jkg@prism.gatech.EDU (Jim Greenlee) (10/05/90)
Can anybody tell me how to define a tty port as being "secure" on a
3B2/310? We're running SVR 3.2 and WIN TCP/IP 3.0.1. We recently upgraded
from SVR 3.0 and WIN TCP/IP 1.1, which permitted rlogin or telnet as root.
I can't see any way to do this with the current version of the software.

I have about eight machines all RFSed together, and it's a real pain trying to administer them without being able to log in as root from anything other than the console.

Any help would be appreciated (please don't lecture me on system security - I am fully aware of the risks involved).

Jim Greenlee
--
Jim Greenlee - Instructor, School of ICS, Georgia Tech jkg@cc.gatech.edu
Jryy, abj lbh'ir tbar naq qbar vg! Whfg unq gb xrrc svqqyvat jvgu vg hagvy lbh oebxr vg, qvqa'g lbh?!
lyndon@cs.athabascau.ca (Lyndon Nerenberg) (10/06/90)
jkg@prism.gatech.EDU (Jim Greenlee) writes:

>Can anybody tell me how to define a tty port as being "secure" on a
>3B2/310? We're running SVR 3.2 and WIN TCP/IP 3.0.1. We recently upgraded
>from SVR 3.0 and WIN TCP/IP 1.1, which permitted rlogin or telnet as root.
>I can't see any way to do this with the current version of the software.

It's hard wired into the login program! There is a #define in the source that turns it on and off. I wanted to disable this, so I recompiled /bin/login and tried to rlogin as root. Much to my disgust, I discovered that telnet and rlogin do not use /bin/login, but rather use /usr/etc/netlogin. Of course we don't have source for the latter. Running emacs on the netlogin binary shows it to be the BSD login command, with the usual WIN breakage thrown in.

If you have source, I highly recommend you replace telnetd, rlogind, and /bin/login with the BSD versions. Beware that ruserok() in libnet.a is broken (as is rresvport()), so you'll want to link in replacement versions from BSD as well.

--
Lyndon Nerenberg VE6BBM / Computing Services / Athabasca University
{alberta,cbmvax,mips}!atha!lyndon || lyndon@cs.athabascau.ca
The only thing open about OSF is their mouth. --Chuck Musciano
craig@attcan.UUCP (Craig Campbell) (10/10/90)
With regards to being able to access "root" on various systems via a TCP link, I would like to suggest the following scenario.

WARNING: This does not require SOURCE CODE or Kernel rebuilds, so those who prefer difficult solutions, hit 'n' now. 8-)

First, you must be root on the system you are starting on. Log in as anyone and then su. This is the only su you will require. Now on any other system you wish to rlogin to, there must exist an entry for your current system in both /etc/hosts and /.rhosts.

That's it. That's all. Good luck, have fun, etc....

(P.S. I am not a TCP/IP guru, this is just standard practice. It will work for any user, not just root. It would appear that rlogin first translates your current id to a login name, and then checks on the destination host for a) that login name and b) a valid entry in the .rhosts file in the home directory of that login. If the check succeeds, then you're in without a login or passwd check.)

craig

Better to remain silent and be thought a fool,
than to open your mouth and remove all doubt.
- I have no idea.
geoff@edm.uucp (Geoff Coleman) (10/11/90)
From article <12695@vpk2.UUCP>, by craig@attcan.UUCP (Craig Campbell):
>
> With regards to being able to access "root" on various systems via a TCP link,
> I would like to suggest the following scenario.
>
> WARNING: This does not require SOURCE CODE or Kernel rebuilds, so those
> who prefer difficult solutions, hit 'n' now. 8-)
>
> First, you must be root on the system you are starting on. Log in as anyone
> and then su. This is the only su you will require. Now on any other system
> you wish to rlogin to, there must exist an entry for your current system in
> both /etc/hosts and /.rhosts.

The problem with this is called security. If a user finds the root password on one machine he now has access to root on all machines that have the corresponding /.rhosts.

At least with the 386 Unix you can get rid of the console only root login by editing /etc/defaults/login.

Geoff Coleman

> (P.S. I am not a TCP/IP guru, this is just standard practice. It will work
                                             ^^^^^^^^
At what sites?

> Better to remain silent and be thought a fool,
> than to open your mouth and remove all doubt.
> - I have no idea.

pps. Where's the disclaimer Craig (or are these Ma bell's words)?
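The exposure Geoff describes is exactly what each line of root's .rhosts grants, so an administrator of a cluster like Jim's wants a quick way to see who can reach root without a password. The following POSIX sh audit is an added example, not code from the thread; the function names and the hostnames in the constructed sample file are assumptions made for the demonstration, and the "+" wildcard handling follows the common Sun-style semantics.

```shell
#!/bin/sh
# Added example: list every entry in a root .rhosts that grants passwordless
# root rlogin. Function names and hostnames are constructed for this demo.

# Write a constructed sample /.rhosts to FILE. Format per line:
#   hostname [username]   -- "+" in either field is treated as a wildcard.
make_sample_rhosts() {
    cat > "$1" <<'EOF'
alpha.example.com
beta.example.com root
+ root
gamma.example.com jkg
EOF
}

# audit_root_rhosts FILE: print one finding per trusting entry and return
# 1 if any entry was found, 0 if the file grants nothing.
audit_root_rhosts() {
    file=$1
    found=0
    while read -r host user _; do
        # skip blank lines
        [ -n "$host" ] || continue
        # A missing user field means "same login name as on the remote
        # side"; in root's own .rhosts that is root on the trusted host.
        [ -n "$user" ] || user=root
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "CRITICAL $file: wildcard entry '$host $user' lets anyone matching it rlogin as root"
        else
            echo "WARNING $file: $user@$host can rlogin as root with no password"
        fi
        found=1
    done < "$file"
    return $found
}

# count_root_trusts FILE: number of entries that would be flagged.
count_root_trusts() {
    audit_root_rhosts "$1" | wc -l | tr -d ' '
}
```

Run it against /.rhosts on every machine in the RFS group; a non-zero exit status means at least one remote principal can become root there without a password.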
craig@attcan.UUCP (Craig Campbell) (10/11/90)
In article <1990Oct11.051428.28517@edm.uucp> geoff@edm.uucp (Geoff Coleman) writes:
>From article <12695@vpk2.UUCP>, by craig@attcan.UUCP (Craig Campbell):
>> With regards to being able to access "root" on various systems via a TCP link
>> First, you must be root on the system you are starting on. Log in as anyone
>> and then su. This is the only su you will require. Now on any other system
>> you wish to rlogin to, there must exist an entry for your current system in
>> both /etc/hosts and /.rhosts.
> The problem with this is called security. If a user finds root
>password on one machines he now has access to root on all machines that have
>the corresponding /.rhosts.

No argument here, the /.rhosts setup is a security risk. However, the original request was not for a security analysis, but rather a "Rats, I can't do this and really want to be able to...".

>Geoff Coleman
>> (P.S. I am not a TCP/IP guru, this is just standard practice. It will work
                                              ^^^^^^^^
>At what sites?

Standard TCP/IP practice (i.e. the rlogin .rhosts stuff). Whether a sysop chooses to use this feature is entirely his/her concern.

>pps. Where's the disclaimer Craig (or are these Ma bell's words)?

Isn't Ma bell an alias for Bell Canada? How could I possibly be speaking for Bell Canada? (Never worked there, although I use their services. 8-)) If you are referring to AT&T Canada, I am not empowered or inclined to speak for them. Anyone who believes that a signature, without reference to title or organization, implies a statement of company opinion or policy, will get the confusion they deserve (IMHO).

craig

P.S. Nice to hear from you again! New net feed, or have you just been quiet for a while? You should have answered the rlogin question, not me, since you have far more TCP/IP experience than I!! :-)

Later Bud!!!

craig