Journal of ajt (2546)

Wednesday June 15, 2005
03:13 PM

rlogin -l root

[ #25217 ]

We have a senior SAP/AIX consultant at work who thinks rlogin -l root is perfectly sound. He also allows any x-client to connect to a running xserver, and happily rcp files around the site. Any attempt to get him to use SSH is greeted with considerable resistance.

Is it just me or does it give you the shivers too?
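An added example, not part of the original journal entry or its comments: a small audit that reads inetd.conf-style and .rhosts/hosts.equiv-style text and reports the cleartext login services named in this thread (rlogin, rsh/rcp, rexec, telnet) plus `+` wildcard trust entries. The sample file contents and host names are constructed for illustration.

```python
# Added example: audit config text for the r-services and telnet discussed here.
# Service names and ports are the standard /etc/services entries.
FLAGGED_SERVICES = {
    "login": "rlogin (tcp/513)",
    "shell": "rsh/rcp (tcp/514)",
    "exec": "rexec (tcp/512)",
    "telnet": "telnet (tcp/23)",
}

def audit_inetd(text):
    """Return (service, description, run-as user) for each enabled flagged service."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out entries are disabled
        fields = line.split()
        # name, socket type, protocol, wait/nowait, user, server program, args...
        if len(fields) >= 6 and fields[0] in FLAGGED_SERVICES:
            findings.append((fields[0], FLAGGED_SERVICES[fields[0]], fields[4]))
    return findings

def audit_rhosts(text):
    """Return trust entries whose host or user field is the '+' wildcard."""
    risky = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "+" in fields[:2]:                 # '+' means any host / any user
            risky.append(" ".join(fields))
    return risky

# Constructed sample files, not taken from any real system.
SAMPLE_INETD = """\
ftp     stream tcp6 nowait root /usr/sbin/ftpd     ftpd
telnet  stream tcp6 nowait root /usr/sbin/telnetd  telnetd -a
shell   stream tcp6 nowait root /usr/sbin/rshd     rshd
login   stream tcp6 nowait root /usr/sbin/rlogind  rlogind
#exec   stream tcp6 nowait root /usr/sbin/rexecd   rexecd
"""
SAMPLE_RHOSTS = """\
sapprod1 root
+ root
devbox +
"""

if __name__ == "__main__":
    for name, desc, user in audit_inetd(SAMPLE_INETD):
        print(f"enabled: {name:7} {desc:18} runs as {user}")
    for entry in audit_rhosts(SAMPLE_RHOSTS):
        print(f"wildcard trust entry: {entry}")
```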

  • Download and install Ettercap [sourceforge.net]. Leave it running in plain sight. Next time he uses the rlogin protocol, show how ettercap displays his password in the clear.

    I think that'll prove the point.

    --
    • Randal L. Schwartz
    • Stonehenge
    • Yeah, or dsniff [monkey.org], which was developed exactly for this purpose: to convince a University’s admins that there’s a real reason to mandate SSH and retire the r* tools.
    • I've told him that telnet as root is a really bad idea, I nearly fell out of my chair when I realised he was r* as root, and wanting to use NFS with root enabled. Whenever I complain, he says we are behind a firewall and all the SSH stuff is just rubbish from Linux - which isn't real Unix anyway....

      The real problem is a culture clash. He thinks Linux is a toy, and that SSH/sudo are pains. To him only AIX/Solaris are "real" solutions, and that plain telnet/r tools/wide open X are all you need. To me I use

      --
      -- "It's not magic, it's work..."
      • Ask him how much he is willing to bet that no one will ever break that firewall. Ask him how much he is willing to bet that no user will ever be tempted to sniff for passwords.

        Also, both sudo and SSH originate in BSD.

        sudo in particular is really, really old (from 1980 – far older than the Linux kernel, older even than the GNU project).

        Solaris ships with both.

        • Our firewall has Windows notebooks connecting through it via VPN. Personally I consider it to be meaningless, given that remote notebooks cannot be trusted. I believe the firewall even runs on a Windows server, though I could be wrong, so I don't trust it in that respect either.

          I know SSH comes from OpenBSD, but to him it's somehow "tainted goods" now it's used on Linux. I didn't know that sudo was that old, but he claims it doesn't work properly on AIX 4.x, so he never uses it.

          I suppose it mostly as ca

          --
          -- "It's not magic, it's work..."
          • Actually the userspace still differs vastly on the very lowest level (init, the toolbox, and stuff like that). For anything above the bare metal you’re right, though.

            Uhm, the setup running in your place sounds like a disaster waiting to happen. If I was in your shoes, assuming you have any responsibility for any of the systems, I’d be looking for ways to CYA.

            • I've made my concerns known...

              --
              -- "It's not magic, it's work..."
            • Categorising this as a "disaster waiting to happen" reminds me of a discussion I had recently in the comments on a friend's Live Journal [livejournal.com] - IT people seem to be not very good at evaluating risk.

              The security (or lack thereof) at ajt's employer doesn't sound any different to what it was two years ago when I started work there (I have since moved on). There were no major incidents in the year I was there and I think it unlikely that there have been since.

              • “I never fasten my seat belt.” “That’s a disaster waiting to happen.” “You are not very good at evaluating risk. I’ve never been in an accident.”

      • I'm sure I remember your lovely employer having a policy on password use. I'm quite certain that you can find something suitable in there to bash him over the head with.
  • Hello ajt, I had a boss like that, and at that time I used facts like: SANS Institute [sans.org]
    rlogin has been listed in this report since it was born :)

    "Remember Star Trek's transporter mechanism? "Beam me up, Scotty" allowed Jim Kirk, Spock, and their friends to be transported from one place to another instantaneously. Well, that is science fiction, but it is an analogy that is useful in describing how computer systems vulnerabilities are exploited. by Larry Rogers"

    Now as you can see, there are many people makin