Bugtraq mailing list archives
Re: rshd gives away usernames
From: kalt () STEALTH NET (Christophe Kalt)
Date: Sat, 14 Jun 1997 18:22:02 -0400
ssh also has this problem. The line

"Remote: Rhosts/hosts.equiv authentication refused: client user 'kalt', server user 'kalt', client host 'millennium.stealth.net'."

only appears when the account exists. (You need to run in verbose mode.) This might not be the case if the remote sshd doesn't allow this particular kind of authentication. I didn't check for other schemes.

On Jun 13, David Holland wrote:
| Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
| The error reported is different.
|
| Therefore, it's possible to determine which account names are valid.
| This is an issue only for particularly paranoid sites that probably
| already have rshd disabled, but I thought it would be worth issuing a
| warning anyway.
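
The behaviour discussed in this thread, reduced to a sketch with the usual remedy beside it. This is an added example, not part of the original posts and not rshd or sshd source: the account table, the reply strings, the host name and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table standing in for the password database. */
static const char *accounts[] = { "kalt", "root" };

static int account_exists(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i], user) == 0)
            return 1;
    return 0;
}

/* Hypothetical stand-in for the rhosts/hosts.equiv trust check; always refuses. */
static int trust_check(const char *user, const char *host) {
    (void)user; (void)host;
    return 0;
}

/* Leaky: the account lookup and the trust check fail with different reply text,
 * so the client can tell an existing account from a missing one. */
const char *reply_leaky(const char *user, const char *host) {
    if (!account_exists(user))
        return "Login incorrect.";     /* constructed reply string */
    if (!trust_check(user, host))
        return "Permission denied.";   /* constructed reply string */
    return "";
}

/* Uniform: every refusal sends the same reply; the real cause is written
 * only to a server-side log buffer that the client never sees. */
const char *reply_uniform(const char *user, const char *host, char *log, size_t n) {
    int exists = account_exists(user);
    if (exists && trust_check(user, host))
        return "";
    snprintf(log, n, "refused user=%s host=%s reason=%s", user, host,
             exists ? "not-trusted" : "no-such-account");
    return "Permission denied.";
}

int main(void) {
    char log[128];
    const char *host = "client.example";  /* constructed host name */
    printf("leaky:   '%s' vs '%s'\n",
           reply_leaky("kalt", host), reply_leaky("nosuchuser", host));
    printf("uniform: '%s'", reply_uniform("kalt", host, log, sizeof log));
    printf(" vs '%s'\n", reply_uniform("nosuchuser", host, log, sizeof log));
    printf("server log: %s\n", log);
    return 0;
}
```

The uniform reply removes only the message difference; it says nothing about other observable differences such as response timing.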