Path: utzoo!mnetor!uunet!mcvax!prlb2!kulcs!dannyb
From: dannyb@kulcs.uucp (Danny Backx)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: rsh equivalent
Message-ID: <1188@kulcs.kulcs.uucp>
Date: 14 Mar 88 11:23:44 GMT
References: <23511@hi.unm.edu> <102@icarus.kulcs.uucp> <3647@bloom-beacon.MIT.EDU>
Reply-To: dannyb@kulcs.UUCP (Danny Backx)
Organization: Katholieke Universiteit Leuven, Dept. Computer Science
Lines: 44
Keywords: rsh
Summary: not inherently unsafe

In article <3647@bloom-beacon.MIT.EDU> wesommer@athena.mit.edu (William E. Sommerfeld) writes:
>In article <102@icarus.kulcs.uucp> dannyb@kulcs.UUCP (Danny Backx) writes:
>>If you need better authentication than BSD's r*, I think this may do:
>>the rex system uses the same "UNIX-style authentication" that the entire RPC
>>package uses.
>
>Have you actually looked at what `UNIX style authentication' is for
>Sun RPC?
>
>The client puts its hostname, userid and group set in the packet; the
>server is expected to take the client's word for it, and usually does.

I know the original system from Sun is far from secure.
You can make it MUCH better, though.

You can always check:
 1) Does the client have a port number < 1023?
    If not, throw this request away.
 2) Is the host the client is sending from one of a selected set of
    'trusted' machines?
    If not, throw this request away.

I can think of two possible ways to break into this:
 1) Put a machine on the net that believes it is somebody else.
    This can be detected by the other machines, though, especially the one
    that the fraud pretends to be.
 2) The user trying to break in already broke the protection on the machine
    he is sending from.
    I don't think defense against this is possible.

I'm sure Kerberos is better... I only wanted to state that rex could be used.

	Danny Backx

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Danny Backx                        | mail: Katholieke Universiteit Leuven
Tel: +32 16 200656 x 3537          |       Dept. Computer Science
E-mail: dannyb@kulcs.UUCP          |       Celestijnenlaan 200 A
   ... mcvax!prlb2!kulcs!dannyb    |       B-3030 Leuven
   dannyb@kulcs.BITNET             |       Belgium
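The two server-side checks described in the post above, written out as an added example by the editor; it is not code from the post, from Sun's rex or from the Sun RPC library. The trusted-host table, the sample requests and the credential field names are constructed for illustration and are assumptions, not Sun's actual AUTH_UNIX wire format. The reserved-port bound follows the BSD convention (ports 1 through 1023, i.e. below IPPORT_RESERVED = 1024), which differs by one from the "< 1023" in the post. It also goes one step beyond the post: the hostname the client wrote into its credential is compared against the name on file for the address the packet actually came from, since that field is only the client's claim.

```python
"""Gate an incoming RPC request that carries a Sun 'UNIX-style' credential.

Added example (editor's code, not from the post or from Sun's rex).
All hosts, addresses and requests below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

IPPORT_RESERVED = 1024          # BSD convention: ports 1..1023 require root

# Constructed trust table (assumption): source address -> canonical name.
TRUSTED_HOSTS = {
    ipaddress.ip_address("192.0.2.10"): "icarus",
    ipaddress.ip_address("192.0.2.11"): "kulcs",
}


@dataclass(frozen=True)
class UnixCred:
    """What the client itself puts in the credential (assumed field names)."""
    machinename: str
    uid: int
    gid: int
    gids: tuple


@dataclass(frozen=True)
class Request:
    src_addr: str    # address in the IP header, i.e. where it really came from
    src_port: int    # client's source port
    cred: UnixCred   # the client's own claims about who it is


def check_request(req: Request) -> tuple:
    """Return (accepted, reason). Nothing in cred is trusted until both
    checks from the post pass; the uid/gids are only then worth reading."""

    # Check 1: a reserved source port means the client-side process ran as
    # root, so an ordinary user on that host could not have forged the
    # credential without first breaking root there.
    if not (1 <= req.src_port < IPPORT_RESERVED):
        return False, f"source port {req.src_port} is not a reserved port"

    # Check 2: only a chosen set of machines may send us AUTH_UNIX requests.
    src = ipaddress.ip_address(req.src_addr)
    expected_name = TRUSTED_HOSTS.get(src)
    if expected_name is None:
        return False, f"{req.src_addr} is not a trusted host"

    # Extra check, beyond the post: the machinename in the credential is the
    # client's word; it must agree with the address we actually observed.
    if req.cred.machinename != expected_name:
        return False, (f"credential claims host {req.cred.machinename!r} but "
                       f"packet came from {expected_name!r} ({req.src_addr})")

    # What these checks do NOT cover, as the post says: a host that spoofs a
    # trusted address, or a trusted host whose root has already been broken.
    return True, f"uid {req.cred.uid} from {expected_name}"


if __name__ == "__main__":
    cred = UnixCred("icarus", 100, 10, (10, 20))
    for req in (
        Request("192.0.2.10", 1020, cred),            # accepted
        Request("192.0.2.10", 40000, cred),           # unprivileged port
        Request("198.51.100.5", 1020, cred),          # untrusted host
        Request("192.0.2.11", 1020, cred),            # claims icarus, is kulcs
    ):
        print(req.src_addr, req.src_port, "->", check_request(req))
```

The order of the checks matters in practice: the port and source-address tests cost nothing and throw away most junk before any credential field is parsed, which is exactly the filtering the post describes as the first line of defence for an AUTH_UNIX server.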