Path: utzoo!attcan!uunet!lll-winken!ames!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: bates@stat.stat.wisc.edu (Douglas M. Bates)
Newsgroups: comp.sys.sun
Subject: Insecure Default of hosts.equiv
Message-ID: <8901092338.AA09322@bayes.stat.wisc.edu>
Date: 13 Jan 89 22:46:11 GMT
Sender: usenet@rice.edu
Organization: Sun-Spots
Lines: 23
Approved: Sun-Spots@rice.edu
Original-Date: Mon, 9 Jan 89 17:38:40 CST
X-Sun-Spots-Digest: Volume 7, Issue 102, message 7 of 18

Bernard Silver writes:
> A (hopefully) harmless intrusion brought to our notice the default
> /etc/hosts.equiv in 3.5 and 4.0. The default consists of a single "+",
> which in this context means ALL known hosts are trusted.

This can be a bad security hole in some configurations. We run some of the
Annex terminal servers from Encore. These machines do not require a
login/password combination for their initial connection from the terminal
and they allow the user to connect to another host through "rlogin". For
example,

    rlogin newhost -l myname

It appears (I've never studied the sources and I don't know exactly what
handshaking goes on in an rlogin) that "newhost" then asks the Annex if
this request is originating from the "myname" login. The Annex always
replies "yes" and the rlogin is completed without password verification if
the Annex is regarded as a secure host. If /etc/hosts.equiv on "newhost"
consists of a single "+" then anyone with access to a terminal on the Annex
terminal server can rlogin without a password to any login on "newhost".
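
Added example, not part of the original post or of any vendor tooling: a shell function that audits a hosts.equiv-format file for the wildcard default described above. It goes slightly beyond the post by also flagging a "+" in the user field; the function name, the exit codes and the treatment of "#" as a comment marker are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_hosts_equiv FILE: report wildcard trust entries in a hosts.equiv-format
# file. Exit status: 0 = no wildcard found, 1 = wildcard found, 2 = unreadable.
# Assumption: "#" starts a comment, as on current systems.
audit_hosts_equiv() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "audit_hosts_equiv: cannot read $file" >&2
        return 2
    fi
    awk '
        { sub(/#.*/, "") }      # drop comments; awk re-splits the fields
        NF == 0 { next }        # skip blank lines
        $1 == "+" {
            printf "%s:%d: host field is \"+\": every host is trusted\n", FILENAME, NR
            bad = 1
        }
        NF >= 2 && $2 == "+" {
            printf "%s:%d: user field is \"+\": every remote user is trusted\n", FILENAME, NR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample: the shipped default the post describes (a single "+").
sample=$(mktemp)
printf '+\n' > "$sample"
audit_hosts_equiv "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a live system the function would be pointed at /etc/hosts.equiv; a non-zero status means the file should be replaced with an explicit list of trusted hosts.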