Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!umd5!cvl!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: Transitivity of .rhosts
Message-ID: <9106@mimsy.UUCP>
Date: Mon, 26-Oct-87 09:51:14 EST
Article-I.D.: mimsy.9106
Posted: Mon Oct 26 09:51:14 1987
Date-Received: Thu, 29-Oct-87 21:22:20 EST
References: <697@rocky.STANFORD.EDU>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 23
Keywords: remote-access, rlogin, rsh, security
Xref: mnetor comp.unix.questions:4681 comp.unix.wizards:5138

In article <697@rocky.STANFORD.EDU> wagner@rocky.STANFORD.EDU
(Juergen Wagner) writes:
>If a user has accounts on more than one machine he/she can create
>~/.rhosts, specifying from which other users from which other hosts may
>login to this machine without having to specify passwords (trusted
>users). My question is: What is the opinion about the transitivity of
>this procedure, i.e. if A trusts B and B trusts C UNIX also believes
>that A trusts C.

That follows from the fact that if C can reach B, some user on C can
log in on B without entering a password; then that user on B can log
in on A without entering a password. But since the trusted-host
mechanism is driven entirely by the receiver, there is no way for C
to contact A and say `B trusts me, and you trust B, so you ought to
trust me too'.

In any case, all network security systems that rely upon trust are
insecure unless the entire network is physically secure, something
that seems quite rare. A good public-domain authentication system
would work wonders here....
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7690)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
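
An added example, not part of the original post: a small Python audit that reads each account's .rhosts and computes which accounts can arrive at a given account without a password, either listed directly or through the hop-by-hop chain described above. Host names, user names and file contents are constructed sample data; `+` wildcards, netgroups and hosts.equiv are not modelled.

```python
from collections import deque

# Constructed sample data: (host, account) -> contents of that account's ~/.rhosts.
# Each line is "host [user]"; all names here are made up for illustration.
RHOSTS = {
    ("A", "alice"): "B alice\n",
    ("B", "alice"): "C alice\nC bob\n",
    ("C", "alice"): "",
    ("C", "bob"): "D\n",  # no user field: same user name on the remote host
    ("D", "bob"): "",
}

def parse_rhosts(text, local_user):
    """Return the (remote_host, remote_user) pairs one .rhosts file admits."""
    allowed = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        user = fields[1] if len(fields) > 1 else local_user
        allowed.add((fields[0], user))
    return allowed

def direct_trust(rhosts):
    """Map each account to the accounts it admits itself (receiver-driven)."""
    return {acct: parse_rhosts(text, acct[1]) for acct, text in rhosts.items()}

def effective_reach(rhosts, target):
    """Accounts that can reach `target` without a password, with hop count."""
    trust = direct_trust(rhosts)
    hops = {}
    queue = deque([(target, 0)])
    while queue:
        acct, depth = queue.popleft()
        # Walk backwards: whoever `acct` admits can also reach `target`.
        for source in trust.get(acct, ()):
            if source != target and source not in hops:
                hops[source] = depth + 1
                queue.append((source, depth + 1))
    return hops

if __name__ == "__main__":
    reach = effective_reach(RHOSTS, ("A", "alice"))
    for (host, user), n in sorted(reach.items()):
        kind = "listed in .rhosts" if n == 1 else f"indirect, {n} hops"
        print(f"{user}@{host} -> alice@A ({kind})")
```

Entries with a hop count above 1 are accounts the owner of the target never listed, which is the transitive exposure the thread is about.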