April 10, 2011, 6:19 p.m.
posted by newmy
The r-tools are probably the most insecure utilities you can run on a Unix system. They use basic "rhosts" Unix authentication, which is based on trusting usernames and hostnames. Probably one of the biggest problems with this authentication mode is that users can configure their accounts so that they can log into their accounts from anywhere without entering a password.
The bottom line is that you should never run any of the r-tools services. The r-tools are ugly, dangerous, and obsolete. If you're a system administrator, avoid them like the plague. Turn them off for every system and remove them. If you're a hacker, r-tools can make your job a whole lot less challenging.
As an administrator, you should instead use SSH, which uses better authentication and encrypts its traffic. But that doesn't mean that other system administrators won't still be running r-tools.
Similar to telnet, rlogin runs over TCP port 513 (where the rshd process is listening) and establishes a remote shell on the system. Rsh does the same thing except it executes a specified command on the remote host, returns the output of that command, and exits immediately. Rcp will copy a file to or from the remote host.
Here are some example command lines.
rlogin -l myusername myhost
rsh -l myusername myhost "ls -al"
rcp [email protected]:/path/to/remotefile localfile
By creating a file called .rhosts in the home directory, the user can make a list of user/host combinations that are "trusted" by this account. You do this by specifying lines like hostname [username], to indicate that user username from host hostname can use the r-tools to connect without using a password. The laziest of users will simply put ++ in their .rhosts file, allowing any user from any host to log into the account (+ is the wildcard character). Even if the security isn't that lax, the user may have a line that says + myusername, which would allow someone logged in as myusername on any other machine on the planet to log into the machine without a password.
Someone could create an account on his local box called myusername, fire up his rlogin, and off he'd go. You can see the security issues here! By giving individual users the ability to poke such gaping holes in the security of the system, the r-tools quickly offset the amount of convenience they provide. System administrators can do the same thing, using the global rhosts file hosts.equiv to set up global system r-tool "trusted" hosts and users.
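To make the trust rules above concrete from the administrator's side, here is an added audit helper (my own example, not code from the post): it parses the hostname [username] lines of a .rhosts or hosts.equiv file and ranks each entry by how far it opens the account, treating + in either field as the wildcard the post describes. The file contents and host names are constructed for the example; the wildcard-only line the post writes as ++ is spelled here as two fields, + +, host then user.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TrustEntry:
    line_no: int
    host: str
    user: Optional[str]   # None: only the same username as the local account

@dataclass
class Finding:
    line_no: int
    severity: str         # CRITICAL, HIGH or INFO
    reason: str

def parse_trust_file(text: str) -> List[TrustEntry]:
    """Parse 'hostname [username]' lines; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        user = fields[1] if len(fields) > 1 else None
        entries.append(TrustEntry(n, fields[0], user))
    return entries

def audit_trust_file(text: str) -> List[Finding]:
    """Flag every entry; wildcards ('+') in host or user raise the severity."""
    findings = []
    for e in parse_trust_file(text):
        any_host, any_user = e.host == "+", e.user == "+"
        who = e.user or "the same username"
        if any_host and any_user:
            sev, msg = "CRITICAL", "any user on any host"
        elif any_host:
            sev, msg = "HIGH", f"{who} on any host"
        elif any_user:
            sev, msg = "HIGH", f"any user on {e.host}"
        else:
            sev, msg = "INFO", f"{who} on {e.host}"
        findings.append(Finding(e.line_no, sev, msg + " may log in without a password"))
    return findings

# Constructed sample .rhosts content, not taken from any real system.
SAMPLE_RHOSTS = """\
# trusted build host
build.example.com alice
+ myusername
+ +
"""

if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_RHOSTS):
        print(f"line {f.line_no}: {f.severity}: {f.reason}")
```

The same parser applies to hosts.equiv, since it uses the same hostname [username] layout.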
More recent versions of r-tools actually support Kerberos authentication and attempt to use that before falling back on rhosts authentication. Additionally, they can perform Data Encryption Standard (DES) encryption of data if both sides of the connection support it.
The rwho program communicates with a separate program (rwhod, running on UDP 513). The rwho client attempts to talk to all rwhod machines listening on the local subnet to determine what users are logged into each one. Like finger, this is a lot of information, allowing a hacker who infiltrates a network to get a whole slew of valid usernames on hosts. And chances are, if they're running rwho, they're running some of the other r-tools, so hackers might find themselves able to rlogin all over the place without using passwords.
The rexec program talks to the rexecd program running on TCP 512. It is nearly identical to rsh in functionality. It uses this format:
rexec username@host_name command
Passwords can be specified on the command line with -p (which is a horrible idea, considering it can get stored in your shell history). If no user credentials are provided, rexec tries to use entries in the ~/.netrc file to log into the system.