rlogin URLs

Eric R. Holst eholst at rain.org
Tue Nov 21 23:53:02 EST 1995


On Mon, 20 Nov 1995, David Condon wrote:
> > 
> > What experience do people have with browsers supporting rlogin URLs?  I'm  
> > trying to link from our home page to a large number of terminal-based  
> > applications, and our resident security expert is uneasy that  
> > "telnet://user@host.domain.edu" presents a user with a login prompt.  If  
> > we could rely on browsers supporting it, he would rather see  
> > "rlogin://user@host.domain.edu" and remove one more opportunity for people  
> > to mess around.
> 
> rlogin is generally considered _much more_ insecure than telnet, not less, 
> because of the .rhosts mechanism available to any user (on a "wide-open" 
> system) to specify other hosts which may login using that user's identity, 
> combined with the fact that hostnames can be spoofed, and the possibility of
> users creating or messing with an .rhosts file in another user's home
> directory. As for getting a login prompt, you get that anyway if you rlogin
> and then enter an incorrect password.

rlogin can be MUCH more useful than telnet, and doesn't/shouldn't have to be
any more insecure.  As the original poster stated, rlogin is very useful when
setting up links to library OPACs, or other public access type accounts, where
you want to provide seamless access.

Yes, hostnames can be spoofed, but a good internet firewall, with properly
configured DNS reverse resolving _should_ prevent most spoofing attempts.
I'm not advocating the use of .rhosts (or hosts.equiv) for root or anything.

.rhosts files should not have permissions such that users can edit each other's.
In fact, .rhosts files should be owned by root w/ -r------- permissions.  If
a system needs to have .rhosts files for rlogin access, empty .rhosts files
could be installed in each user's home directory.

rlogin can be a great way to provide seamless access between systems, and 
doesn't need to be the big security hole that it is often made out to be.
[rest deleted]

Eric
    /----------Eric R. Holst-----------------Microcomputer Specialist-----\
   |                Ventura County Library Services Agency                 |
   | eholst at rain.org  <insert standard disclaimer here>  C$erve 76527,162  |
    \---------------just slaving away in sunny Ventura, CA----------------/

> > Thomas Dowling
> > OhioLINK
> > 
> -- 
> David Condon, Librarian                   |        david at uci1.cwru.edu
> Cleveland Museum of Natural History       |
> 1 Wade Oval Drive, University Circle      |        +1 (216) 231-4600 ext.222 
> Cleveland, Ohio 44106-1767                |        Fax: +1 (216) 231-5919
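
An added example, not part of the original message: a Python audit of the .rhosts policy described in the reply above (owned by root, mode -r--------, empty where possible). The names `audit_rhosts` and `demo`, the `expected_uid` parameter, and the constructed home directories are assumptions for illustration.

```python
import os
import stat
import tempfile

def audit_rhosts(home_root, expected_uid=0, expected_mode=0o400):
    """Return {home_name: [findings]} for each home whose .rhosts breaks the policy."""
    report = {}
    with os.scandir(home_root) as it:
        homes = sorted(it, key=lambda e: e.name)
    for home in homes:
        if not home.is_dir(follow_symlinks=False):
            continue
        path = os.path.join(home.path, ".rhosts")
        try:
            st = os.lstat(path)  # lstat: a symlinked .rhosts is itself a finding
        except FileNotFoundError:
            continue             # no .rhosts in this home, nothing to check
        findings = []
        regular = stat.S_ISREG(st.st_mode)
        if not regular:
            findings.append("not a regular file")
        if st.st_uid != expected_uid:
            findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode != expected_mode:
            findings.append(f"mode {mode:04o}, expected {expected_mode:04o}")
        if regular and st.st_size > 0:
            findings.append("file is not empty; review listed hosts")
        if findings:
            report[home.name] = findings
    return report

def demo():
    """Audit a constructed tree; the current uid stands in for root (assumption)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"alice": (b"", 0o400),                      # compliant, empty
                  "bob": (b"trusted.example.org bob\n", 0o644),  # constructed entry
                  "carol": None}                              # no .rhosts at all
        for name, spec in layout.items():
            os.mkdir(os.path.join(root, name))
            if spec is not None:
                path = os.path.join(root, name, ".rhosts")
                with open(path, "wb") as fh:
                    fh.write(spec[0])
                os.chmod(path, spec[1])
        return audit_rhosts(root, expected_uid=os.getuid())

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

On a real system, call `audit_rhosts("/home")` with the default `expected_uid=0`; the home directory root is site-specific.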

