rlogin - security question

From: sunguy@cyrion.net
Date: Fri May 09 2003 - 22:20:05 EDT


Hello,

        Every basic computer book or security book I've ever read always
mentions the importance of having passwords, and not allowing accounts
without passwords. Newer security books mention the importance of running
(at least all system administration) remote connections through ssh.

        At my company (not disclosed, am emailing from alternate email),
we are required to allow rlogin access to all by means of .rhosts files.
In addition, everyone's account is locked *LK*, so they cannot login to a
box without a .rhosts.

        This seems like a bug / security problem in Solaris. A locked
account should NOT be allowed to login. I have just recently upgraded to
the latest patch level: 5.8 Generic_108528-20, which seems to have fixed
this bug by changing /etc/pam.conf. However this patch doesn't mention
anything about rlogin. It's actually for ldap. [ 108993-18 SunOS 5.8:
LDAP2 Patch ].

        Our CIO believes that it is better to NOT have passwords, because
if a user has a password, it can be compromised. However in our setup, a
potential intruder does not even need to attempt to compromise a password.
Once he is in the network, he is granted free rein via existing rhosts on
every account across multiple boxes.

THE QUESTION:

I would like to know if there is any hard documentation from SUN anywhere
that effectively argues this fact (requiring passwords). Additionally, I'd
like to see something arguing in favor of ssh over rlogin, and finally
the removal of .rhosts files.

I would also like to know if the allowance of locked ( *LK* ) accounts to
log into a system via .rhosts is an intentional "feature" or if it is a
bug that nobody has noticed.

I appreciate any assistance on this as I have been unable to find any
"official" documentation on this, with the exception of O'Reilly books,
and what not. I think an official stance from Sun is the only thing that
may sway him.

- SUNGuy

PS.

If anyone is in this situation and upgrades to 5.8 Generic_108528-20,
patch 108993-18 is included in that patch cluster and moves your original
/etc/pam.conf to pam.conf.pre108993-18. Simply moving it back will
restore previous operations.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
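The following audit script is an added example, not part of the original post and not from Sun; it illustrates the exposure SUNGuy describes by listing locked (*LK*) accounts that still have a .rhosts file, and by showing which PAM services in /etc/pam.conf honour .rhosts. It assumes the Solaris 8 conventions that a locked password field starts with *LK* and that the .rhosts-honouring module is named pam_rhosts_auth.so.1; the passwd, shadow, pam.conf and .rhosts contents it builds are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Added example: audit a Solaris-style tree for locked (*LK*) accounts that are
# still reachable through .rhosts, and list which PAM services honour .rhosts.
# Assumptions: shadow lock marker "*LK*" (Solaris 8 style) and the module name
# pam_rhosts_auth.so.1 in /etc/pam.conf.  Pass "" as ROOT to read the live /etc
# (reading /etc/shadow needs root); pass a directory to audit a copied tree.

# audit_locked_rhosts ROOT
#   For every account in ROOT/etc/shadow whose password field starts with *LK*,
#   look up its home directory in ROOT/etc/passwd and report it if
#   ROOT<home>/.rhosts exists.  Output, one line per affected account:
#   user:home:trust, where trust is "wildcard" when some line is a bare "+"
#   (any host, any user is trusted) and "hostlist" otherwise.
audit_locked_rhosts() {
    root="$1"
    while IFS=: read -r user pw rest; do
        case "$pw" in '*LK*'*) ;; *) continue ;; esac
        home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$root/etc/passwd")
        [ -n "$home" ] || continue
        rhosts="$root$home/.rhosts"
        [ -f "$rhosts" ] || continue
        if grep -q '^+[[:space:]]*$' "$rhosts"; then
            trust=wildcard
        else
            trust=hostlist
        fi
        printf '%s:%s:%s\n' "$user" "$home" "$trust"
    done < "$root/etc/shadow"
}

# pam_rhosts_services ROOT
#   Print the PAM service names whose "auth" stack in ROOT/etc/pam.conf uses
#   pam_rhosts_auth (the module that consults .rhosts). Comment lines are skipped.
pam_rhosts_services() {
    root="$1"
    awk '$0 !~ /^[ \t]*#/ && $2 == "auth" && $0 ~ /pam_rhosts_auth/ { print $1 }' \
        "$root/etc/pam.conf" | sort -u
}

# make_sample_tree DIR
#   Build a constructed passwd/shadow/pam.conf and home directories under DIR.
#   alice: locked, .rhosts with "+"      -> reported as wildcard
#   bob:   locked, .rhosts naming a host -> reported as hostlist
#   carol: has a password hash, no .rhosts -> not reported
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/etc" "$dir/home/alice" "$dir/home/bob" "$dir/home/carol"
    printf '%s\n' \
        'alice:x:1001:10:Alice:/home/alice:/bin/sh' \
        'bob:x:1002:10:Bob:/home/bob:/bin/sh' \
        'carol:x:1003:10:Carol:/home/carol:/bin/sh' > "$dir/etc/passwd"
    printf '%s\n' \
        'alice:*LK*:12000::::::' \
        'bob:*LK*:12000::::::' \
        'carol:PLACEHOLDERHASH:12000::::::' > "$dir/etc/shadow"
    printf '%s\n' \
        '# constructed pam.conf excerpt; a real file has many more entries' \
        'rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1' \
        'rlogin auth required   /usr/lib/security/pam_unix.so.1' \
        'rsh    auth required   /usr/lib/security/pam_rhosts_auth.so.1' \
        'login  auth required   /usr/lib/security/pam_unix.so.1' > "$dir/etc/pam.conf"
    printf '+\n' > "$dir/home/alice/.rhosts"
    printf 'db1.example.com bob\n' > "$dir/home/bob/.rhosts"
}

# Stand-alone run on the constructed tree (on a real box: audit_locked_rhosts "").
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_locked_rhosts "$demo"
pam_rhosts_services "$demo"
rm -rf "$demo"
```

Run as root against the live system, `audit_locked_rhosts ""` gives the list of accounts that the lock does not actually protect, and `pam_rhosts_services ""` shows whether the patch-level change to /etc/pam.conf mentioned above still leaves pam_rhosts_auth in the rlogin auth stack; a wildcard "+" entry is the case to fix first, since it trusts every host on the network.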



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:26:23 EDT