IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection Manual - The Information Warfare Site

SHOW MORE
SHOW LESS

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

Safeguard Catalogue - Communications

S 5.20 Use of the security mechanisms of rlogin, rsh and rcp

Initiation responsibility: IT Security Management, Administrators

Implementation responsibility: Administrators

With the rlogin program and its associated daemon rlogind it is possible to log in on another computer over a network connection; in that case, however, only the password is requested, since the user name is passed on directly. With the commands rsh or rcp and the rshd daemon it is possible to execute a command on another computer. Both commands rely on trusted hosts, which are defined either per user in the $HOME/.rhosts file in the home directory or system-wide in the /etc/hosts.equiv file. Any computer entered in one of these files is considered trusted, so that neither logging on (with rlogin) nor command execution (with rsh) requires entry of a password.

Since it is very easy, especially from a PC, to impersonate any computer name, steps must be taken to ensure that there are no $HOME/.rhosts and /etc/hosts.equiv files or that, if there are, they are empty and cannot be accessed by ordinary users. To achieve this, users' home directories should be checked regularly, or it should not be possible to start the daemons rlogind and rshd at all (for further information, see the /etc/inetd.conf file and safeguard S 5.16 Survey of network services). If use of the /etc/hosts.equiv file cannot be avoided, steps must be taken to ensure that no "+" entry exists, as that would result in every computer becoming a trusted one.
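The checks the paragraph above calls for (no trust files, or empty ones that ordinary users cannot read; no "+" entry; rlogind/rshd not started from inetd) can be scripted. The following audit script is an added example and is not part of the BSI manual; it assumes POSIX sh with awk and ls, takes every path as a parameter, and runs against a constructed sample tree so it can be tried without touching a real system (on a live host the inputs would be /etc/hosts.equiv, /home/*/.rhosts and /etc/inetd.conf).

```shell
#!/bin/sh
# Added example (not from the BSI manual): audit checks for the trust files
# and daemons named in S 5.20. All paths are parameters; the sample tree at
# the bottom is constructed here purely to exercise the checks.

# Classify a trust file (hosts.equiv or .rhosts). Prints one word:
#   absent   - file does not exist (the desired state)
#   empty    - exists but contains only blank or comment lines
#   wildcard - contains a "+" entry, i.e. every host is trusted
#   hosts    - names specific trusted hosts
classify_trust_file() {
    f=$1
    [ -e "$f" ] || { echo absent; return 0; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank and comment lines
        $1 == "+"            { wild = 1; next }  # "+" alone trusts every host
        { named = 1 }
        END {
            if (wild) print "wildcard"
            else if (named) print "hosts"
            else print "empty"
        }' "$f"
}

# Print 1 if FILE is readable by ordinary users ("other" read bit set),
# else 0. Position 8 of the ls -l mode string is the other-read bit.
world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ???????r??) echo 1 ;;
        *)          echo 0 ;;
    esac
}

# List the .rhosts files directly under each home directory in ROOT.
list_rhosts() {
    for d in "$1"/*/; do
        [ -f "$d.rhosts" ] && printf '%s\n' "$d.rhosts"
    done
    return 0
}

# Print the r-service entries (login = rlogind, shell = rshd, exec = rexecd)
# that are still active, i.e. not commented out, in an inetd.conf file.
active_r_services() {
    [ -e "$1" ] || return 0
    awk '$1 ~ /^(login|shell|exec)$/ { print $1 }' "$1"
}

# Run every check against a tree rooted at ROOT and report the findings.
audit_r_services() {
    root=$1
    echo "hosts.equiv: $(classify_trust_file "$root/etc/hosts.equiv")"
    for f in $(list_rhosts "$root/home"); do
        echo "$f: $(classify_trust_file "$f"), world-readable=$(world_readable "$f")"
    done
    for s in $(active_r_services "$root/etc/inetd.conf"); do
        echo "inetd.conf: r-service '$s' still enabled"
    done
}

# Build a constructed sample tree under DIR that shows each kind of finding:
# a "+" wildcard in hosts.equiv, a world-readable per-user .rhosts, and an
# active login (rlogind) entry in inetd.conf with shell (rshd) commented out.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob"
    printf '+\n' > "$root/etc/hosts.equiv"
    printf 'trusted.example.org alice\n' > "$root/home/alice/.rhosts"
    chmod 644 "$root/home/alice/.rhosts"
    cat > "$root/etc/inetd.conf" <<'EOF'
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
login  stream tcp nowait root /usr/sbin/tcpd in.rlogind
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
EOF
}

# Stand-alone run against the constructed sample tree.
sample=$(mktemp -d)
make_sample_tree "$sample"
audit_r_services "$sample"
rm -rf "$sample"
```

On the sample tree the audit reports the wildcard in hosts.equiv, alice's .rhosts as world-readable, and the still-enabled login service; a clean system prints "hosts.equiv: absent" and nothing else. The "+@netgroup" form is deliberately not treated as a wildcard, since it trusts only the members of that netgroup.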

Secure Shell (ssh) can be used as a substitute for the r services. It makes use of extensive functions designed to ensure secure authentication and to maintain confidentiality and integrity (see also S 5.64 Use of Secure Shell). If ssh is used, then the r services should if possible be disabled, to ensure that the security safeguards cannot be circumvented. However, this presupposes that all communication partners have suitable implementations of ssh.

IT Baseline Protection Manual: October 2000

Remarks:
Do not use .rhosts and hosts.equiv
Use Secure Shell as a substitute
