/etc/hosts.equiv & .rhosts

#1  08-12-2008, 05:43 AM
/etc/hosts.equiv & .rhosts

Hi,

Can anyone give an example of configuring the .rhosts file so that
I can allow some trusted computers in my LAN to access my Ubuntu 8.04
machine via telnet or ssh without having to enter a password?

BTW there is no /etc/hosts.equiv file on my machine, so will I have to
create it?
#2  08-12-2008, 09:58 AM
Re: /etc/hosts.equiv & .rhosts

aarklon@gmail.com wrote:
> Can anyone give an example of configuring the .rhosts file so that
> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
> machine via telnet or ssh without having to enter a password?


man ssh-keygen
man ssh-copy-id

Toni
--
---------------------------------------------------------------------------
e9427514 (at) student.tuwien.ac.at
#3  08-19-2008, 07:29 AM
Re: /etc/hosts.equiv & .rhosts

On 12 Aug, 10:43, aark...@gmail.com wrote:
> Hi,
>
> Can anyone give an example of configuring the .rhosts file so that
> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
> machine via telnet or ssh without having to enter a password?
>
> BTW there is no /etc/hosts.equiv file on my machine, so will I have to
> create it?


No: this is comp.os.linux.**security**

Disable telnet and use key pairs for SSH logins.

C.
#4  08-22-2008, 06:29 PM
Re: /etc/hosts.equiv & .rhosts

C. wrote:
> On 12 Aug, 10:43, aark...@gmail.com wrote:
>> Hi,
>>
>> Can anyone give an example of configuring the .rhosts file so that
>> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
>> machine via telnet or ssh without having to enter a password?
>>
>> BTW there is no /etc/hosts.equiv file on my machine, so will I have to
>> create it?

>
> No: this is comp.os.linux.**security**
>
> Disable telnet and use key pairs for SSH logins.
>
> C.


Use SSH, and learn to use the 'keychain' tool to manage SSH keys as needed. Or
read up on Kerberized rsh and telnet, and use those.
#5  08-24-2008, 04:02 PM
Re: /etc/hosts.equiv & .rhosts

e9427514@student.tuwien.ac.at.invalid (Antonio Batovanja) writes:

> aarklon@gmail.com wrote:
>> Can anyone give an example of configuring the .rhosts file so that
>> I can allow some trusted computers in my LAN to access my Ubuntu 8.04
>> machine via telnet or ssh without having to enter a password?

>
> man ssh-keygen
> man ssh-copy-id


Telnet and ssh are different things, and require different config
files. Telnet, as far as I know, always requires a
password. Passwordless commands/login without ssh would be with
rlogin/rcp/rsh. Those use the .rhosts, hosts.allow, and hosts.equiv
files. Some of the rlogin & friends packages I've tried did not work,
and if you want to go this route, I'd say get GNU inetutils:
ftp://ftp.gnu.org:/gnu/inetutils/inetutils-1.5.tar.gz

Read the info files there for setup. 'info rlogin', basically: if you
want to log in at another host, that host needs the first host's name
listed in /etc/hosts.equiv and in the .rhosts found in the user's home
directory. The user can't be in /etc/nologin. It's been a while since I
set this up, so my details are sketchy; read the info files to be
sure.

Unless there's no other way, or special cases permit, it is better to use
the OpenSSH suite, with ssh for rsh, scp for rcp, and slogin for
rlogin. With those, it is best to allow key-only login so hackers can't
brute-force passwords. Also strongly consider not putting the daemon
on port 22, as it WILL be messed with all day long. Generate ssh
user keys on the two machines using the ssh-keygen tool. These populate
the ~/.ssh/ directory. On the machine you want to log in to, take the
PUBLIC key and send it to that host: cat id_rsa.pub >>
~/.ssh/authorized_keys, and do the same with id_dsa.pub and, if
desired, identity.pub, all into that authorized_keys file. Now when you
log in from your host, you will use your private key against the remote
host's public key you just copied over.

If you don't have daemon keys made, you need to make those first. They
are the ssh_host_* keys in /etc/ssh/.

If your systems are multi-homed, set ListenAddress to the IP/interface
you want it to listen on. The config below is for an internal machine, on
which I allow root keyed login. On external machines I do not allow any
root login.


## Secure Shell Server
## Configuration file
##
## This file specifies how the sshd daemon operates.
## $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
Port 7000
# Protocol 2 only
Protocol 2
ListenAddress 192.168.1.70
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 768
# Logging. Obsoletes QuietMode
# and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need
# host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 5
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment yes
Compression yes
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 3
# Default system banner
Banner /etc/issue.net
# The sftp subsystem
Subsystem sftp /usr/libexec/sftp-server
# Specifically name who can use SSH
AllowUsers user1 user2 user3 user4
AllowGroups group1 group2 group3
# And who never can. I've added some of those dumb
# names people try, just to make sure that someone/thing
# never uses those names at some time
DenyUsers bin daemon adm sync shutdown halt mail news uucp operator games ftp fcron smmsp mysql rpc sshd nobody guest Guest GUEST test Test TEST nouser user owner admin administrator apache www wwwrun wine windows smb samba swat cybase httpd uucp UUCP pop sunrpc mailnull


If you change ports as shown here, set which hosts need changed
ports in the ssh_config file so you don't have to keep keying it in on
the command line. Remove Protocol version 1 if you don't want it,
but some machines may need it. This says that when we log in to
'different.port.host.com', automatically look for the daemon at Port
7000, and in the usual place for all the others.


## Any configuration value is only changed the first time it is set.
## Thus, host-specific definitions should be at the beginning of the
## configuration file, and defaults at the end.


## Specification for host different.port.host.com
Host different.port.host.com
ForwardAgent yes
ForwardX11 yes
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
HostbasedAuthentication no
BatchMode no
CheckHostIP yes
AddressFamily any
ConnectTimeout 0
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 7000
Protocol 2,1
Cipher 3des
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
EscapeChar ~

## Site-wide defaults for various options
Host *
ForwardAgent yes
ForwardX11 yes
EnableSSHKeysign yes
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
HostbasedAuthentication no
BatchMode no
CheckHostIP yes
AddressFamily any
ConnectTimeout 0
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2,1
Cipher 3des
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
EscapeChar ~


Read the manpages over, of course, as well. You *can* use
telnet/rlogin and friends, just be aware that if an attacker is
sitting between you and your remote target with a sniffer, they
will be collecting any password to any account you attempt to reach via
telnet/rlogin/etc. Most times ssh is the better option. You can
put your ssh keys on a small USB stick (FAT filesystem) that will work
on all common PCs. Mac OS X, Windows, and Linux all share the FAT
filesystem.
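The "first value set wins" rule the poster describes for ssh_config, and a check of the sshd_config directives this thread is about (keys only, no rhosts/hostbased or password logins), as an added example that is not part of the original post or of OpenSSH. The parser is a minimal one written here (Host stanzas and keyword/value lines only), and the config samples are constructed from the poster's own files.

```python
import fnmatch
import re

# Constructed samples: the poster's ssh_config (host stanza before 'Host *')
# and the authentication lines of the poster's sshd_config.
SSH_CONFIG = """
Host different.port.host.com
Port 7000
Host *
Port 22
PasswordAuthentication no
"""
SSHD_CONFIG = """
PermitRootLogin yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
"""

def parse(text):
    """Yield (host_patterns, keyword, value); keywords are case-insensitive."""
    patterns = None                      # None until the first Host line
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*([^#]*)", raw)   # skips blank/# lines
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            patterns = value.split()
        else:
            yield patterns, key, value

def effective(text, host):
    """First matching stanza to set a keyword wins ('!pattern' not handled)."""
    opts = {}
    for patterns, key, value in parse(text):
        if patterns is None or any(fnmatch.fnmatch(host, p) for p in patterns):
            opts.setdefault(key, value)
    return opts
# Keys-only server in the thread's sense; sshd in 2008 defaulted to allowing
# root and password logins, so a directive left unset is also a finding.
EXPECTED = {"pubkeyauthentication": "yes", "passwordauthentication": "no",
            "ignorerhosts": "yes", "rhostsrsaauthentication": "no",
            "hostbasedauthentication": "no", "permitrootlogin": "no"}

def audit_sshd(text):
    """Return (keyword, actual, expected) for each directive that deviates."""
    opts = effective(text, "")           # same first-value-wins rule applies
    return [(k, opts.get(k, "<unset>"), v) for k, v in EXPECTED.items()
            if opts.get(k) != v]
```

Run against the poster's sshd_config the only finding is PermitRootLogin, which is exactly the exception the poster says they make for the internal machine.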
