Remote Login on the Internet

CAN-1999-0651

Impact

If configured to trust all remote hosts, the remote login service could allow any remote user to gain shell access to a target system without ever being prompted for a password.

Background

The rlogin service allows a remote user with an rlogin client to log on to an rlogin server, in some configurations without supplying a password. Like telnet, rlogin gives the user shell access to a remote computer; unlike telnet, it does not prompt the user for a username (although, in most cases, the user is still prompted for a password). The server consults /etc/hosts.equiv and each user's .rhosts file for its list of trusted hosts, the machines allowed to use the service without a password. If these files are not configured properly, a hacker can gain access to the target machine through rlogin without ever being prompted for a password.

The Problem

This service, if misconfigured, allows unauthorized, untrusted users to gain shell access to a target machine without being prompted for a password: a hacker exploiting this vulnerability logs in as a trusted user and can then delete system files, change configuration files and generally wreak havoc on the target machine. A second problem is that even when a password is prompted for, it is transmitted in the clear (unencrypted) between client and server, so a hacker running a password sniffer can capture it and then access the target system as that trusted user.

Resolution

One fix for this vulnerability is to disable the login (rlogind) entry in /etc/inetd.conf. If that is not practical, make sure that /etc/hosts.equiv and users' .rhosts files list only trusted hosts and contain no "+" entries (a "+" is a wildcard that trusts any host, or any user on a host). The risk of password sniffing can be reduced by using an encrypted version of the service, such as Kerberos rlogin, and TCP wrappers can further restrict which hosts are allowed to connect.
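The following audit script is an added example, not part of the original advisory: it implements the checks above by flagging "+" wildcard entries in hosts.equiv and .rhosts files and any still-active login entry in inetd.conf. It assumes the BSD-style file formats (one "host [user]" entry per line, "#" starting a comment) and the service name "login" for rlogind; the sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the original advisory. Assumes the BSD-style
# formats: hosts.equiv/.rhosts hold one "host [user]" entry per line with "+"
# as a wildcard and "#" starting a comment; inetd.conf names rlogind "login".

# Return 1 (printing the offending entries) if FILE grants trust to any host or
# any user via a "+" wildcard; return 0 if the file is absent or clean.
check_trust_file() {
    file=$1
    [ -f "$file" ] || return 0
    bad=0
    while read -r host user rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac   # blank line or comment
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf 'WILDCARD TRUST in %s: %s %s\n' "$file" "$host" "$user"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Return 1 if FILE still has an uncommented "login" (rlogind) entry, else 0.
check_inetd_conf() {
    file=$1
    [ -f "$file" ] || return 0
    if grep -E '^[[:space:]]*login[[:space:]]' "$file"; then
        printf 'rlogind is still enabled in %s\n' "$file"
        return 1
    fi
    return 0
}

# Audit the live system: inetd.conf, /etc/hosts.equiv and every home's .rhosts.
audit_rlogin_trust() {
    rc=0
    check_inetd_conf /etc/inetd.conf || rc=1
    check_trust_file /etc/hosts.equiv || rc=1
    for home in $(cut -d: -f6 /etc/passwd); do
        check_trust_file "$home/.rhosts" || rc=1
    done
    return $rc
}

# Constructed sample files for demonstration (not taken from any real system).
demo=$(mktemp -d)
printf 'trusted.example.net alice\n+ +\n' > "$demo/hosts.equiv.bad"
printf '# every entry names a specific host\ntrusted.example.net alice\n' > "$demo/hosts.equiv.ok"
printf 'login stream tcp nowait root /usr/sbin/tcpd in.rlogind\n' > "$demo/inetd.conf.bad"
printf '#login stream tcp nowait root /usr/sbin/tcpd in.rlogind\n' > "$demo/inetd.conf.ok"
```

Run audit_rlogin_trust as root on the live host; a non-zero exit means at least one file needs attention. After commenting out the login entry, signal inetd to reread its configuration so the change takes effect.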

Where can I read more about this?

See your system's man pages for rlogind (or in.rlogind) for more information.