[comp.sys.sequent] .netrc format

paul@bcsfse.UUCP (Paul Hardiman) (09/08/89)

What is the format for Sequent .netrc?
I could not find the man page for netrc
although the file was mentioned in the man page
for rexec.
I tried variations of Apollo's format, but so far
blank.
Thanks.
-- 
  Paul Hardiman     ...!uw-beaver!ssc-vax!voodoo!bcsfse!paul
The above views are strictly my own.
============================================================

pwolfe@kailand.KAI.COM (09/11/89)

> Written by paul@bcsfse.UUCP
> What is the format for Sequent .netrc?
> I could not find the man page for netrc
> although the file was mentioned in the man page for rexec.

The format for .netrc is:
	hostname username password

The .netrc file is used by telnet and ftp (and apparently, rexec), to allow
frequent users of other machines to avoid having to type logins and passwords
every time they log in.  I consider it a very bad security practice to place
passwords in a file, no matter what the file permissions are, but some people
just won't be convinced about this.  This is exactly the type of thing that
trojan horses, worms and such use to find accounts and passwords on other
machines.  I suspect that there is no manpage for ".netrc" because Sequent
would prefer that customers reduce their risks by not knowing about it.

In any case, I've never used rexecd, and wonder about whether it works at all.
According to the manpage for "rexecd", the password is transmitted in
"encrypted" form.  I assume this means it is encrypted on the originating
machine, using the salt from the user's password on that machine.  When it gets
checked on the target machine, isn't the salt and the whole encrypted password
likely to be completely different?  I'll bet the documentation is wrong.

        Patrick Wolfe   (pat@kai.com, kailand!pat)
        System Manager, Kuck & Associates, Inc.

rsk@boulder.Colorado.EDU (Rich Kulawiec) (09/15/89)

In article <2400066@kailand> pwolfe@kailand.KAI.COM writes:
>The format for .netrc is:
>	hostname username password
>
>The .netrc file is used by telnet and ftp (and apparently, rexec), to allow
>frequent users of other machines to avoid having to type logins and passwords
>every time they log in.  [...] I suspect that there is no manpage for ".netrc"
>because Sequent would prefer that customers reduce their risks by not
>knowing about it.

Perhaps some of the confusion has been caused by the re-use of the .netrc
file...once upon a time, when Berknet was the network that BSD sites
used (e.g. "netcp" et al.) the .netrc file held some configuration info
for Berknet commands.  (I believe that there was also a way to put an
encrypted version of your password into your environment, in order to
avoid having to type it frequently and/or storing it in plaintext somewhere.)

Well, Berknet is long dead, and the .netrc file is now used by ftp & Co.
Here's an example from mine:

machine a.cs.uiuc.edu login anonymous password rich

This allows me to use anonymous FTP to a site at Illinois without
being prompted for the username or password; since anonymous FTP
accepts any password, this isn't much of a security hole.  Of course,
were this an entry for a "real" account, including the password in
plaintext would be a Bad Thing.
-- 
Rich Kulawiec
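
An added example, not part of the thread or of any poster's code: a small Python audit for the keyword format shown in the last post, which flags a .netrc that is accessible beyond its owner and any entry holding a password for a non-anonymous login. The host.example entry, the login alice and the ANON_LOGINS set are constructed assumptions; quoted tokens and macdef bodies are not handled.

```python
import os
import stat
import tempfile

ANON_LOGINS = {"anonymous", "ftp"}  # assumption: logins treated as anonymous FTP
KEYS = ("login", "password", "account")

def parse_netrc(text):
    """Parse 'machine <host> login <user> password <pw>' entries into dicts."""
    entries = []
    tokens = iter(text.split())  # simplification: whitespace-separated tokens only
    for tok in tokens:
        if tok == "machine":
            entries.append({"machine": next(tokens, "")})
        elif tok in KEYS and entries:
            entries[-1][tok] = next(tokens, "")
    return entries

def audit_netrc(path):
    """Return findings for one .netrc file; the password itself is never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path) as fh:
        for e in parse_netrc(fh.read()):
            login = e.get("login", "?")
            if "password" in e and login.lower() not in ANON_LOGINS:
                findings.append(f"plaintext password stored for {login}@{e['machine']}")
    return findings

# First line is the entry quoted in the thread; the second is constructed.
SAMPLE = ("machine a.cs.uiuc.edu login anonymous password rich\n"
          "machine host.example login alice password constructed-secret\n")

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".netrc")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit_netrc(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The anonymous entry from the thread produces no password finding; only the file mode and the constructed alice entry are reported.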