Date: Sun, 19 Nov 1995 12:21:34 +0800 (WST)
From: Peter Wemm <peter@jhome.DIALix.COM>
To: current@freebsd.org
Subject: rlogind won't allow root without password... rshd will.
Message-ID: <Pine.BSF.3.91.951119120853.16172F-100000@jhome.DIALix.COM>
I think this is a bug.. As root: I can do "rsh freebsdmachine sh -i" and get a root shell. I cannot do a "rlogin freebsdmachine" - it asks for a password.

I think this is a futile attempt at "security-through-inconvenience" (worse than the infamous security-through-obscurity) as it achieves nothing but force people to use the non-wtmp-logged facility.

rlogind (as in 4.4BSD) has a test for UID==0 to disable the .rhosts check, forcing the root password to go over the net in the clear. This IMHO is a bigger risk than the existing vouch-safe security. If a site is deliberately allowing root to have a .rhosts file then they should be allowed to shoot their own foot if they haven't made enough safeguards.

Note that FreeBSD has a random number mixed into the tcp iss variable, which makes IP spoofing at least several orders of magnitude harder to do. Having somebody sniff the root password is a far bigger risk than a successful IP spoofing attack.

I'd like to take the test out... Have I forgotten something? Objections?

(Yes, I know about ssh... :-)

-Peter
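The behaviour difference the message describes, as an added illustration that is not from the original post and not the FreeBSD rshd/rlogind source: a simplified model of the r-service host check where both daemons consult ~/.rhosts (hosts.equiv is skipped for root), and only rlogind carries the extra UID==0 test that sends root to a password prompt. The host names and file contents are constructed sample data.

```python
# Simplified model of BSD r-service host-based authentication, written for
# this thread as an illustration; it is NOT the FreeBSD rshd/rlogind code.
# hosts.equiv is consulted only for non-root users; ~/.rhosts for everyone.
# 4.4BSD rlogind adds a UID==0 test that bypasses the .rhosts check and
# drops root to a password prompt; rshd has no password fallback at all.


def parse_rhosts(text):
    """Parse .rhosts/hosts.equiv lines of the form 'host [user]'.

    Returns (host, user) pairs; user is None when the entry trusts the
    same-named account on that host. '#' starts a comment.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def ruserok(rhost, superuser, ruser, luser, hosts_equiv, rhosts):
    """True when (rhost, ruser) may become luser without a password."""
    candidates = [] if superuser else parse_rhosts(hosts_equiv)
    candidates += parse_rhosts(rhosts)
    for host, user in candidates:
        if host == rhost and (user == ruser or (user is None and ruser == luser)):
            return True
    return False


def rshd_decision(rhost, ruser, luser, luser_uid, hosts_equiv, rhosts):
    """rshd: the host check passes or the request is refused outright."""
    ok = ruserok(rhost, luser_uid == 0, ruser, luser, hosts_equiv, rhosts)
    return "granted" if ok else "denied"


def rlogind_decision(rhost, ruser, luser, luser_uid, hosts_equiv, rhosts):
    """4.4BSD rlogind: root never reaches the .rhosts check, so root is
    always handed to login's password prompt (the behaviour objected to)."""
    if luser_uid != 0 and ruserok(rhost, False, ruser, luser, hosts_equiv, rhosts):
        return "granted"
    return "password"


# Constructed sample files: hosts.equiv trusts "lab-host"; root's ~/.rhosts
# trusts root on "admin-host".
SAMPLE_HOSTS_EQUIV = "lab-host\n"
SAMPLE_ROOT_RHOSTS = "# root's ~/.rhosts\nadmin-host root\n"
```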