[buug] rlogin
John Landahl
john at landahl.org
Fri Nov 22 13:27:00 PST 2002
On Friday 22 November 2002 01:22 pm, Rick Moen wrote:
> Quoting John Landahl (john at landahl.org):
> > It's not that it's not recommended, it's more that it SHOULD SIMPLY
> > NEVER BE USED. In previous sysadmin jobs we used to seek and destroy
> > .rlogin and hosts.equiv files as a matter of policy.
>
> Isn't it simpler just to make sure rshd and rlogind are disabled?

Ideally both actions are necessary, in case someone (or something) turns on
rshd/rlogind at some point. Even better would be to remove the r* tools
from the system altogether so that isn't even possible. But IIRC Solaris
includes them in one of its basic system packages, making for an annoyance
if you do remove them and later (possibly regularly) test the validity of
installed packages.

> Oddly enough, most implementations have a Kerberos option. Not that
> that is sufficient, but I thought I'd just mention it.

At least on the Sun side of things, as of Solaris 8 (again, IIRC) they were
still, inexplicably, using Kerberos IV. KerbV is more than sufficient, but
of course takes a great deal more work to set up (and maintain) than SSH.
--
John Landahl | http://landahl.org/john
john at landahl.org | ICQ: 11191999
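
The two checks discussed in this thread (hunting down r-command trust files, and confirming rshd/rlogind stay disabled) combined into one audit script. This is an added example, not part of the original post; it assumes the per-user trust file is named .rhosts and that services are listed in an inetd.conf-style table, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a filesystem tree for
# r-command trust files and an inetd-style config for enabled r-services.
# Root and config path are arguments so it can run on a mounted image or test tree.

# List every .rhosts and hosts.equiv regular file under root $1.
find_trust_files() {
    find "$1" \( -name .rhosts -o -name hosts.equiv \) -type f 2>/dev/null | sort
}

# List trust-file lines whose host or user field is a bare "+" (trust anyone).
find_wildcard_entries() {
    find_trust_files "$1" | while IFS= read -r f; do
        awk -v file="$f" '!/^[ \t]*#/ {
            for (i = 1; i <= 2 && i <= NF; i++)
                if ($i == "+") { print file ": " $0; break }
        }' "$f"
    done
}

# List uncommented r-service entries in inetd.conf $1.
# Service names: shell = rshd, login = rlogind, exec = rexecd.
enabled_r_services() {
    [ -r "$1" ] || return 0
    awk '!/^[ \t]*#/ && ($1 == "shell" || $1 == "login" || $1 == "exec") { print $1 }' "$1" | sort -u
}

# Print findings; return 0 when nothing was found, 1 otherwise.
audit_r_trust() {
    files=$(find_trust_files "$1")
    wild=$(find_wildcard_entries "$1")
    svcs=$(enabled_r_services "$2")
    [ -z "$files" ] || printf 'trust files:\n%s\n' "$files"
    [ -z "$wild" ] || printf 'wildcard entries:\n%s\n' "$wild"
    [ -z "$svcs" ] || printf 'enabled in %s:\n%s\n' "$2" "$svcs"
    [ -z "$files$svcs" ]
}

# Usage: sh audit.sh <root> <inetd.conf>
if [ "$#" -eq 2 ]; then
    audit_r_trust "$1" "$2"
fi
```

Running it from cron and alerting on a non-zero exit covers the case raised above, where the services get turned back on at some later point.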