Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!clyde.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!apple!usc!samsung!noose.ecn.purdue.edu!ei.ecn.purdue.edu!irick
From: irick@ei.ecn.purdue.edu (GarBear Irick)
Newsgroups: comp.unix.questions
Subject: rlogin verification
Message-ID: <1991Jan6.010223.20099@noose.ecn.purdue.edu>
Date: 6 Jan 91 01:02:23 GMT
Sender: news@noose.ecn.purdue.edu (USENET news)
Organization: Purdue Society for Better Computing
Lines: 18

OK, this is for all you networking gods out there...

How does a machine accepting rlogin connections determine the username of
the user on the foreign host? If it is sent by the foreign host, what
prevents anyone with a basic knowledge of sockets from writing a bogus
version of rlogin and faking the username, in order to take advantage of
a .rhosts, for example?

I've written some simple server/client stuff using sockets, and the only
way I could see to determine the username of the incoming user was to have
the client-side program send it to the server.

Assuming someone has a clue, please reply via e-mail to the address below.
RTFM's gladly accepted... :)

--
Gary A. Irick, Purdue University   | "You can log out any time you like,
INTERNET: irick@en.ecn.purdue.edu  |  But you can never leave!"
UUCP: ...!pur-ee!irick             |  (apologies to The Eagles)