Path: utzoo!mnetor!uunet!hsi!stevens
From: stevens@hsi.UUCP (Richard Stevens)
Newsgroups: comp.unix.wizards
Subject: remote command execution & passwords
Message-ID: <860@hsi.UUCP>
Date: 24 Feb 88 22:37:24 GMT
Organization: Health Systems Intl., New Haven, CT
Lines: 53
Keywords: rcmd, rexec, crypt

I see three ways for an arbitrary C program to execute a program on
another system and communicate with it:

(1) Use rexec(3). Doing this requires that the user's unencrypted
    password be explicitly passed to rexec. This can be done
    (a) explicitly pass it as an argument to rexec;
    (b) have all users make a .netrc file that is read-only to them,
        containing their unencrypted password;
    (c) have all users of the program prompted for their password
        whenever they run the program.

(2) Use rcmd(3). Using this obviates the need to communicate passwords
    between the two systems, however the program that calls rcmd must
    be suid to root (in order for rcmd to be able to get a privileged
    port).

(3) Use the rsh(1) command as follows. Have the C program create
    2 pipes, then fork. The child process then exec's /usr/ucb/rsh
    with the name of the program to execute on the other system as an
    argument to rsh. The pipes from the parent process are used for
    rsh's stdin and stdout, and rsh communicates with the process on
    the other system through a socket (or two). The problem with this
    is that all the data being transferred between the two programs on
    the two systems (through the socket) must also go through a pipe
    through the rsh program that's in the middle.

It appears that if you don't want to live with the unencrypted password
restrictions of rexec, and don't want a lot of suid-root programs,
option (3) is all that's left. Am I missing something ??

Another related question:
------------------------

While going through the source for rexec I found a function
ruserpass() that called a function renv() that did the following:
If you have an environment variable of the form MACH=, then if you're
communicating with the specified , it will set the corresponding as
the argument to be passed to the rexecd on the host. Also, it takes
the supposedly encrypted and turns it into "clear text" by calling a
function nbsdecrypt() that's also in the file. This clear text password
is then passed to the rexecd on the other host. The comment at the top
of this code is that it is "nbs.c stolen from Berknet".

I can't find any reference to this MACH... environment variable in any
of the man pages, and can't understand how it can claim to unencrypt a
password. Anyone know what's going on here ??

Thanks.

        Richard Stevens
        Health Systems International, New Haven, CT
           { uunet | ihnp4 } ! hsi ! stevens
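
Added example, not part of the original post: option (3) written out in C, with the two pipes, the fork and the exec of a caller-supplied argv. The function names spawn_piped and exchange are hypothetical, and the caller is assumed to pass an absolute program path such as /usr/ucb/rsh followed by the host and remote program name.

```c
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper (not from the post): start argv[0] with two pipes
 * as its stdin/stdout. Returns the child pid, or -1 on error. */
pid_t spawn_piped(char *const argv[], int *wfd, int *rfd)
{
    int in[2], out[2];   /* in: parent -> child, out: child -> parent */
    pid_t pid;

    if (pipe(in) < 0) return -1;
    if (pipe(out) < 0) { close(in[0]); close(in[1]); return -1; }
    if ((pid = fork()) < 0) {
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: this becomes rsh */
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execv(argv[0], argv);            /* absolute path, no PATH search */
        _exit(127);                      /* exec failed */
    }
    close(in[0]); close(out[1]);         /* parent keeps only its own ends */
    *wfd = in[1]; *rfd = out[0];
    return pid;
}

/* Send msg, collect the reply, reap the child; returns its exit status or -1.
 * Assumes both fit in a pipe buffer; larger transfers must interleave I/O. */
int exchange(char *const argv[], const char *msg, char *buf, size_t len)
{
    int wfd, rfd, status;
    size_t got = 0;
    ssize_t n;
    pid_t pid;

    signal(SIGPIPE, SIG_IGN);            /* child may exit before we write */
    if ((pid = spawn_piped(argv, &wfd, &rfd)) < 0) return -1;
    if (write(wfd, msg, strlen(msg)) < 0) { /* EPIPE: still reap below */ }
    close(wfd);                          /* EOF on the child's stdin */
    while (got + 1 < len && (n = read(rfd, buf + got, len - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    close(rfd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With argv set to { "/usr/ucb/rsh", host, prog, NULL } the calling program handles no password and needs no setuid bit of its own, at the cost of the extra copy through the pipes that the post points out.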