Summary: How to enforce official-host-name for rsh/rlogin -- Repost

From: Kerr Tung (ktung@sdt.com)
Date: Tue Oct 21 1997 - 10:46:38 CDT


Hi all,

Sorry that some of you cannot read the attached part of my email
(Novell GroupWise format). So I am reposting it for your reference.

My thanks go to David Thorburn-Gundlach <dtg@cae091.ed.ray.com> who was the
only reply to my posting. He pointed the problem out for me and I fixed the
problem by defining "hosts: dns nis file" in my /etc/nsswitch.conf file. I
didn't have the dns entry before.

The original Q/A:

Kerr Tung wrote:
>
> Hi all,

Hi there!

>
> How do I make a host's official-host-name, i.e.
> abc.def.com be recognized by rsh/rlogin, not the
> nickname abc?

That FQDN must be the first thing that a name lookup will see.

>
> I checked the hostname abc with "nslookup abc" and
> "ypcat hosts |grep abc" and didn't find anything
> different for this host from the other hosts
> defined -- it is defined with both abc.def.com and

Which is first on the line, though?

> abc. However, when I use rsh/rlogin to this
> machine, only the nick name is accepted. I hate to
> add "abc" in the /etc/hosts.equiv or .rhosts to

Yeah; that's not such a good idea.

> just make it work, reasoning that may impose a
> bigger security hole than just having the official
> host name abc.def.com.

You didn't mention your OS, but you mentioned running under YP... If
you're running Solaris, it's fairly easy, though it will completely go
around your YP hosts map (so why bother keeping it up?); mind you, *all*
programs will see DNS first. Just modify /etc/nsswitch.conf to ensure
that "dns" comes before "nis" on the "hosts:" line.

You could also turn your YP hosts map inside out. You probably have
something like this at the moment:

111.222.333.444 abc abc.def.com

If you want rsh to recognize the remote machine as abc.def.com instead
of abc, you need to have your entries look like

111.222.333.444 abc.def.com abc

Both of these are because in.rshd/in.telnetd/etcetc all get an IP
address and have to see what host name *the*local*machine* thinks it is;
it makes a call (probably gethostbyaddr, but I'm not enough of a
programmer to know) to its name service(s) to find out what the right
value is, and returns the FIRST thing it finds.

>
> How should I fix this? No flame for using .rhosts
> and hosts.equiv, please.

Hey; I'm with ya ;-)

>
> Thanks,
> Kerr

:-D

-- 
David Thorburn-Gundlach
dtg@cae091.ed.ray.com,david@bae.uga.edu
Raytheon  508/440-2016 or 508/440-2317
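
An added example, not part of the original thread: a small Python model of the lookup behaviour described in the reply, showing how the source order on the "hosts:" line and the order of names on a map line decide which name is compared against hosts.equiv. The maps, the hosts.equiv content and all function names are constructed for illustration, and the "dns" map is a stand-in for a PTR answer.

```python
# Added example: models how a reverse lookup picks the "official" host name.
# All maps below are constructed sample data, not taken from a real system.

def parse_hosts_map(text):
    """Return {ip: [canonical, alias, ...]} from hosts(4)-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            # First match wins, as in a linear scan of the map.
            table.setdefault(fields[0], fields[1:])
    return table

def hosts_order(nsswitch_text):
    """Return the source order from the 'hosts:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # Simplification: action criteria like [NOTFOUND=return] are skipped.
            return [t for t in line[len("hosts:"):].split() if not t.startswith("[")]
    return []

def official_name(ip, nsswitch_text, sources):
    """Name the daemon would see: first name in the first source that knows ip."""
    for src in hosts_order(nsswitch_text):
        names = parse_hosts_map(sources.get(src, "")).get(ip)
        if names:
            return names[0]
    return None

def equiv_allows(ip, nsswitch_text, sources, hosts_equiv):
    """True if the resolved name appears as a host entry in hosts.equiv text."""
    name = official_name(ip, nsswitch_text, sources)
    trusted = {l.split()[0].lower() for l in hosts_equiv.splitlines() if l.strip()}
    return name is not None and name.lower() in trusted

IP = "111.222.333.444"  # placeholder address exactly as written in the post
SOURCES = {
    "nis": IP + " abc abc.def.com\n",   # nickname first, as in the YP map
    "dns": IP + " abc.def.com\n",       # constructed stand-in for a PTR answer
    "files": "127.0.0.1 localhost\n",
}
HOSTS_EQUIV = "abc.def.com\n"           # constructed: trusts only the FQDN

if __name__ == "__main__":
    for order in ("hosts: nis files", "hosts: dns nis files"):
        print(order, "->", official_name(IP, order, SOURCES),
              equiv_allows(IP, order, SOURCES, HOSTS_EQUIV))
```

With "nis" first the model resolves the address to the nickname and the FQDN entry in hosts.equiv does not match; putting "dns" first, or reordering the names on the NIS map line, makes the FQDN the name that is compared.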


