Subject: Re: Recovering from /usr loss
To: Jay Maynard <jmaynard@texas.net>
From: Luke Mewburn <lukem@cs.rmit.edu.au>
List: current-users
Date: 04/06/1999 15:27:49

Jay Maynard writes:
> On Sun, Apr 04, 1999 at 12:14:03PM -0700, Jonathan Stone wrote:
> > >So how do I get out of this with the things that are provided in
> > >/bin and /sbin?
> > /bin/rcp.
> 
> Not on my network, you don't. One of the things I do after installing a
> system is disable all the r* protocols, as a security hole. (All it takes is
> one + in the wrong place, put there by a well-meaning user, and the whole
> network becomes insecure.)

Are you aware of the `-l' flag to rlogind and rshd? It prevents
.rhosts working for non-root, so you can set up /etc/hosts.equiv
for `trusted' hosts, and not have to worry about your users setting
up a dodgy .rhosts.

ssh supports similar functionality with:
	IgnoreRhosts		yes
	IgnoreRootRhosts	no


Luke.
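
An added example, not part of the original message: a shell audit that flags the wildcard `+' trust entries discussed above in per-user .rhosts files and in a hosts.equiv file, so an administrator can see what would be honoured where .rhosts processing is not disabled. The function names, the sample host names and the treatment of `#' lines as comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag wildcard trust entries in .rhosts / hosts.equiv files.
# Entry format is "host [user]"; a bare "+" in either field matches anything.

# audit_rhosts FILE: print "FILE:LINE: reason: entry" for each risky entry.
audit_rhosts() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }   # assumption: blank and "#" lines are ignored
        $1 == "+" && $2 == "+" { print f ":" NR ": any user from any host: " $0; next }
        $1 == "+" { print f ":" NR ": any host trusted: " $0; next }
        $2 == "+" { print f ":" NR ": any remote user trusted: " $0; next }
        $1 ~ /^\+@/ || $2 ~ /^\+@/ {
            print f ":" NR ": netgroup trust, review membership: " $0
        }
    ' "$1"
}

# audit_tree DIR [EQUIV]: audit every .rhosts below DIR, then an optional
# hosts.equiv-style file given as the second argument.
audit_tree() {
    find "$1" -name .rhosts -type f 2>/dev/null | while IFS= read -r p; do
        audit_rhosts "$p"
    done
    if [ -n "${2:-}" ] && [ -f "$2" ]; then
        audit_rhosts "$2"
    fi
}

# Demo on constructed sample data (not taken from any real system).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/alice" "$demo_dir/bob"
printf '%s\n' '# constructed sample' 'build1.example.org alice' '+ alice' \
    > "$demo_dir/alice/.rhosts"
printf '%s\n' '+ +' > "$demo_dir/bob/.rhosts"
audit_tree "$demo_dir"
rm -rf "$demo_dir"
```

On a real system the call would be along the lines of `audit_tree /home /etc/hosts.equiv`, run as a user able to read the home directories.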