---it is possible, but stupid, to put user names in hosts.equiv since the same code is used, but never mind that). If ~bob/.rhosts says `foovax.outer-podunk.edu' (without also naming susan), foosun will refuse to run the command, but if that file says `foovax.outer-podunk.edu susan', foosun will run it. In other words, the only thing changed by adding a user name is that the local machine (the one reading the .rhosts file) will allow commands when the remote machine lists the named user as the originator, rather than the user asked to run the command. This only happens when you use the `-l' option on rsh or rlogin. -- In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 405 2750) Domain: chris@cs.umd.edu Path: uunet!mimsy!chris