*BSD News Article 80896



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.vbc.net!samba.rahul.net!rahul.net!a2i!news.PBI.net!news.mathworks.com!newsfeed.internetmci.com!netnews.nwnet.net!nwnet.net!not-for-mail
From: aad@nwnet.net (Anthony Talltree)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: Rdist
Date: 16 Oct 1996 17:40:02 -0700
Organization: NorthWestNet, Bellevue, WA, USA, Earth
Lines: 10
Message-ID: <543v92$o7f@olympus.nwnet.net>
References: <325F07C9.6DC0@lynx.bc.ca> <53pocr$8ov@nntp.igs.net>
Reply-To: aad@nwnet.net
NNTP-Posting-Host: olympus.nwnet.net

>If someone sees a glaring security hole in this; let me know)

Plain .rhosts authentication can be broken by spoofing the remote IP address.
Ultrix, for example, requires that hosts in .rhosts files be in /etc/hosts,
and does not interpret # as a comment character in .rhosts.

Use rdist 6.1.2+, and use SSH as the transport instead of rexec().
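
An added example, not part of the original post: a small auditor for .rhosts-style files that flags the conditions the reply mentions (address-based trust, hosts missing from /etc/hosts, and `#` lines that not every platform treats as comments), plus the well-known `+` wildcard. The function names, issue labels and sample data are constructed for illustration.

```python
"""Audit .rhosts-style text for entries that depend on source-address trust."""

def parse_etc_hosts(text):
    """Return every name and alias listed in /etc/hosts-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names

def audit_rhosts(text, known_hosts=frozenset()):
    """Return (line_number, issue, raw_line) tuples for one .rhosts file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The post notes Ultrix does not treat '#' as a comment here, so a
            # "commented-out" entry cannot be assumed inert on every platform.
            findings.append((n, "hash-line", raw))
            continue
        fields = line.split()
        host = fields[0].lower()
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            # '+' matches any host or any user.
            findings.append((n, "wildcard", raw))
        elif host not in known_hosts:
            # Ultrix, per the post, requires the host to be in /etc/hosts.
            findings.append((n, "host-not-in-etc-hosts", raw))
        else:
            # Even a well-formed entry trusts the peer's claimed IP address.
            findings.append((n, "address-trust", raw))
    return findings

# Constructed sample input (not from the post).
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 build1.example.com build1\n"
SAMPLE_RHOSTS = "build1 rdist\n# oldhost root\n+ +\nstage.example.net rdist\n"

if __name__ == "__main__":
    known = parse_etc_hosts(SAMPLE_HOSTS)
    for n, issue, raw in audit_rhosts(SAMPLE_RHOSTS, known):
        print(f"line {n}: {issue}: {raw}")
```

Every non-blank line produces a finding by design: an entry that passes the other checks is still reported as `address-trust`, since it is the mechanism itself that the reply recommends replacing with SSH transport.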