Just Say No to rlogin

Linux systems support a third popular text-mode remote login tool, known as rlogin (the server is called rlogind). This program works on the trusted hosts authentication model, meaning that the server trusts clients based on their hostnames or IP addresses rather than on a password. As a user, you can create a file called .rhosts in your home directory, or root can create a file called /etc/hosts.equiv. These files contain lists of trusted client systems. Users of those clients can connect with no password or any other form of authentication.

The lack of passwords makes rlogin convenient to use. Unfortunately, the trusted hosts security model is extremely risky. IP addresses can be spoofed, particularly if an attacker has physical access to your local network. Because the server never authenticates the user, only the client's address, a network that relies heavily upon rlogin turns the compromise of one system into a compromise of all the systems that trust it. In addition, rlogin doesn't encrypt data, so it has all of the security problems of Telnet in addition to its own unique flaws. For these reasons, I strongly recommend that you not use rlogind. Look for a file called rlogind or in.rlogind on your system (it's most likely to be in /usr/sbin). If it's present, delete the file, or delete the package that installed it. (Unfortunately, Slackware ships its in.rlogind in the same tcpip package that holds so many critical TCP/IP programs, so deleting this entire package isn't advisable for Slackware.)
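The check described above (look for rlogind or in.rlogind, and for the .rhosts and /etc/hosts.equiv trust files that give the trusted hosts model its reach) is easy to script. The following POSIX shell audit is an added example, not code from the book; it walks a filesystem root of your choosing so it can be exercised against a constructed directory tree, and it also flags two things a practitioner would want to know about: a `+` wildcard entry in a trust file (which trusts every host) and an uncommented `login` service line in /etc/inetd.conf (the inetd service name under which in.rlogind is traditionally started). The sample tree, file names and hostnames in stage_demo_tree are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a filesystem root for rlogin remnants: the server binary, the
# system-wide and per-user trusted-host files, and the inetd service entry.
# Usage: rlogin_audit [ROOT]   (ROOT defaults to /; only reads, never deletes)

rlogin_audit() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so paths join cleanly
    findings=0

    # 1. Server binaries; the text says they usually live in /usr/sbin.
    for f in "$root/usr/sbin/rlogind" "$root/usr/sbin/in.rlogind" \
             "$root/sbin/rlogind"     "$root/sbin/in.rlogind"; do
        if [ -e "$f" ]; then
            echo "binary:$f"
            findings=$((findings + 1))
        fi
    done

    # 2. System-wide trust file.
    if [ -e "$root/etc/hosts.equiv" ]; then
        echo "hosts.equiv:$root/etc/hosts.equiv"
        findings=$((findings + 1))
        flag_wildcard "$root/etc/hosts.equiv"
    fi

    # 3. Per-user trust files in home directories, plus root's own.
    for h in "$root"/home/*/.rhosts "$root/root/.rhosts"; do
        if [ -e "$h" ]; then
            echo "rhosts:$h"
            findings=$((findings + 1))
            flag_wildcard "$h"
        fi
    done

    # 4. inetd still configured to launch the service under the name "login".
    if [ -e "$root/etc/inetd.conf" ] && \
       grep -q '^login[[:space:]]' "$root/etc/inetd.conf"; then
        echo "inetd:$root/etc/inetd.conf"
        findings=$((findings + 1))
    fi

    echo "total:$findings"
    return 0
}

# A line beginning with "+" in hosts.equiv or .rhosts trusts every host.
flag_wildcard() {
    if grep -q '^[[:space:]]*+' "$1"; then
        echo "wildcard:$1"
    fi
}

# Build a constructed directory tree that looks like a host with rlogin
# still installed, so the audit can be run without touching the real system.
stage_demo_tree() {
    t=$(mktemp -d "${TMPDIR:-/tmp}/rlogin-audit.XXXXXX")
    mkdir -p "$t/usr/sbin" "$t/etc" "$t/home/alice" "$t/home/bob"
    : > "$t/usr/sbin/in.rlogind"                      # constructed binary
    printf '+ +\n' > "$t/etc/hosts.equiv"             # trusts everyone
    printf 'workstation.example.com alice\n' > "$t/home/alice/.rhosts"
    printf '# login is rlogin\nlogin stream tcp nowait root /usr/sbin/tcpd in.rlogind\n' \
        > "$t/etc/inetd.conf"
    echo "$t"
}

# Run against the staged tree when invoked directly with --demo, else against ROOT.
if [ "${1:-}" = "--demo" ]; then
    demo=$(stage_demo_tree)
    rlogin_audit "$demo"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see the four findings on the staged tree, or with no argument (as root, since .rhosts files are usually private) to audit the live system; any line other than `total:0` is something to remove or rewrite, and a `wildcard:` line is the most urgent of them.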
