[comp.unix.ultrix] MacX and Ultrix 4.0

barnett@grymoire.crd.ge.com (Bruce Barnett) (03/02/91)

The release notes of MacX 1.1 say there is a problem with Ultrix 4.0
and the rexecd daemon: You cannot start an X client from the Mac side.

Does anyone understand why there is a problem? Is there a new protocol
or authentication done (aka Kerberos?). Which vendor should I flame? :-)
--
Bruce G. Barnett	barnett@crd.ge.com	uunet!crdgw1!barnett

jtkohl@MIT.EDU (John T Kohl) (03/02/91)

In article <BARNETT.91Mar1130837@grymoire.crd.ge.com> barnett@grymoire.crd.ge.com (Bruce Barnett) writes:

> The release notes of MacX 1.1 say there is a problem with Ultrix 4.0
> and the rexecd daemon...

> Does anyone understand why there is a problem? Is there a new protocol
> or authentication done (aka Kerberos?). Which vendor should I flame? :-)

Flame the vendor of MacX for using rexecd.  rexecd is an ancient daemon
which asks for username and password in cleartext.  Using it on an open
network is not advisable.

The workstations at MIT Project Athena don't run it.  Nothing in 4.3BSD
source calls the library routines which contact it.  You shouldn't use
it either.

[rshd is slightly better, in that it doesn't let you type a password,
but it does rely on IP addresses.  They can be forged, but it takes more
work than it does to steal a password.]
--
John Kohl <jtkohl@ATHENA.MIT.EDU> or <jtkohl@MIT.EDU>
Digital Equipment Corporation/Project Athena
(The above opinions are MINE.  Don't put my words in somebody else's mouth!)
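
[Added example, not part of any post in this thread: a check for whether the two daemons discussed above, rexecd and rshd, are enabled in an inetd.conf-style file. It assumes the standard service names "exec" (rexecd) and "shell" (rshd); the sample configuration and its paths are constructed.]

```shell
#!/bin/sh
# Added example: flag enabled rexecd/rshd entries in an inetd.conf-style file.
# Assumption: the service name is the first field, "exec" for rexecd and
# "shell" for rshd, as in the standard /etc/services naming.

# audit_inetd FILE
# Prints one finding per enabled entry; returns 1 if any were found, else 0.
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }   # commented-out (disabled) or blank line
        $1 == "exec" {
            printf "line %d: rexecd enabled (username and password sent in cleartext)\n", FNR
            bad = 1
        }
        $1 == "shell" {
            printf "line %d: rshd enabled (trusts the client IP address)\n", FNR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample configuration (not taken from the thread or from Ultrix).
sample_inetd_conf() {
    cat <<'EOF'
ftp     stream tcp nowait root /usr/etc/ftpd    ftpd
shell   stream tcp nowait root /usr/etc/rshd    rshd
#login  stream tcp nowait root /usr/etc/rlogind rlogind
exec    stream tcp nowait root /usr/etc/rexecd  rexecd
EOF
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp) && sample_inetd_conf > "$demo"
audit_inetd "$demo" || echo "r-services are enabled in this configuration"
rm -f "$demo"
```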

barmar@think.com (Barry Margolin) (03/02/91)

In article <JTKOHL.91Mar1145729@quicksilver.MIT.EDU> jtkohl@MIT.EDU (John T Kohl) writes:
>Flame the vendor of MacX for using rexecd.  rexecd is an ancient daemon
>which asks for username and password in cleartext.  Using it on an open
>network is not advisable.
>[rshd is slightly better, in that it doesn't let you type a password,
>but it does rely on IP addresses.  They can be forged, but it takes more
>work than it does to steal a password.]

Rexec uses a cleartext password, so that's out.
Rsh relies on knowing that a particular host is reasonably secure, so
that's out for personal computer clients.

What other widely-implemented remote execution protocol is there that MacX
should have used instead?  MacX is supposed to be install-and-go, so any
solution that involves installing a Kerberized rshd is out.
--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar

smiles@ferrari.nmc.ed.ray.com (Kevin Ruddy) (03/05/91)

rexecd doesn't work and it's Ultrix's fault.  I'm willing to bet that
you're running in either UPGRADE or ENHANCED security mode.  Basically,
they haven't recompiled the daemon with the new security library.

Take rexecd.c from 4.3 BSD, tweak, twiddle, and compile.

(But I agree with John Kohl: MacX shouldn't be using rexec in the first
 place.)

Kevin Ruddy
smiles@ferrari.nmc.ed.ray.com

barnett@grymoire.crd.ge.com (Bruce Barnett) (03/05/91)

In article <JTKOHL.91Mar1145729@quicksilver.MIT.EDU> jtkohl@MIT.EDU (John T Kohl) writes:

>   Flame the vendor of MacX for using rexecd. 

Actually - someone told me to Flame DEC because of a bug in Ultrix 4.0
that is fixed in Ultrix 4.1.

>   [rshd is slightly better, in that it doesn't let you type a password,
>   but it does rely on IP addresses.  They can be forged, but it takes more
>   work than it does to steal a password.]


I don't quite agree. Anyone can unplug a machine that isn't in a locked room.
And it's easier to change an IP address than it is to decode a
password from several packets flying across a net. As long as the
ethernet address isn't cached it would be easier to crack rshd than rexecd.
(Most people turn off their Macs at night.) Also - the Macs can
select IP numbers dynamically. If this is done, rshd won't work.

I will agree that Apple should support both protocols, like White
Pine's X server for the Mac.  
--
Bruce G. Barnett	barnett@crd.ge.com	uunet!crdgw1!barnett