Path: utzoo!mnetor!uunet!husc6!tut.cis.ohio-state.edu!bloom-beacon!athena.mit.edu!wesommer
From: wesommer@athena.mit.edu (William E. Sommerfeld)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: rsh equivalent
Message-ID: <3647@bloom-beacon.MIT.EDU>
Date: 11 Mar 88 00:53:14 GMT
References: <23511@hi.unm.edu> <102@icarus.kulcs.uucp>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: wesommer@athena.mit.edu (William E. Sommerfeld)
Organization: Massachusetts Institute of Technology
Lines: 21
Keywords: rsh
Summary: Sun == secure? Are you kidding?

In article <102@icarus.kulcs.uucp> dannyb@kulcs.UUCP (Danny Backx) writes:
>If you need better authentication than BSD's r*, I think this may do :
>the rex-system uses the same "UNIX-style authentication" that the entire RPC
>package uses.

Have you actually looked at what `UNIX style authentication' is for
Sun RPC? The client puts its hostname, userid and group set in the
packet; the server is expected to take the client's word for it, and
usually does.

Calling Sun's rex, with UNIX style authentication, ``more secure than
rlogin'' is like calling a Medeco padlock on a paper bag more secure
than a Master padlock on a cardboard box.

Sun may have a `secured RPC' version of `rex' in release 4.0 which
would be more secure than rlogin/rsh, although not quite as secure as
a modified rsh using Kerberos (the MIT/Athena authentication system).

Bill Sommerfeld
MIT Project Athena.
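
Added example, not part of the original post: a decoder for the credential and verifier fields of a Sun RPC call, showing that a UNIX-style credential is only the hostname, uid, gid and group list the client chose to send, with an empty verifier beside it. The field layout follows the published Sun RPC specification (RFC 1057, AUTH_UNIX); the names Reader, parse_call_auth and SAMPLE are assumptions of this example, and the sample bytes are constructed.

```python
import struct

AUTH_NONE, AUTH_UNIX = 0, 1  # Sun RPC authentication flavor numbers

class Reader:
    """Minimal big-endian XDR reader with bounds checks."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def u32(self):
        if self.off + 4 > len(self.buf):
            raise ValueError("truncated")
        (v,) = struct.unpack_from(">I", self.buf, self.off)
        self.off += 4
        return v

    def opaque(self, limit):
        n = self.u32()
        if n > limit or self.off + n > len(self.buf):
            raise ValueError("bad opaque length")
        data = self.buf[self.off:self.off + n]
        self.off += (n + 3) & ~3  # XDR pads to a 4-byte boundary
        return data

def parse_call_auth(buf):
    """Decode the credential and verifier as they sit in an RPC call header."""
    r = Reader(buf)
    cred_flavor, cred_body = r.u32(), r.opaque(400)
    verf_flavor, verf_body = r.u32(), r.opaque(400)
    if cred_flavor != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential")
    c = Reader(cred_body)
    cred = {"stamp": c.u32(),
            "machinename": c.opaque(255).decode("ascii", "replace"),
            "uid": c.u32(), "gid": c.u32()}
    ngids = c.u32()
    if ngids > 16:
        raise ValueError("too many groups")
    cred["gids"] = [c.u32() for _ in range(ngids)]
    # No field above is signed or encrypted; record whether the verifier is empty.
    cred["verifier_empty"] = verf_flavor == AUTH_NONE and len(verf_body) == 0
    return cred

# Constructed sample: AUTH_UNIX credential followed by an AUTH_NONE verifier.
SAMPLE = bytes.fromhex(
    "00000001" "00000024"             # flavor AUTH_UNIX, body length 36
    "1f2e3d4c"                        # stamp (arbitrary, client-chosen)
    "00000007" "636c69656e743100"     # machinename "client1" + 1 pad byte
    "000003e9" "00000064"             # uid 1001, gid 100
    "00000002" "00000064" "0000000a"  # two groups: 100 and 10
    "00000000" "00000000")            # verifier: AUTH_NONE, length 0
```

Every value parse_call_auth returns for SAMPLE comes straight from bytes the sender wrote, which is why a server relying on this flavor alone has to be protected by other means (network filtering, or an RPC flavor that carries a verifiable proof).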