Bugtraq mailing list archives
Re: ruserok() & /etc/hosts.equiv
From: walkera () druggist gg caltech edu (Walker Aumann)
Date: Tue, 03 May 1994 15:01:08 PDT
Try rsh'ing into an account that doesn't have a .rhosts while there is a + in hosts.equiv. Does this work?
It seems to work as long as you don't have to change usernames. If you try changing usernames (rsh remote -l username), then it denies access.
Maybe Sun broke ruserok() to ignore the hosts.equiv file because it has no real usage. If ruserok() doesn't work in a sample c program (checking to see if hello.world.com is allowed in, etc) then, at least I thought, that it wouldn't work in a larger program such as the 'r' commands. Unless they use some other method of authentication in addition to ruserok(). Maybe I'll dig up my net/2 sources and check out that version of ruserok(). Be sure to try it with a valid host name too. Get back to me on this.
Bogus hostnames get denied access, even with the same username. It seems that the only breakage is that if there is a '+' in the hosts.equiv file, it ignores users' .rhosts files, except that rlogin and rsh let people in from any host as long as the same username is used. Now, I think that it would be great to have the option of turning off .rhosts usage, rather than having to police every user's .rhosts file, but this isn't it.
Current thread:
- Re: ruserok() & /etc/hosts.equiv Carl Corey (May 03)
- <Possible follow-ups>
- Re: ruserok() & /etc/hosts.equiv Carl Corey (May 03)
- Re: ruserok() & /etc/hosts.equiv Walker Aumann (May 03)
- Re: ruserok() & /etc/hosts.equiv Uwe Ellermann (May 04)
- Re: ruserok() & /etc/hosts.equiv Wietse Venema (May 21)
- AIX rlogind peter () freedom nmsu edu (May 21)
- Re: AIX rlogind Peter Wemm (May 21)
- Re: AIX rlogind Kevin Johnson (May 22)
- Re: AIX rlogind Casper Dik (May 22)
- Re: AIX rlogind Kevin Johnson (May 22)
- Re: AIX rlogind Casper Dik (May 22)
- Re: AIX rlogind Peter Wemm (May 22)
- Re: AIX rlogind matthew green (May 22)