Subject: Re: kerberos & rshd/rlogind vs. our inetd.conf
To: Ed Ravin <eravin@panix.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 09/23/2005 11:20:14
On Fri, Sep 23, 2005 at 10:42:00AM -0400, Ed Ravin wrote:
> On Fri, Sep 23, 2005 at 04:40:27AM +0200, Hubert Feyrer wrote:
> > 
> > it seems that rshd and rlogind support neither kerberos nor the '-k' 
> > option these days, but still we have these lines in inetd.conf:
> > 
> > #       Kerberos authenticated services
> > #
> > #klogin         stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind -k
> > #eklogin        stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind -k -x
> > #kshell         stream  tcp     nowait  root    /usr/libexec/rshd       rshd -k
> > 
> > What to do - remove from inetd.conf? Or are there working alternatives?
> 
> Note that these services, even when they work, are only Kerberos-AUTHENTICATED.
> The password is encrypted, but the data stream is still sent in the clear.

That's not correct.  All of the servers in question can operate in
either an authenticated-only or an authenticated-and-encrypted mode (note
the "rlogind -k -x" in one of the lines quoted above).

However, it's seriously questionable whether we want to turn them on,
at least all of them.  They encrypt but don't authenticate the connection
data (the wire protocols were designed before the importance of this was
entirely understood, and kerberos "pcbc" mode doesn't do what is wanted
here), and, worse, in the case of rsh, the command to be executed, itself,
is not authenticated, providing an obvious vector for attack.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
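As an added example (not code from the thread or from the NetBSD tree), a small POSIX sh audit that lists the rlogind/rshd entries actually enabled in an inetd.conf and the Kerberos mode each runs in; the inetd.conf it reads is a constructed sample, and it assumes the standard seven-field inetd.conf layout (service, type, proto, wait, user, server path, argv).

```shell
#!/bin/sh
# Added audit helper (not from the thread or the NetBSD tree): list the
# rlogind/rshd entries that are actually enabled in an inetd.conf and say
# which Kerberos mode each runs in. It is a triage aid only: as the reply
# above notes, even the -k -x mode does not authenticate the data stream.
set -f   # no glob expansion while splitting config lines into fields

# classify_rservice LINE
# Prints "<service> <mode>" if LINE is an enabled rlogind/rshd entry,
# otherwise prints nothing and returns 1. inetd.conf fields are:
#   service type proto wait user server-path argv0 [args...]
classify_rservice() {
    case "$1" in
        \#*|'') return 1 ;;             # commented out or blank: disabled
    esac
    set -- $1                           # split the line on whitespace
    [ $# -ge 7 ] || return 1            # malformed line: ignore it
    service=$1
    case "$6" in
        */rlogind|*/rshd) ;;
        *) return 1 ;;
    esac
    shift 7                             # leave only the server's own options
    mode=plaintext
    for arg in "$@"; do
        case "$arg" in
            -k) if [ "$mode" = plaintext ]; then mode=krb-auth; fi ;;
            -x) mode=krb-auth+enc ;;    # encrypted mode, as in "rlogind -k -x"
        esac
    done
    printf '%s %s\n' "$service" "$mode"
}

# audit_inetd FILE: one output line per enabled r-service entry.
audit_inetd() {
    while IFS= read -r line || [ -n "$line" ]; do
        classify_rservice "$line" || :
    done < "$1"
}

# Constructed sample inetd.conf for demonstration; not a real system file.
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -ll
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd -L
#klogin  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind -k
eklogin stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind -k -x
kshell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd -k
EOF
audit_inetd "$SAMPLE"
```

On the sample this reports `shell plaintext`, `eklogin krb-auth+enc` and `kshell krb-auth`; the commented-out klogin line is skipped, and every reported entry is one whose connection data is not integrity-protected.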