~/.rhosts: put my username in there too?

Per Hedeland per at erix.ericsson.se
Wed Oct 31 06:49:48 AEST 1990


In article <27236 at mimsy.umd.edu> chris at mimsy.umd.edu (Chris Torek) writes:
> B. foosun reads ~susan/.rhosts.
...
>    If no user name appears, foosun assumes this means susan on foovax.

I.e., there is no security advantage to adding 'susan' to the foovax line
in ~susan/.rhosts, which I believe is what the original poster thought too.

There is however one case where the presence of a username can make a
difference, namely if two or more users (=usernames) share a home directory
- e.g. there is another login 'jane' with the same home directory as susan,
and consequently ~jane/.rhosts is really the same file as ~susan/.rhosts. In
this case, if someone tries to log in from foovax as jane, the foovax line
without a username will be interpreted as jane on foovax, whereas if the
line had included the username 'susan', it would (of course) still have been
interpreted as susan on foovax. I don't think this has any bearing on
security, though.

>  This time foosun reads ~bob/.rhosts (along with
>/etc/hosts.equiv, rather pointlessly since susan is asking bob and
>therefore nothing in hosts.equiv counts anyway---it is possible, but
>stupid, to put user names in hosts.equiv since the same code is used,
>but never mind that).

Yes, it is utterly stupid indeed, since if the username susan is listed on
the foovax line in /etc/hosts.equiv, it is taken to mean that susan on
foovax is equivalent to *any and all* users on foosun (except those that
have userid 0), i.e. susan on foovax can do rlogin foosun -l <user> without
password, for *any* <user> that isn't superuser - this may have some bearing
on security... - especially since some security advice calls for the
abolishment of .rhosts files, and thus an administrator might perhaps be
tempted to solve the "different username" problem using /etc/hosts.equiv...

--Per Hedeland
per at erix.ericsson.se  or
per%erix.ericsson.se at uunet.uu.net  or
...uunet!erix.ericsson.se!per
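
The matching rules discussed in this thread, as an added Python example that is not part of the original post and not the rcmd library code. It is a simplified model assuming plain "host [user]" lines only ('+', '-' and netgroup entries are not modelled); the function names, the userids and the sample file contents are constructed for illustration.

```python
# Simplified model of the host/user matching described in the post.
# Assumption: only plain "host [user]" lines; no '+', '-' or netgroups.

def entry_admits(line, rhost, ruser, luser):
    """One 'host [user]' line: does it admit ruser@rhost asking to be luser?"""
    fields = line.split()
    if not fields:
        return False
    host = fields[0]
    # No user name on the line means "the same name as the local account".
    user = fields[1] if len(fields) > 1 else luser
    return host.lower() == rhost.lower() and user == ruser


def login_allowed(rhost, ruser, luser, luid, hosts_equiv, rhosts):
    """hosts_equiv: text of /etc/hosts.equiv; rhosts: text of ~luser/.rhosts."""
    # hosts.equiv is skipped for userid 0; the same matcher serves both files,
    # so a user name there is never tied to one particular local account.
    if luid != 0 and any(entry_admits(l, rhost, ruser, luser)
                         for l in hosts_equiv.splitlines()):
        return True
    return any(entry_admits(l, rhost, ruser, luser) for l in rhosts.splitlines())


def risky_equiv_entries(hosts_equiv):
    """Audit helper: hosts.equiv lines that carry a user name."""
    return [tuple(l.split()[:2]) for l in hosts_equiv.splitlines()
            if len(l.split()) > 1]


# Constructed sample data using the names from the thread.
EQUIV_WITH_USER = "foovax susan\n"
SHARED_RHOSTS_BARE = "foovax\n"          # ~susan/.rhosts is also ~jane/.rhosts
SHARED_RHOSTS_NAMED = "foovax susan\n"

if __name__ == "__main__":
    for luser, luid in (("bob", 1001), ("jane", 1002), ("root", 0)):
        ok = login_allowed("foovax", "susan", luser, luid, EQUIV_WITH_USER, "")
        print(f"susan@foovax -> {luser}@foosun: {'allowed' if ok else 'denied'}")
    print("hosts.equiv entries to review:", risky_equiv_entries(EQUIV_WITH_USER))
```

Running `risky_equiv_entries` over the real /etc/hosts.equiv text gives an administrator the list of lines that grant one remote user every non-superuser account.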


