Xref: utzoo comp.unix.shell:779 alt.sys.sun:1865 alt.security:1711
Path: utzoo!utgpu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!uupsi!sunic!ericom!eua.ericsson.se!erix.ericsson.se!per
From: per@erix.ericsson.se (Per Hedeland)
Newsgroups: comp.unix.shell,alt.sys.sun,alt.security
Subject: Re: ~/.rhosts: put my username in there too?
Message-ID: <1990Oct30.194948.2439@eua.ericsson.se>
Date: 30 Oct 90 19:49:48 GMT
References: <1990Oct28.074642.6337@cbnewse.att.com> <27236@mimsy.umd.edu>
Sender: news@eua.ericsson.se
Organization: Ellemtel Telecom Systems Labs, Stockholm, Sweden
Lines: 37

In article <27236@mimsy.umd.edu> chris@mimsy.umd.edu (Chris Torek) writes:
> B. foosun reads ~susan/.rhosts.
...
> If no user name appears, foosun assumes this means susan on foovax.

I.e., there is no security advantage to adding 'susan' to the foovax line
in ~susan/.rhosts, which I believe is what the original poster thought too.

There is however one case where the presence of a username can make a
difference, namely if two or more users (=usernames) share a home
directory - e.g. there is another login 'jane' with the same home
directory as susan, and consequently ~jane/.rhosts is really the same
file as ~susan/.rhosts. In this case, if someone tries to login from
foovax as jane, the foovax line without a username will be interpreted
as jane on foovax, whereas if the line had included the username
'susan', it would (of course) still have been interpreted as susan on
foovax. I don't think this has any bearing on security, though.

> This time foosun reads ~bob/.rhosts (along with
>/etc/hosts.equiv, rather pointlessly since susan is asking bob and
>therefore nothing in hosts.equiv counts anyway---it is possible, but
>stupid, to put user names in hosts.equiv since the same code is used,
>but never mind that).

Yes, it is utterly stupid indeed, since if the username susan is listed
on the foovax line in /etc/hosts.equiv, it is taken to mean that susan
on foovax is equivalent to *any and all* users on foosun (except those
that have userid 0), i.e. susan on foovax can do

	rlogin foosun -l <user>

without password, for *any* <user> that isn't superuser - this may have
some bearing on security... - especially since some security advice
calls for the abolishment of .rhosts files, and thus an administrator
might perhaps be tempted to solve the "different username" problem
using /etc/hosts.equiv...

--Per Hedeland
per@erix.ericsson.se or per%erix.ericsson.se@uunet.uu.net or ...uunet!erix.ericsson.se!per
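A small working model of the rule both posters are describing, added here as an illustration for this page; it is not the BSD libc ruserok() source, and the hostnames (foovax, foosun), logins (susan, jane, bob) and file contents are constructed samples. It applies the same "host [user]" matching to /etc/hosts.equiv and to ~luser/.rhosts, which is exactly why "foovax susan" grants far more in the first file than in the second, and shows that the user field in a .rhosts file shared by two logins only changes the outcome for the second login:

```python
# Simplified model of the BSD ruserok()/_validuser() check behind rlogin
# and rsh, written for this page as an illustration. It is NOT the libc
# code: it ignores the "+" wildcard, netgroups and hostname
# canonicalisation, and the file contents below are constructed samples.


def validuser(lines, rhost, luser, ruser):
    """One pass of the matching rule over hosts.equiv or a .rhosts file.

    Every entry is "host" or "host user".  The host field must match the
    remote host.  With no user field the remote user must equal the local
    account being logged into; with a user field the remote user must equal
    that field and the local account is not consulted at all.  The same rule
    is applied to both files, which is what makes a user name in
    hosts.equiv so much broader than one in ~luser/.rhosts.
    """
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.lower() != rhost.lower():
            continue
        if user is None:
            if ruser == luser:
                return True
        elif user == ruser:
            return True
    return False


def ruserok(rhost, superuser, ruser, luser, hosts_equiv, rhosts_files):
    """Return True if ruser@rhost may log in as luser with no password.

    hosts.equiv is consulted only when the target account is not the
    superuser; after that the target's own ~luser/.rhosts is read.
    rhosts_files maps a local login name to the lines of the .rhosts file
    in its home directory; two logins sharing a home directory map to the
    same list, just as ~susan/.rhosts and ~jane/.rhosts are one file.
    """
    if not superuser and validuser(hosts_equiv, rhost, luser, ruser):
        return True
    return validuser(rhosts_files.get(luser, []), rhost, luser, ruser)


# Constructed sample files on foosun (assumed names, not real systems).
HOSTS_EQUIV_WITH_USER = ["foovax susan"]   # the form the thread warns against
HOSTS_EQUIV_PLAIN = ["foovax"]             # ordinary host equivalence
NO_HOSTS_EQUIV = []

SHARED_RHOSTS_NO_USER = ["foovax"]         # one file serving ~susan and ~jane
SHARED_RHOSTS_WITH_USER = ["foovax susan"]


def rhosts(shared):
    """~susan/.rhosts and ~jane/.rhosts are the same file; bob has none."""
    return {"susan": shared, "jane": shared, "bob": []}


def hosts_equiv_user_entry_is_too_broad():
    """'foovax susan' in hosts.equiv lets susan@foovax become bob (or any
    other non-root user) without a password, but never root; a plain
    'foovax' line only equates same-named users."""
    files = rhosts(SHARED_RHOSTS_NO_USER)
    as_bob = ruserok("foovax", False, "susan", "bob", HOSTS_EQUIV_WITH_USER, files)
    as_root = ruserok("foovax", True, "susan", "root", HOSTS_EQUIV_WITH_USER, files)
    as_bob_plain = ruserok("foovax", False, "susan", "bob", HOSTS_EQUIV_PLAIN, files)
    return as_bob, as_root, as_bob_plain   # (True, False, False)


def rhosts_user_field_only_matters_for_shared_home():
    """In ~susan/.rhosts, 'foovax' and 'foovax susan' admit the same people
    as susan; they differ only for jane, who shares the file."""
    def check(shared, ruser, luser):
        return ruserok("foovax", False, ruser, luser, NO_HOSTS_EQUIV, rhosts(shared))
    return {
        "susan->susan, no user field": check(SHARED_RHOSTS_NO_USER, "susan", "susan"),
        "susan->susan, user field": check(SHARED_RHOSTS_WITH_USER, "susan", "susan"),
        "jane->susan, no user field": check(SHARED_RHOSTS_NO_USER, "jane", "susan"),
        "jane->jane, no user field": check(SHARED_RHOSTS_NO_USER, "jane", "jane"),
        "jane->jane, user field": check(SHARED_RHOSTS_WITH_USER, "jane", "jane"),
    }


if __name__ == "__main__":
    print(hosts_equiv_user_entry_is_too_broad())
    for case, ok in rhosts_user_field_only_matters_for_shared_home().items():
        print(f"{case}: {'no password' if ok else 'password required'}")
```

The practical check this suggests: grep /etc/hosts.equiv for any line with a second field, since every such line hands that remote user every non-root account on the machine, whereas the same line in a user's own .rhosts grants only that one account.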