The rlogin, rsh, and rcp programs are often referred to as the ``r'' commands, where ``r'' stands for remote. The rlogin program establishes a remote login session to a remote system, the rsh program connects to a remote system and executes a specified command, and the rcp program copies files between systems. Section 10.2.7 describes how to minimize impersonation attacks and how to provide as much security as possible when using the trusted hosts facility associated with the ``r'' commands.
The concept of ``trusted'' hosts makes use of these commands convenient. Each remote machine may have a file named /etc/hosts.equiv containing a list of trusted hostnames. Users with the same username on both the local and remote system may log in remotely from the systems listed in the remote system's /etc/hosts.equiv file without supplying a password.
Trusted hosts pose a security threat because the host authentication mechanism can be defeated. In addition, the users on that host cannot always be trusted. If a cracker manages to break into an account on a host, and that host is trusted by other systems, the user's accounts on all the other systems are compromised.
Individual users may set up a similar private equivalence list with the file .rhosts in their home directories. Each line in this file contains a hostname and a username separated by a space. An entry in a user's remote .rhosts file permits the user who is logged into the system specified by hostname to log in to the remote system without supplying a password. Use of .rhosts files is a security threat because an administrator is unable to exclusively control access to the system via the ``r'' commands. Users are more likely to tailor their .rhosts files for convenience than for security.
Trusted hosts involve a security risk for accounts which have an asterisk in the encrypted password field of the password file. Since the trusted hosts facility bypasses password checking, accounts that have login disabled could be accessed using ``r'' commands if either the hosts.equiv file or the .rhosts file grants permission.
When using rlogin, if the name of the local host is not found in the /etc/hosts.equiv file on the remote system, and the local username and hostname are not found in the remote user's .rhosts file, then the remote system will prompt for a password. Prompting for a password is a threat because the password is sent unencrypted in a single packet over the network.
Trusted users on trusted hosts are allowed to execute rsh and rcp commands without requiring a password to be entered. The rsh program will not prompt for a password if access is denied on the remote system unless the command argument is omitted. If a command argument is not specified for rsh, rsh logs the user onto the remote system using rlogin. For users on hosts that are not trusted (i.e., neither listed in the /etc/hosts.equiv file nor the .rhosts file), rcp does not prompt for passwords.
Although the trusted hosts concept provides convenience for authorized users, systems not properly administered are vulnerable to unauthorized access. Systems whose /etc/hosts.equiv or /etc/hosts.lpd files contain a ``+'' are extremely vulnerable because the ``+'' entry means that the system trusts all other systems. Similarly, if any /.rhosts file contains a ``+ +'' entry, the system is vulnerable to access by non-trusted users on non-trusted systems. On Sun systems, the single entry ``+'' is contained in the default hosts.equiv file in the distribution, thus trusting all hosts. This is clearly a security problem.
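An administrator can check for these conditions mechanically. The following audit sketch is an added example, not part of the original text: it flags ``+'' and ``+ +'' entries in trusted-host files and lists accounts with an asterisk in the password field that still have a .rhosts file. The function names, the sample file contents, the treatment of ``#'' lines as comments, and the check for a ``+'' in the username field alone are assumptions of the example.

```python
"""Audit trusted-host files for wildcard entries (added example)."""

def audit_trust_file(text, path):
    """Return (path, line_no, entry, reason) for each wildcard entry.

    Format as described above: hosts.equiv lines hold a hostname;
    .rhosts lines hold a hostname and a username separated by a space.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' marks a comment
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            reason = "any user on any host is trusted"
        elif host == "+":
            reason = "all hosts are trusted"
        elif user == "+":  # case not described in the text above
            reason = "any user on %s is trusted" % host
        else:
            continue
        findings.append((path, line_no, " ".join(fields), reason))
    return findings


def disabled_accounts_with_rhosts(passwd_text, users_with_rhosts):
    """Accounts with '*' in the password field that still have a .rhosts file."""
    exposed = []
    for entry in passwd_text.splitlines():
        parts = entry.split(":")
        if len(parts) >= 2 and parts[1] == "*" and parts[0] in users_with_rhosts:
            exposed.append(parts[0])
    return exposed


# Constructed sample inputs (not taken from any real system).
SAMPLE_HOSTS_EQUIV = "alpha.example.org\n+\n"
SAMPLE_RHOSTS = "beta.example.org alice\n+ +\n"
SAMPLE_PASSWD = ("alice:Xy12abCdEfGhI:101:10::/home/alice:/bin/sh\n"
                 "uucp:*:5:5::/usr/spool/uucp:/bin/sh\n")

if __name__ == "__main__":
    for f in (audit_trust_file(SAMPLE_HOSTS_EQUIV, "/etc/hosts.equiv")
              + audit_trust_file(SAMPLE_RHOSTS, "/.rhosts")):
        print("%s:%d: '%s' -> %s" % f)
    print(disabled_accounts_with_rhosts(SAMPLE_PASSWD, {"uucp"}))
```

On a live system the same functions would be fed the contents of /etc/hosts.equiv, /etc/hosts.lpd and each home directory's .rhosts file, with the set of users built from the home directories in which a .rhosts file exists.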