19. The “r” commands
The “r” commands, known to be a regular source of system insecurities, include rlogin, rsh, rexec, rcp, rwho and ruptime.
rlogin (for remote login) is a client program that provides remote terminal service similar to telnet, but does not require that the user type his or her username. If a user is logging in from a remote “trusted host”, the receiving system lets the user log on without a password.
rsh (for remote shell) is a client program that allows users to run a single command on the remote system. rsh can only work from trusted hosts or trusted users. (See hosts.equiv)
rexec (remote execution daemon) allows users to execute commands on other computers without having to log into them.
It is recommended that you restrict the use of “r” commands that aren’t specifically needed by:
If you must run the “r” commands, you can use more secure versions of these commands, like logdaemon 5.6, available from the following site:
Check if you have a /etc/hosts.equiv file.
If you don’t need to run “r” commands or don’t need to explicitly trust other systems, you have no use for a hosts.equiv file and it should be removed. If you are running “r” commands, a /etc/hosts.equiv file allows other hosts to be trusted by your system. Programs such as rlogin can be used to log on to the same account name on your machine from a trusted machine without supplying a password.
If you do have a /etc/hosts.equiv file, you can protect yourself by:
limiting the number of trusted hosts, and/or only listing those hosts that are within your domain or under your control.
using fully qualified hostnames (for example, ws1.la.asu.edu, box2.eas.asu.edu).
checking that you do NOT have a ‘+’ entry listed by itself anywhere in the file.
checking that the first character of the file is not ‘-’.
checking that the permissions for the file are set to 600. (If not, chmod 600).
checking that the owner of the file is ROOT.
checking this file after installing any patches or operating system updates.
Check to see that no user has a .rhosts file in their home directories. Having .rhosts files in home directories can cause a greater security risk than having an /etc/hosts.equiv file, as each user can create one.
Create a cron script that regularly checks for, reports the contents of and deletes $HOME/.rhosts files.
Decide if there is a legitimate use of .rhosts file in a user’s home directory. If so, make sure the file is owned by the user.
Make sure there are no ‘#’ or ‘!’ characters in this file. There is no comment character for this file.
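An added example, not part of the original checklist: a report-only shell function that applies the file checks listed above for /etc/hosts.equiv (mode 600, owner, leading ‘-’, lone ‘+’) and the ‘#’ / ‘!’ check for .rhosts to a single trust file. The function name audit_trust_file, its output labels and the sample file are made up for this example; applying the mode check to .rhosts as well is an assumption.

```shell
#!/bin/sh
# Added example: report-only audit of one trust file (/etc/hosts.equiv or a
# user's .rhosts). audit_trust_file and its labels are made up for this example.
# usage: audit_trust_file FILE [EXPECTED_OWNER]   (owner defaults to root)
# Prints one finding per line; returns 0 if clean, 1 if anything was reported.
audit_trust_file() {
    f=$1
    want_owner=${2:-root}
    findings=0
    [ -f "$f" ] || return 0    # no trust file present: nothing to report

    # Keep only the 10 mode characters so a trailing ACL/SELinux marker
    # ('+' or '.') in ls output does not affect the comparison.
    meta=$(ls -ld -- "$f" | awk 'NR == 1 { print substr($1, 1, 10) ":" $3 }')
    if [ "${meta%%:*}" != "-rw-------" ]; then
        echo "$f: MODE is ${meta%%:*}, expected -rw------- (600)"; findings=1
    fi
    if [ "${meta#*:}" != "$want_owner" ]; then
        echo "$f: OWNER is ${meta#*:}, expected $want_owner"; findings=1
    fi
    # The first character of the file must not be '-'.
    case $(sed -n 1p "$f") in
        -*) echo "$f: DASH: file starts with '-'"; findings=1 ;;
    esac
    # A '+' on a line by itself must not appear anywhere in the file.
    if grep -q -E '^[[:space:]]*\+[[:space:]]*$' "$f"; then
        echo "$f: PLUS: '+' listed by itself"; findings=1
    fi
    # The file has no comment character, so '#' and '!' never belong in it.
    if grep -q '[#!]' "$f"; then
        echo "$f: CHARS: contains '#' or '!'"; findings=1
    fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed file (not real data); owner is checked against the current user.
demo=$(mktemp)
printf '%s\n' 'ws1.la.asu.edu' '+' '# lab machines' > "$demo"
chmod 644 "$demo"
audit_trust_file "$demo" "$(id -un)" || echo "findings reported for demo file"
rm -f "$demo"
```

For a user's .rhosts, pass the account name as the second argument so the ownership check matches that user rather than root.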
The Secure Shell (SSH) can also be set up as a complete replacement for the ‘r’ commands. The advantage here is that you get the convenience of using the ‘r’ commands, but none of the security risks.