kurt@pprg.unm.edu (Kurt Zeilenga) (12/04/88)
In 1987, we experienced a bit of local abuse of the .rhost feature of rlogin/rsh/rcp. We found that by "taking root" on one public system (the system happened to be in a student laboratory), it was possible to take root on just about every other system on campus.

Because of this, we (UNM-PPRG) decided to remove .rhosts nightly to increase security on our systems. This was a compromise between always allowing or completely disabling the feature. We decided to allow temporary use of the feature (for doing rsh'ing) yet to "close" it up every evening. We also send notes to users who leave .rhosts around that they should remove them immediately after they are done with it.

In recent weeks, I've been distributing this code to anyone who wants it. So, if you want my code, feel free to "anonymous" FTP to PPRG.UNM.EDU (192.31.154.1, 129.24.13.10) and get the file ~ftp/pub/rhost.shar (use sh < rhost.shar to unarchive).

Kurt Zeilenga
bandy@well.UUCP (Andrew Scott Beals) (12/06/88)
Another solution to the .rhosts problem, which I implemented when I was at Lawrence Livermore back in '86, was to require a recent login on the account that you wish to use rlogin/rsh/rcp to before the .rhosts file can be valid. This helps to solve the problem of people leaving .rhosts files lying around and then forgetting them when a "friendly" site turns hostile.

--
for those of you who don't trust the headers: bandy@lll-crg.llnl.gov or {pacbell,lll-winken,hoptoad,hplabs,apple}!well!bandy
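The two controls described in this thread (a nightly sweep that removes every .rhosts file and notifies its owner, and a rule that a .rhosts file only stays valid while the account has a recent login) fit in one small script run from cron. The example below is added here and is not the code either poster distributed. It assumes home directories live under a root passed as the first argument (default /home), appends the user notice to a log file instead of mailing it so that it runs offline, and stands in for lastlog(8) with a hypothetical per-user marker file, $home/.lastlogin, whose modification time is taken as the last login time. With a maximum age of 0 it behaves like the UNM nightly sweep; with a positive number of days it behaves like the Livermore recent-login rule.

```shell
#!/bin/sh
# Nightly .rhosts sweep (added example, not code from the original posts).
# Assumptions (hypothetical): home directories sit directly under $1;
# notices go to the log file $2 rather than to mail; $home/.lastlogin's
# mtime stands in for the lastlog(8) record of the owner's last login.
#
# Usage from cron, e.g. nightly:  sweep_rhosts /home /var/log/rhosts-sweep.log 30
#   max_days = 0  -> remove every .rhosts file (the nightly "close it up" policy)
#   max_days > 0  -> remove .rhosts only where the owner has no login within
#                    that many days (the "recent login required" policy)
# Prints the number of .rhosts files removed.
sweep_rhosts() {
    home_root=${1:-/home}
    notice_log=${2:-/var/log/rhosts-sweep.log}
    max_days=${3:-0}
    removed=0

    for home in "$home_root"/*; do
        [ -d "$home" ] || continue          # skip stray files under the root
        rhosts="$home/.rhosts"
        [ -f "$rhosts" ] || continue        # nothing to do for this account
        user=$(basename "$home")

        # Recent-login rule: if the owner has logged in within $max_days days,
        # the file is still "valid" and is left alone.  A missing marker counts
        # as no recent login, so the file is removed.
        if [ "$max_days" -gt 0 ] && [ -f "$home/.lastlogin" ] &&
           [ -z "$(find "$home/.lastlogin" -mtime +"$max_days" -print)" ]; then
            continue
        fi

        # rm removes the .rhosts entry itself (a symlink, not its target),
        # so a user cannot point the sweeper at another file.
        rm -f "$rhosts"
        removed=$((removed + 1))

        # Stand-in for the note mailed to the user: one line per removal.
        printf '%s: removed %s for %s; recreate .rhosts only while you need it\n' \
            "$(date '+%Y-%m-%d')" "$rhosts" "$user" >> "$notice_log"
    done

    echo "$removed"
}
```

In a real deployment the marker check would be replaced by a lookup in lastlog(8) or the output of last(1), and the printf by mail(1) to the owner; the control flow is the same. Because the sweep runs as root, it deliberately never follows a user's .rhosts if it is not a regular file, so the worst a user can do with a symlink is lose the link itself.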