
Re: Offering external services, rlogins, smtp etc: how does it work?



Mark Phillips <mark@ist.flinders.edu.au> writes:

> Andrew Sullivan [sullivana@bpl.on.ca] wrote:
> 
> > Aaarrgh!  Not the dreaded r-services!  Don't allow them.  Shut them
> > off.  They are evil, and a great source of amusement to all
> > crackers.  Use ssh, or telnet, if you must (although that's just as
> > risky).

> Now you say to use ssh or telnet, but then say this is just as risky!
> Why not use rlogin if it is no more risky than the alternatives?

I think Andrew was only referring to telnet. It sends your password
in clear text over the net.

> The point is that I need to offer the functionality of rlogin.  When I
> am elsewhere and I want to do a remote login to my machine, then I
> need rlogin or some equivalent.  If rlogin is currently insecure, why
> don't people make it secure?  What makes it so hard?

I'm not sure, but I think the main insecurity of rlogin (and sisters) is
that these send everything in clear text.  Depending on your situation
this may be a security risk.  Any known security holes should be fixed
in the deb.  Holes and risks are not quite the same, I guess.

If you need rlogin functionality, install ssh and use slogin, scp or ssh
instead of rlogin, rcp and rsh.
-- 
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
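
The advice in this thread (shut off the r-services and telnet, use the ssh tools instead), as an added example that is not part of the original post: a check that lists which of those cleartext services are still enabled in an inetd-style configuration. It assumes the classic `inetd.conf` layout (service name in the first field, disabled entries commented out with `#`) and also covers `exec` (rexec), which the thread does not name; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report cleartext remote-access services that are still
# enabled in an inetd.conf-style file, with the ssh replacement for each.
# Assumption: service name is the first field; '#' marks a disabled entry.

audit_inetd() {
    # Reads the file(s) given as arguments, or stdin when none are given.
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip disabled entries, blank lines
        $1 == "login"  { print $1 " enabled: use slogin instead of rlogin" }
        $1 == "shell"  { print $1 " enabled: use ssh/scp instead of rsh/rcp" }
        $1 == "exec"   { print $1 " enabled: use ssh instead of rexec" }
        $1 == "telnet" { print $1 " enabled: use ssh instead of telnet" }
    ' "$@"
}

# Constructed sample configuration (not taken from any real host).
sample_conf() {
    cat <<'EOF'
#ftp    stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.telnetd
shell   stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.rshd
#login  stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.rlogind

ident   stream tcp wait   identd /usr/sbin/identd identd
EOF
}

# Demo run on the constructed sample; on a real host: audit_inetd /etc/inetd.conf
sample_conf | audit_inetd
```

Any line it prints is an entry to comment out in the configuration before reloading inetd.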


