/etc/hosts.equiv versus $HOME/.rhosts

Milton D Miller milton at ecn.purdue.edu
Thu Sep 6 07:34:42 AEST 1990


In article <430 at cfa.HARVARD.EDU> wyatt at cfa.HARVARD.EDU (Bill Wyatt,OIR) writes:
>>>[...]  Could some kind soul tell me why using $HOME/.rhosts 
>>>is unsafe and why /etc/hosts.equiv is safe?  
>
>> [...]  I wouldn't use hosts.equiv for any reason and rhost should
>> only be readable by you.  To increase security you may want to have
>> the rhost in place only when you are doing work.
>
>Yes! We use crontab and find(1) once a day on our systems to remove
>ALL .rhosts files. The users may reconstitute their .rhosts files each
>day, of course, but are encouraged to put a `rm ~/.rhosts' into a
>.logout file as well. 
>
>Since I use X on several machines at once, I have a script run at
>login time to rlogin to those few machines I always use. My .login on
>those remote machines copies a file into .rhosts. I also have a `log'
>command aliased to set an environment variable before logging out so I
>can log out but not have the .logout script kill the .rhosts file. 
>
So you type your password several times (i.e. one per machine) to 
gain access to all of the other machines??
If you are worried about wire security, then here you are sending your
unencrypted password across the network several times.  If you are only
worried about others faking host addresses, well, maybe.  But is it
really worth the added inconvenience?  I would not be surprised to find
scripts that "Do this automagically" from one or more people.

>Bill Wyatt, Smithsonian Astrophysical Observatory  (Cambridge, MA, USA)
>    UUCP :  {husc6,cmcl2,mit-eddie}!harvard!cfa!wyatt
> Internet:   wyatt at cfa.harvard.edu
>     SPAN:   cfa::wyatt                 BITNET: wyatt at cfa

milton

Milton D. Miller II
ECN student consultant, Purdue University
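
The daily find(1) sweep described in the quoted message, extended to audit each .rhosts file before removing it; this is an added example, not part of the original thread. It assumes one home directory per user directly under the root passed in, and the sample tree with users alice, bob and carol is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one home directory per user
# directly under the root passed in (e.g. /home); adjust -maxdepth otherwise.

# Print "<path> <flags>" for each .rhosts file found under root.
audit_rhosts() {
    find "$1" -maxdepth 2 -name .rhosts 2>/dev/null | sort |
    while IFS= read -r f; do
        flags=
        if [ -L "$f" ]; then
            # A symlink can point at a file the account owner does not control.
            flags="$flags symlink"
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            # Any group/other permission bit set (mode chars 5-10 of ls -l).
            flags="$flags loose-perms"
        fi
        # A bare "+" in the host or user field trusts every host or user.
        if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$f" 2>/dev/null; then
            flags="$flags wildcard"
        fi
        printf '%s%s\n' "$f" "${flags:- ok}"
    done
}

# The daily sweep from the quoted message: delete every .rhosts under root
# and print how many were removed. Run audit_rhosts first to keep a record.
sweep_rhosts() {
    n=$(find "$1" -maxdepth 2 -name .rhosts \( -type f -o -type l \) \
            -print -exec rm -f {} \; | wc -l)
    echo "$((n))"
}

# Constructed sample tree (hypothetical users alice, bob, carol).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/alice" "$d/bob" "$d/carol"
    printf 'hostA alice\n' > "$d/alice/.rhosts"; chmod 600 "$d/alice/.rhosts"
    printf '+ +\n'         > "$d/bob/.rhosts";   chmod 644 "$d/bob/.rhosts"
    printf 'hostB +\n'     > "$d/carol/.rhosts"; chmod 600 "$d/carol/.rhosts"
    echo "$d"
}
```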



More information about the Comp.unix.wizards mailing list