jand@maestro.htsa.aha.nl (Jan Derriks) (03/09/90)
> What About Those People
> Who Continue to Ask Stupid or Frequently Asked Questions

I suppose I'll be one of those now:

A student was so smart as to make a .rhosts file in uucppublic and thus being able to work under uid=uucp. Fixing this, my colleague said it's always possible to 'break in' a user's account by talking the right protocol to rlogind (if a .rhosts exists). Just say you're 'billy' and start a remote shell as user 'billy'.
Is it so easy? How is the rlogin protocol protected against this?

>
>Just send them a polite mail message, possibly referring them to this document.
>There is no need to flame them on the net - it's busy enough as it is.
>

Thanx.
--
Jan Derriks               | AHA-TMF (H.T.S. 'Amsterdam'),
jand@maestro.htsa.aha.nl  | Europaboulevard 23,
(or ..hp4nl!htsa!jand)    | 1079 PC Amsterdam,
phone: +31 20423827       | the Netherlands.

barmar@think.com (Barry Margolin) (03/11/90)
In article <1562@maestro.htsa.aha.nl> jand@maestro.htsa.aha.nl (Jan Derriks) writes:
> Just say you're 'billy' and start a remote shell as user 'billy'.
>Is it so easy? How is the rlogin protocol protected against this?

Rlogind requires that the source port of the connection be in the range from 512 to 1023, and Unix only allows root to open connections like this; rlogin is setuid to root, and it always specifies the correct local user name. So long as Billy's .rhosts file only lists Unix hosts on which he trusts the superuser he's relatively safe. However, if there are any completely insecure systems (such as PCs) on the subnet then there can be problems due to address spoofing, which renders the host names in the .rhosts file ineffective.

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
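
Added example (not part of the thread, and not rlogind's source): a simplified C version of the two server-side checks the reply above describes, the reserved source-port test and the .rhosts lookup. The function names, the literal-match .rhosts parser (no '+' wildcards) and the sample host names are assumptions made for illustration.

```c
/* Added example, not rlogind source; names and inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define RESV_LOW  512   /* lowest source port accepted (range from the post) */
#define RESV_HIGH 1023  /* highest; on Unix only root may use these ports */

/* 1 if the peer's source port is in the root-only range. */
int port_is_reserved(const struct sockaddr_in *peer)
{
    unsigned port = ntohs(peer->sin_port);   /* sin_port is network order */
    return peer->sin_family == AF_INET && port >= RESV_LOW && port <= RESV_HIGH;
}

/* 1 if a .rhosts body lists rhost/ruser; a line with no user means luser. */
int rhosts_allows(const char *body, const char *rhost,
                  const char *ruser, const char *luser)
{
    char line[256], h[128], u[128];
    while (*body) {
        size_t n = strcspn(body, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, body, c);
        line[c] = '\0';
        body += n + (body[n] == '\n');
        int f = sscanf(line, "%127s %127s", h, u);
        if (f < 1 || h[0] == '#') continue;      /* blank line or comment */
        if (strcmp(h, rhost) == 0 && strcmp(f == 2 ? u : luser, ruser) == 0)
            return 1;
    }
    return 0;
}

/* Both checks must pass; rhost is only as trustworthy as the source address. */
int trusted_login(const struct sockaddr_in *peer, const char *rhost,
                  const char *ruser, const char *luser, const char *body)
{
    return port_is_reserved(peer) && rhosts_allows(body, rhost, ruser, luser);
}

int main(void)
{
    struct sockaddr_in p = { .sin_family = AF_INET, .sin_port = htons(1022) };
    const char *rh = "hosta.example billy\n";   /* constructed .rhosts */
    printf("%d\n", trusted_login(&p, "hosta.example", "billy", "billy", rh));
    return 0;
}
```

Neither check authenticates the remote machine itself: the port test trusts the remote root, and the .rhosts match trusts whatever host name the source address resolves to.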