/etc/hosts.equiv & .rhosts - Security



Thread: /etc/hosts.equiv & .rhosts

  1. /etc/hosts.equiv & .rhosts

    Hi,

    can anyone give an example for configuring the .rhosts file so that
    I can allow some trusted computers in my LAN to access my Ubuntu 8.04
    machine via telnet, ssh without having to enter a password?

    BTW there is no /etc/hosts.equiv file on my machine, so will I have to
    create it?

  2. Re: /etc/hosts.equiv & .rhosts

    aarklon@gmail.com wrote:
    > can anyone give an example for configuring the .rhosts file so that
    > I can allow some trusted computers in my LAN to access my Ubuntu 8.04
    > machine via telnet, ssh without having to enter a password?


    man ssh-keygen
    man ssh-copy-id

    Toni
    --
    ---------------------------------------------------------------------------
    e9427514 (at) student.tuwien.ac.at

  3. Re: /etc/hosts.equiv & .rhosts

    On 12 Aug, 10:43, aark...@gmail.com wrote:
    > Hi,
    >
    > can anyone give an example for configuring the .rhosts file so that
    > I can allow some trusted computers in my LAN to access my Ubuntu 8.04
    > machine via telnet, ssh without having to enter a password?
    >
    > BTW there is no /etc/hosts.equiv file on my machine, so will I have to
    > create it?


    No: this is comp.os.linux.**security**

    Disable telnet and use key pairs for SSH logins.

    C.

  4. Re: /etc/hosts.equiv & .rhosts

    C. wrote:
    > On 12 Aug, 10:43, aark...@gmail.com wrote:
    >> Hi,
    >>
    >> can anyone give an example for configuring the .rhosts file so that
    >> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
    >> machine via telnet, ssh without having to enter a password?
    >>
    >> BTW there is no /etc/hosts.equiv file on my machine, so will I have to
    >> create it?

    >
    > No: this is comp.os.linux.**security**
    >
    > Disable telnet and use key pairs for SSH logins.
    >
    > C.


    Use SSH, and learn to use the 'keychain' tool to manage SSH keys as needed. Or
    read up on Kerberized rsh and telnet, and use those.

  5. Re: /etc/hosts.equiv & .rhosts

    e9427514@student.tuwien.ac.at.invalid (Antonio Batovanja) writes:

    > aarklon@gmail.com wrote:
    >> can anyone give an example for configuring the .rhosts file so that
    >> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
    >> machine via telnet, ssh without having to enter a password?

    >
    > man ssh-keygen
    > man ssh-copy-id


    Telnet and ssh are different things, and require different config
    files. Telnet, as far as I know, always requires a
    password. Passwordless commands/login without ssh would be with
    rlogin/rcp/rsh. Those use the .rhosts, hosts.allow, and hosts.equiv
    files. Some of the rlogin & friends packages I've tried did not work,
    and if you want to go this route, I'd say get GNU inetutils:
    ftp://ftp.gnu.org:/gnu/inetutils/inetutils-1.5.tar.gz

    Read the info files there for setup. Per 'info rlogin', basically, if you
    want to log in at another host, that host needs the first host's name
    listed in /etc/hosts.equiv and in the .rhosts found in the user's home
    directory. The user can't be in /etc/nologin. It's been a while since I
    set this up, so my details are sketchy; read the info files to be
    sure.

    Unless there's no other way, or special cases permit, it's better to use
    the OpenSSH suite, with ssh for rsh, scp for rcp, and slogin for
    rlogin. With those, it's best to allow key-only login so hackers can't
    brute force passwords. Also strongly consider not sticking the daemon
    on port 22 as it WILL be messed with all day long. Generate ssh
    user keys on two machines using the ssh-keygen tool. These populate
    the ~/.ssh/ directory. On the machine you want to log in to, take the
    PUBLIC key and send it to that host: cat id_rsa.pub >>
    ~/.ssh/authorized_keys, and likewise with key id_dsa.pub, and also if
    desired identity.pub, all into that authorized_keys file. Now when you
    log in from your host, you will use your private key to the remote
    host's public key you just copied over.

    If you don't have daemon keys made, you need to make those first. They
    are the ssh_host_* keys in /etc/ssh/

    If your systems are multi-homed, set ListenAddress to the IP/interface
    you want it to listen on. The below is an internal machine, which I
    allow root keyed login on. External machines I do not allow any root
    login on.


    ## Secure Shell Server
    ## Configuration file
    ##
    ## This file specifies how the sshd daemon operates.
    ## $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
    Port 7000
    # Protocol 2 only
    Protocol 2
    ListenAddress 192.168.1.70
    #ListenAddress ::
    # HostKey for protocol version 1
    HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 1h
    ServerKeyBits 768
    # Logging. Obsoletes QuietMode
    # and FascistLogging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    LoginGraceTime 2m
    PermitRootLogin yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    # For this to work you will also need
    # host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    AllowTcpForwarding yes
    GatewayPorts no
    X11Forwarding yes
    X11DisplayOffset 5
    X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    UseLogin no
    UsePrivilegeSeparation yes
    PermitUserEnvironment yes
    Compression yes
    ClientAliveInterval 0
    ClientAliveCountMax 3
    UseDNS yes
    PidFile /var/run/sshd.pid
    MaxStartups 3
    # Default system banner
    Banner /etc/issue.net
    # The sftp subsystem
    Subsystem sftp /usr/libexec/sftp-server
    # Specifically name who can use SSH
    AllowUsers user1 user2 user3 user4
    AllowGroups group1 group2 group3
    # And who never can. I've added some of those dumb
    # names people try, just to make sure that someone/thing
    # never uses those names at some time
    DenyUsers bin daemon adm sync shutdown halt mail news uucp operator games ftp fcron smmsp mysql rpc sshd nobody guest Guest GUEST test Test TEST nouser user owner admin administrator apache www wwwrun wine windows smb samba swat cybase httpd uucp UUCP pop sunrpc mailnull


    If you change ports as shown here, set which hosts need changed
    ports in the ssh_config file so you don't have to keep keying it in on
    the command line. Remove Protocol version 1 if you don't want that,
    but some machines may need it. This says that when we log in to
    'different.port.host.com', automatically look for the daemon at Port
    7000, and in the usual place for all the others.


    ## Any configuration value is only changed the first time it is set.
    ## Thus, host-specific definitions should be at the beginning of the
    ## configuration file, and defaults at the end.


    ## Specification for host different.port.host.com
    Host different.port.host.com
    ForwardAgent yes
    ForwardX11 yes
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication no
    HostbasedAuthentication no
    BatchMode no
    CheckHostIP yes
    AddressFamily any
    ConnectTimeout 0
    StrictHostKeyChecking ask
    IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    Port 7000
    Protocol 2,1
    Cipher 3des
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~

    ## Site-wide defaults for various options
    Host *
    ForwardAgent yes
    ForwardX11 yes
    EnableSSHKeysign yes
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication no
    HostbasedAuthentication no
    BatchMode no
    CheckHostIP yes
    AddressFamily any
    ConnectTimeout 0
    StrictHostKeyChecking ask
    IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    Port 22
    Protocol 2,1
    Cipher 3des
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~


    Read the manpages over, of course, as well. You *can* use
    telnet/rlogin and friends, just be aware that if an attacker is
    sitting in between you and your remote target with a sniffer, they
    will be collecting any password to any attack you attempt
    telnet/rlogin/etc. with. Most times ssh is the better option. You can
    put your ssh keys on a small USB stick (FAT filesystem) that will work
    on all common PCs. Mac OS X, Windows, and Linux all share the FAT
    filesystem.



    --
    Protect? [** America, The Police State **] Serve?
    http://www.hermes-press.com/police_state.htm
    http://www.theregister.co.uk/2008/01..._nsa_internal/
    http://www.privacyinternational.org/...D=x-347-559597
    http://www.homelandstupidity.us/2008...ir-passengers/
    http://www.presstv.ir/detail.aspx?id...tionid=3510203
    Teen Tazered 19 times: http://www.ky3.com/news/local/26158674.html
    Guns For TX Teachers: http://news.bbc.co.uk/1/hi/world/americas/7564654.stm
    Castration Punishment: http://www.foxnews.com/story/0,2933,348171,00.html
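    The sshd_config posted above turns off exactly the rhosts-style trust the
    original question asked for (IgnoreRhosts yes, HostbasedAuthentication no,
    RhostsRSAAuthentication no, PasswordAuthentication no, Protocol 2), and the
    ssh_config comment notes that "any configuration value is only changed the
    first time it is set". sshd applies the same first-value-wins rule to its
    global directives, so a hardening line appended below an earlier permissive
    one does nothing. The script below is an added example, not part of this
    thread or of OpenSSH: it parses a sshd_config with that rule and reports
    the directives that still permit password or host-based trust. The two
    sample configs are constructed for the demonstration (the first is modelled
    on the posted one), and the fallback defaults for absent directives are
    assumed from sshd_config(5) of the OpenSSH 5.x era.

```python
"""Audit an OpenSSH sshd_config for the trust settings discussed in this thread.

Parses global (pre-Match) directives the way sshd does: keywords are
case-insensitive, 'Keyword value' or 'Keyword=value', and the FIRST value
seen for a keyword wins.
"""
import re

# Directive -> (value the thread recommends, reason a reviewer would give).
CHECKS = {
    "passwordauthentication": ("no", "password logins can be brute-forced; use keys"),
    "permitemptypasswords": ("no", "empty passwords must never be accepted"),
    "permitrootlogin": ("no", "direct root login over SSH should be disabled"),
    "ignorerhosts": ("yes", "~/.rhosts and ~/.shosts trust must not be honoured"),
    "hostbasedauthentication": ("no", "host-based trust is the rhosts model again"),
    "rhostsrsaauthentication": ("no", "protocol-1 rhosts+RSA trust is obsolete"),
    "protocol": ("2", "SSH protocol 1 has known weaknesses; allow only 2"),
}

# Assumed defaults for directives absent from the file (sshd_config(5),
# OpenSSH 5.x era; newer releases default PermitRootLogin differently).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "rhostsrsaauthentication": "no",
    "protocol": "2",
}

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")


def parse_global(text):
    """Return {keyword_lower: first_value} for directives before any Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # Match blocks scope their directives; global section ends here
        effective.setdefault(key, value)  # first value wins, later ones are ignored
    return effective


def audit(text):
    """Return a list of (keyword, effective_value, reason) findings."""
    cfg = parse_global(text)
    findings = []
    for key, (wanted, reason) in CHECKS.items():
        value = cfg.get(key, DEFAULTS[key])
        if key == "protocol":
            bad = "1" in {v.strip() for v in value.split(",")}
        else:
            bad = value.lower() != wanted
        if bad:
            findings.append((key, value, reason))
    return findings


# Constructed sample, modelled on the sshd_config posted in the thread.
SAMPLE_HARDENED = """\
Port 7000
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
"""

# Constructed sample showing why appending hardening lines is not enough.
SAMPLE_WEAK = """\
Protocol 2,1
PasswordAuthentication yes
HostbasedAuthentication yes
IgnoreRhosts no
# Lines added "to harden" later; sshd keeps the first value, so they are ignored:
PasswordAuthentication no
IgnoreRhosts yes
"""

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(f"== {name} ==")
        for key, value, reason in audit(sample):
            print(f"  {key} = {value!r}: {reason}")
```

    Running it on the weak sample lists Protocol, PasswordAuthentication,
    HostbasedAuthentication and IgnoreRhosts with their first (permissive)
    values, plus PermitRootLogin from the assumed default; the hardened
    sample reports only PermitRootLogin, which the poster deliberately left
    on for an internal host.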
