Great Circle Associates Firewalls
(September 1993)
 


Subject: Re: RSH name lookups
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Wed, 22 Sep 1993 19:08:16 -0700
To: Steve Kennedy <steve @ gbnet . org>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 23 Sep 93 0:53:49 GMT

# What is the defined way of performing RSH authentication ?

Whatever the Berkeley source code for "rsh" and "in.rshd" does.

# If I have a PC which does an rsh or rexec to a UN*X host (currently not
# running DNS, but shortly will). How should the UN*X host authenticate
# the remote rsh/rexec?

The REAL first question is how will the PC authenticate the user?  rsh
operates on a "trusted machine" principle: if an apparently legitimate
rsh request comes from a trusted machine, then the rsh server accepts
the trusted machine's word for who the user is.

An "apparently legitimate" request from a trusted host is one that
comes from a client TCP port number below 1024 on that trusted host.
On Berkeley UNIX systems, only processes running as "root" can bind to
ports below 1024; therefore, the request must be coming from "root" or
some program (such as rsh, which is setuid-root) running with root's
permissions.

On a PC, you don't have any of this; there's only one user, and that
user can use any port they damn well please.  Even on a workstation,
if someone has physical access to the machine (so they can plug in an
alternate disk to boot it from) or its console (so they can drop it
into single-user mode or play with the bootstrap routine or whatever),
you can't really trust root on that machine.

These are some of the reasons that "rsh" is really not too useful as a
security mechanism.  If you want security, use TELNET; it doesn't
presume any trustworthiness on the part of the client.  If you want
more security, or can't live without "rsh", use Kerberos; that's a lot
of work, though.

# Should the UN*X host also do a reverse name lookup - to ensure the NAME
# translates back to the IP address that the request has come from?

I would.

# Is this in an RFC ?

Not as far as I know; like I said, the "reference" is the Berkeley
"rsh" and "in.rshd" source code, available for anonymous FTP from
FTP.UU.NET, directory systems/unix/bsd-sources/usr.bin/rsh; I'm not
sure where the source for "rshd" is there, but it's probably around
there somewhere.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
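
The two server-side checks discussed in this message (a client port below 1024, and a reverse name lookup that is confirmed by a forward lookup), as an added C example that is not part of the original post and is not the Berkeley rshd source. The function names are hypothetical and the peer address in `main` is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* The message's "apparently legitimate" test: client port below 1024. */
int port_is_reserved(const struct sockaddr_in *peer) {
    unsigned port = ntohs(peer->sin_port);
    return port > 0 && port < 1024;
}

/* 1 if any IPv4 address in a forward-lookup result equals the peer's. */
int addr_in_list(const struct addrinfo *list, const struct sockaddr_in *peer) {
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family != AF_INET || ai->ai_addr == NULL) continue;
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ai->ai_addr;
        if (sin->sin_addr.s_addr == peer->sin_addr.s_addr) return 1;
    }
    return 0;
}

/* Reverse lookup, then forward lookup of that name; accept the name only
   if it resolves back to the connecting address. */
int confirmed_hostname(const struct sockaddr_in *peer, char *name, size_t len) {
    struct addrinfo hints, *res = NULL;
    if (getnameinfo((const struct sockaddr *)peer, sizeof *peer,
                    name, (socklen_t)len, NULL, 0, NI_NAMEREQD) != 0)
        return 0;                       /* no reverse mapping */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;                       /* name has no forward mapping */
    int ok = addr_in_list(res, peer);   /* 0: name does not map back */
    freeaddrinfo(res);
    return ok;
}

int main(void) {
    char name[1025];
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(1023) };
    inet_pton(AF_INET, "127.0.0.1", &peer.sin_addr);   /* constructed sample peer */
    printf("port ok=%d name ok=%d\n", port_is_reserved(&peer),
           confirmed_hostname(&peer, name, sizeof name));
    return 0;
}
```

Passing both checks only establishes which machine is asking and that its request came from a reserved port; who the user is still rests on the client's word, as the message explains.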

