# What is the defined way of performing RSH authentication?
Whatever the Berkeley source code for "rsh" and "in.rshd" does.
# If I have a PC which does an rsh or rexec to a UN*X host (currently not
# running DNS, but shortly will), how should the UN*X host authenticate
# the remote rsh/rexec?
The REAL first question is how will the PC authenticate the user? rsh
operates on a "trusted machine" principle: if an apparently legitimate
rsh request comes from a trusted machine, then the rsh server accepts
the trusted machine's word for who the user is.
An "apparently legitimate" request from a trusted host is one that
comes from a client TCP port number below 1024 on that trusted host.
On Berkeley UNIX systems, only processes running as "root" can bind to
ports below 1024; therefore, the request must be coming from "root" or
some program (such as rsh, which is setuid-root) running with root's
On a PC, you don't have any of this; there's only one user, and that
user can use any port they damn well please. Even on a workstation,
if someone has physical access to the machine (so they can plug in an
alternate disk to boot it from) or its console (so they can drop it
into single-user mode or play with the bootstrap routine or whatever),
you can't really trust root on that machine.
These are some of the reasons that "rsh" is really not too useful as a
security mechanism. If you want security, use TELNET; it doesn't
presume any trustworthiness on the part of the client. If you want
more security, or can't live without "rsh", use Kerberos; that's a lot
of work, though.
# Should the UN*X host also do a reverse name lookup - to ensure the NAME
# translates back to the IP address that the request has come from.
# Is this in an RFC?
Not as far as I know; like I said, the "reference" is the Berkeley
"rsh" and "in.rshd" source code, available for anonymous FTP from
FTP.UU.NET, directory systems/unix/bsd-sources/usr.bin/rsh; I'm not
sure where the source for "rshd" is there, but it's probably around
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041
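The trusted-host rule the reply describes (privileged client port, trusted host name, accept the host's word for the user) and the reverse-lookup question from the second quoted passage, modelled as an added Python example. This is not code from the post or from the Berkeley rsh/rshd sources; the hosts.equiv contents, the DNS tables and the connection records are constructed sample data so it runs offline, and the per-user handling of hosts.equiv lines is a simplified assumption rather than the full BSD semantics.

```python
"""Model of an rshd-style trusted-host decision, as described in the reply.

Added example, not the original post's or the Berkeley daemon's code.
The resolver tables, hosts.equiv text and request records below are
constructed sample data; a real daemon would call the system resolver.
"""
from dataclasses import dataclass

# Constructed stand-in for the resolver: reverse (PTR) and forward (A) tables.
# 10.0.0.9 claims the trusted name in reverse, but the name does not map back
# to it, which is exactly what a forward-confirmed reverse lookup catches.
REVERSE = {
    "10.0.0.5": "trusted.example.com",
    "10.0.0.6": "other.example.com",
    "10.0.0.9": "trusted.example.com",
}
FORWARD = {
    "trusted.example.com": "10.0.0.5",
    "other.example.com": "10.0.0.6",
}

# Constructed /etc/hosts.equiv-style text: "hostname" trusts every user on that
# host, "hostname user" trusts only that user (simplified assumption).
HOSTS_EQUIV = """\
# sample trust list
trusted.example.com
other.example.com alice
"""


@dataclass
class Request:
    src_ip: str
    src_port: int
    claimed_user: str  # remote user name carried in the rsh request


def parse_hosts_equiv(text):
    """Return {hostname: None} for any-user entries or {hostname: set(users)}."""
    trusted = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        if len(fields) == 1:
            trusted[host] = None          # whole host trusted, any user
        elif trusted.get(host, set()) is not None:
            trusted.setdefault(host, set()).add(fields[1])
    return trusted


def forward_confirmed_name(ip, reverse=REVERSE, forward=FORWARD):
    """Reverse-resolve ip, then require the name to resolve back to ip."""
    name = reverse.get(ip)
    if name is None or forward.get(name) != ip:
        return None
    return name


def rsh_decision(req, hosts_equiv=HOSTS_EQUIV, reverse=REVERSE, forward=FORWARD):
    """Return (accepted, reason) following the trusted-host rule in the post.

    The port check only means what the post says it means when the client
    OS restricts ports below 1024 to root; a single-user PC can bind any port.
    """
    if req.src_port >= 1024:
        return False, "client port not privileged"
    name = forward_confirmed_name(req.src_ip, reverse, forward)
    if name is None:
        return False, "reverse lookup not confirmed by forward lookup"
    trusted = parse_hosts_equiv(hosts_equiv)
    if name not in trusted:
        return False, "host not in hosts.equiv"
    users = trusted[name]
    if users is not None and req.claimed_user not in users:
        return False, "user not listed for host"
    return True, "trusted host vouches for user"


if __name__ == "__main__":
    for r in (Request("10.0.0.5", 1022, "alice"),
              Request("10.0.0.5", 40000, "alice"),
              Request("10.0.0.9", 1022, "alice"),
              Request("10.0.0.6", 1020, "bob")):
        print(r, "->", rsh_decision(r))
```

The third request shows why the reverse lookup alone is not enough: the PTR answer names a trusted host, but the forward lookup of that name points elsewhere, so the request is refused.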