FC5 and rlogin/rsh/rcp - Redhat


  1. FC5 and rlogin/rsh/rcp

    I'm upgrading from RH8 to FC5 and have installed "Servers/LegacyNetwork"
    because this explicitly includes rlogin, telnet, etc, but rlogind wasn't
    installed. Yes, I know they're not secure, but that's not a concern in my
    environment - I'm certainly not going to allow Linux on a workstation to
    dictate the login program used on the non-Linux servers and their
    applications on our isolated network. I say this to avoid wasting the time
    of security-crazed newsgroup posters - please don't bother. ;-)

    So I installed CD#5 Fedora/RPMS/rsh-server-0.17-34.1.i386.rpm and got the
    files that I wanted. However I then found that I was missing xinetd, so I
    installed CD#3 Fedora/RPMS/xinetd-2.3.13-6.2.1.i386.rpm. That was good,
    except that xinetd was not set up to run automatically on system boot. When
    I ran xinetd manually (having commented out the disable lines in
    /etc/xinetd.d/rlogin, etc), I was able to log in remotely. I wonder if this
    service is being made difficult to use on purpose or if I missed some
    relevant setting in the installation? Now I'll have to go and find an
    xinetd startup/shutdown script...

    For those who want to do this too and get stuck at this point I suspect that
    securetty still needs set up (which I had already done):
    Create /etc/securetty with lines as follows:
    rsh
    rlogin
    pts/0
    pts/1
    and so on for each port that you intend to connect from, including tty0,
    tty1, etc

    Good luck - you might need it!
    Alternatively, prayer is infinitely more reliable than luck...





  2. Re: FC5 and rlogin/rsh/rcp

    "Jeffrey Ross" wrote in message
    news:1143779308.980559@hosting.ispresults.com

    > Yes, I know they're not
    > secure, but that's not a concern in my environment - I'm certainly
    > not going to allow Linux on a workstation to dictate the login
    > program used on the non-Linux servers and their applications on our
    > isolated network. I say this to avoid wasting the time of
    > security-crazed newsgroup posters - please don't bother. ;-)

    ....
    > I wonder if this service is being made difficult to use on
    > purpose or if I missed some relevant setting in the installation?


    rsh, rlogin and telnet are deprecated from a security point of view, for
    reasons that you obviously don't want to hear. Your "isolated network" is
    still a network with the same security concerns, whether you're connected to
    the outside world or not.


  3. Re: FC5 and rlogin/rsh/rcp

    > rsh, rlogin and telnet are deprecated from a security point of view, for
    > reasons that you obviously don't want to hear.


    ....and ssh is so damn good (for a variety of reasons) that I'd use it
    anyway...

    Vic.



  4. Re: FC5 and rlogin/rsh/rcp

    On Fri, 31 Mar 2006 16:06:53 +1200, Jeffrey Ross wrote:

    > That was good, except that xinetd was not set up to run automatically on
    > system boot. When I ran xinetd manually (having commented out the
    > disable lines in /etc/xinetd.d/rlogin, etc), I was able to log in
    > remotely. I wonder if this service is being made difficult to use on
    > purpose or if I missed some relevant setting in the installation?


    I'm afraid you have.

    Xinetd isn't enabled upon installation because you need the
    opportunity to configure stuff like hosts.allow and hosts.deny before
    you open your server for business.

    The preferred method, instead of all that horrid editing, is to use
    the infrastructure already in place:

    # service xinetd start

    starts the service for *this* boot, and

    # chkconfig xinetd on

    will cause xinetd to start on the *next* boot.

    HTH
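
Added example (not part of the thread or of any poster's code): a check to run before `service xinetd start`, reporting which legacy cleartext services under /etc/xinetd.d would be live and whether xinetd's `only_from` attribute limits their clients. The sample file contents and the 192.168.10.0/24 network are constructed; the daemon names are those conventionally shipped by the rsh-server and telnet-server packages.

```python
import re

# Constructed /etc/xinetd.d-style files (sample data, not from a real host).
SAMPLE_FILES = {
    "rlogin": "service login\n{\n\tserver = /usr/sbin/in.rlogind\n#\tdisable = yes\n}\n",
    "rsh": "service shell\n{\n\tserver = /usr/sbin/in.rshd\n\tdisable = yes\n}\n",
    "telnet": "service telnet\n{\n\tserver = /usr/sbin/in.telnetd\n\tdisable = no\n"
              "\tonly_from = 192.168.10.0/24\n}\n",
}

# Daemon binaries of the cleartext legacy services discussed in this thread.
LEGACY_SERVERS = {"in.rlogind", "in.rshd", "in.rexecd", "in.telnetd"}
BLOCK = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"^\s*(\w+)\s*[+-]?=\s*(.*?)\s*$")


def parse_services(text):
    """Yield (service_name, attrs) per service block, ignoring '#' comment lines."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for name, body in BLOCK.findall(live):
        attrs = {}
        for line in body.splitlines():
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        yield name, attrs


def audit(files):
    """Return one finding per legacy service: enabled state and any only_from limit."""
    findings = []
    for fname, text in sorted(files.items()):
        for name, attrs in parse_services(text):
            server = attrs.get("server", "").rsplit("/", 1)[-1]
            if server not in LEGACY_SERVERS:
                continue
            findings.append({
                "file": fname, "service": name, "server": server,
                # xinetd treats a missing (or commented-out) disable line as "no".
                "enabled": attrs.get("disable", "no").lower() != "yes",
                "only_from": attrs.get("only_from"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        state = "ENABLED" if f["enabled"] else "disabled"
        scope = f["only_from"] or "any host (no only_from)"
        print(f'{f["file"]}: {f["service"]} ({f["server"]}) {state}, allowed from {scope}')
```

Commenting out the `disable` line, as the first post describes, leaves the service enabled; TCP wrappers rules in hosts.allow and hosts.deny are a separate layer this check does not read.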

  5. Re: FC5 and rlogin/rsh/rcp

    On Fri, 31 Mar 2006 16:06:53 +1200, Jeffrey Ross wrote:

    > I'm upgrading from RH8 to FC5 and have installed "Servers/LegacyNetwork"
    > because this explicitly includes rlogin, telnet, etc, but rlogind wasn't
    > installed. Yes, I know they're not secure, but that's not a concern in my
    > environment - I'm certainly not going to allow Linux on a workstation to
    > dictate the login program used on the non-Linux servers and their
    > applications on our isolated network. I say this to avoid wasting the time
    > of security-crazed newsgroup posters - please don't bother. ;-)


    You're swimming against the tide, the legacy servers have all been
    replaced by ssh. SSH does everything the old rlogin, rexec, telnet, and
    rsh servers did and a lot more. It's installed by default on every Linux,
    BSD and Unix distribution and it's available for Windows (Cygwin is the
    easiest way to install it but there are stand alone versions for Windows
    also). SSH is very easy to use and to administer, I use the ssh module in
    webmin, http://www.webmin.com, to administer my ssh setups because the
    webmin module is so clear and easy to use.

    You can certainly go through the trouble of enabling the legacy servers on
    FC5 but you are going to have to set them up again on every new system and
    every time you do a clean install. With ssh it will always be there by
    default. In the long run you'll have to do a lot less work if you use ssh
    instead of sticking with the obsolete servers.

    Once you switch to SSH the advantages will become immediately clear. The
    most obvious advantage is that you can access any of your machines over
    the Internet just like they were on your LAN.



  6. Re: FC5 and rlogin/rsh/rcp

    On Fri, 31 Mar 2006, in the Usenet newsgroup linux.redhat, in article
    <1143779308.980559@hosting.ispresults.com>, Jeffrey Ross wrote:

    >I'm upgrading from RH8 to FC5 and have installed "Servers/LegacyNetwork"
    >because this explicitly includes rlogin, telnet, etc, but rlogind wasn't
    >installed. Yes, I know they're not secure, but that's not a concern in my
    >environment


    It may not be a concern in your environment, but it certainly is for the
    rest of us. The Berkeley 'r' commands aren't even used at Berkeley any
    more.

    >I wonder if this service is being made difficult to use on purpose or if
    >I missed some relevant setting in the installation?


    I suspect it is being made difficult just for that reason. Look back to
    Red Hat 3.0.3, and you had sendmail wide open by default, formail all set
    to be used to relay spam... in those days, it was actually more common
    for spam to be coming from a r00ted Red Hat box than a windoze zombie. As
    a result, Red Hat started tightening up. There was a huge cry when the
    open relay function was disabled in RH 5.0, and even more cries about
    sendmail only listening on localhost starting in RH7.1. There is another
    operating system called OpenBSD that claims to have been never r00ted in
    the out-of-box configuration. The reason is quite simple - in the out-of-box
    mode, _NOTHING_ is running. If you want to run a service, you have to figure
    out how - there is no st00pid icon to click on to drop your pants.

    >Now I'll have to go and find an xinetd startup/shutdown script...


    In your second post, you talk of editing /etc/rc.2.d - not very many
    people use runlevel 2. I suspect you really mean runlevel 3 or 5.

    Old guy

  7. Re: FC5 and rlogin/rsh/rcp

    "General Schvantzkoph" wrote in message
    news:pan.2006.03.31.18.35.10.272641@yahoo.com...
    > On Fri, 31 Mar 2006 16:06:53 +1200, Jeffrey Ross wrote:
    >
    > > I'm certainly not going to allow Linux on a workstation to
    > > dictate the login program used on the non-Linux servers and their
    > > applications on our isolated network. I say this to avoid wasting the
    > > time of security-crazed newsgroup posters - please don't bother. ;-)
    >
    > You're swimming against the tide, the legacy servers have all been
    > replaced by ssh. SSH does everything the old rlogin, rexec, telnet, and
    > rsh servers did and a lot more.


    Yes, that's true, and from my original post above I obviously know that
    already.

    > It's installed by default on every Linux,
    > BSD and Unix distribution


    That's ridiculous. ssh is NOT installed by default on the version of Unix
    that we happen to run on the several machines in our closed network. We are
    not going to be driven to change our application to match what happens to be
    the norm in the Linux world.
    If I had an electric fence and armed guards surrounding my house I probably
    wouldn't bother putting deadlocks on my internal doors. And if I happened
    to replace an internal door and all that was available was a door with a
    pre-fitted deadlock, I might well remove it (or at least I certainly wouldn't
    go fitting deadlocks throughout the rest of the house!). Same goes with
    putting ssh on all our machines.

    > You can certainly go through the trouble of enabling the legacy servers on
    > FC5 but you are going to have to set them up again on every new system and
    > every time you do a clean install. With ssh it will always be there by
    > default. In the long run you'll have to do a lot less work if you use ssh
    > instead of sticking with the obsolete servers.


    Yes, of course. And I spent a day customising my Linux set-up script so
    that it will handle FC5 as well. Pretty simple really. The alternative is
    to modify our mission critical application, which we could do, but it would
    take some development effort and a lot of system testing.

    > Once you switch to SSH the advantages will become immediately clear. The
    > most obvious advantage is that you can access any of your machines over
    > the Internet just like they were on your LAN.


    What ever would I want to put our closed network onto the Internet for?
    That would be asking for trouble!

    I thought that Linux advocates were pushing for freedom, but really you seem
    to want me to conform to your way of doing things, so I think you've missed
    the point. Let me have my freedom.





  8. Re: FC5 and rlogin/rsh/rcp


    > I thought that Linux advocates were pushing for freedom, but really you
    > seem to want me to conform to your way of doing things, so I think you've
    > missed the point. Let me have my freedom.


    I'm not talking about freedom or security, just convenience. I kept
    installing the legacy servers for a couple of years because I've been
    using them for 20 years. Eventually I realized that the legacy servers
    weren't doing anything that ssh wouldn't do and I stopped wasting my time
    enabling the legacy servers every time that I did a Linux install. On
    systems where ssh isn't the default you might have to add a couple of
    environment variables, I still have the following in my .cshrc although it
    isn't necessary anymore,

    setenv CVS_RSH ssh
    setenv RSYNC_RSH ssh

    If your Unix systems don't already have OpenSSH on them it should be
    trivial to install it.


  9. Re: FC5 and rlogin/rsh/rcp

    "Jeffrey Ross" wrote in message
    news:1144040209.847643@hosting.ispresults.com

    >> It's installed by default on every Linux,
    >> BSD and Unix distribution

    >
    > That's ridiculous. ssh is NOT installed by default on the version of
    > Unix that we happen to run on the several machines in our closed
    > network. We are not going to be driven to change our application to
    > match what happens to be the norm in the Linux world.
    > If I had an electric fence and armed guards surrounding my house I
    > probably wouldn't bother putting deadlocks on my internal doors. And
    > if I happened to replace an internal door and all that was available
    > was a door with a pre-fitted deadlock, I might well remove it (or at
    > least I certainly wouldn't go fitting deadlocks throughout the rest of
    > the house!). Same goes with putting ssh on all our machines.


    The point you should consider in the context of the analogy you present is
    that the armed guards can be the source of intrusion, much as that U.S.
    soldier that placed a couple grenades into the tent of others in a Kuwait
    staging area. Much of network security in a LAN is dealing with the rest of
    the LAN as well as the outside world. Re-working legacy applications to deal
    with ssh, scp et al. is an effort well worth the time that it may take.

