How safe is rlogin protocol ?
Barry Margolin
barmar at think.com
Sun Mar 11 05:12:07 AEST 1990
In article <1562 at maestro.htsa.aha.nl> jand at maestro.htsa.aha.nl (Jan Derriks) writes:
> Just say your 'billy' and start a remote shell as user 'billy'.
>Is it so easy ? How is the rlogin protocol protected against this ?
Rlogind requires that the source port of the connection be in the range
from 512 to 1023, and Unix only allows root to open connections like this;
rlogin is setuid to root, and it always specifies the correct local user
name. So long as Billy's .rhosts file only lists Unix hosts on which he
trust the superuser he's relatively safe. However, if there are any
completely insecure systems (such as PC's) on the subnet then there can be
problems due to address spoofing, which renders the host names in the
.rhosts file ineffective.
--
Barry Margolin, Thinking Machines Corp.
barmar at think.com
{uunet,harvard}!think!barmar
More information about the Comp.unix.questions
mailing list