>Date: Mon, 23 May 1994 16:21:58 -0400
>From: Rens Troost <rens@imsi.com>
>
>>>>>> On Mon, 23 May 1994 10:01:17 -0700, Karyn Pichnarczyk <karyn@cheetah.llnl.gov> said:
>
> karyn> Not sufficient.  Does not keep people from logging in as a
> karyn> user other than root.
>
>Also fairly time-consuming on a network with several thousands of
>them...smit was built by mainframers.
>
>-Rens

Actually you don't have to run smit, just do a:

    chuser rlogin='false' root

Of course this is no substitute for the IBM emergency patch, which should
be installed as well.

I do recommend removing the ability to rlogin to a root account.  There is
no valid reason for root to be able to rlogin (well, there might be a few,
but they are not as powerful as the arguments against).  /bin/su is the
preferred method of becoming root, and you can still telnet in and login on
the console as root (I would encourage you to turn off the ability to
telnet in and login as root as well, but...).

B.T.W.  For those people who may have many (tens or hundreds) of RS6ks,
I've appended a shell script which automates the disabling of root rlogin
capability and the installation of the IBM AIX emergency patch (no express
warranties or liability, your mileage may vary).

Appended is the shell script based on the official CERT announcement on the
AIX RS/6000 security hole plus another precaution (disables rlogin to root).

If you want it to install the IBM emergency patch you must ftp
ftp://software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z and uncompress and
untar it ( zcat rlogin.tar.Z | tar xvpf - ) somewhere.  Then set the
following variables for this shell script:

    AIX_VERSION
    AIX_PATCH_DIR

This script does the following:

1. As root, disables being able to rlogin to root
       chuser rlogin='false' root
2. Disables the remote login rlogin service in /etc/inetd.conf, then
   does 'inetimp' and 'refresh -s inetd'
3. Installs the IBM emergency patch.
4. Enables the remote login rlogin service in /etc/inetd.conf, then
   does 'inetimp' and 'refresh -s inetd'
5. Test.

- Morrow

#!/bin/sh
#
# H. Morrow Long, Yale CSCF
#
# Version "tsm-3.2.0".
AIX_VERSION="tsm-3.2.0"
#
# Patch path directory /cs/local/src/AIX/rlogin/
AIX_PATCH_DIR="/cs/local/src/AIX/rlogin"
AIX_TSM_PATCH="$AIX_PATCH_DIR/$AIX_VERSION"
#
# Make sure the patch file is really there before touching /usr/sbin.
if [ ! -f "$AIX_TSM_PATCH" ]; then
	echo "$0: patch file $AIX_TSM_PATCH not found" 1>&2
	exit 1
fi
#
# Root should NOT be allowed to rlogin as user ROOT anyway!  DISABLE root rlogin
#
chuser rlogin='false' root
#
#
# 1. As root, edit /etc/inetd.conf
#    Comment out the line 'login ... rlogin'
sed 's/^login/# login/' /etc/inetd.conf > /tmp/inetd.conf.NEW
cp -p /etc/inetd.conf /etc/inetd.conf.BACKUP
cp /tmp/inetd.conf.NEW /etc/inetd.conf
# 2. Run 'inetimp'
inetimp
# 3. Run 'refresh -s inetd'
refresh -s inetd
#
#
#
# APAR IX44254 -- rlogin security hole
#
# This document describes how to apply the emergency patch for APAR
# IX44254.  This emergency patch is not the permanent solution to this
# problem, it merely provides a means to restore rlogin functionality
# in a more secure manner.
#
# Begin by identifying the correct level for your system.  The command
# "oslevel" may be used for this purpose on AIX v3.2 systems.  For AIX
# v3.1 systems you must know the last maintenance level which was
# applied.
#
# If the "oslevel" command returns "oslevel: not found" or a similar
# message from the shell, you must use "tsm-3.2.0".
#
# If the "oslevel" command returns "<3240" or "<>3240", you must use
# "tsm-3.2.0".
#
# If the "oslevel" command returns "=3240", ">3240", "<3250" or "<>3250",
# you must use "tsm-3.2.4".
#
# If the "oslevel" command returns "=3250" or ">3250", you must use
# "tsm-3.2.5".
#
#
# Once you have determined the correct version, execute the following
# steps.
#
# 1). "cd /usr/sbin"
cd /usr/sbin || exit 1
# 2). If the file "tsm.ix44254" does not exist, execute "mv tsm tsm.ix44254"
#     (the test keeps a re-run from overwriting the saved original with
#     the already-patched tsm)
if [ ! -f tsm.ix44254 ]; then
	mv tsm tsm.ix44254
fi
# 3). "cp <version> tsm" where "<version>" was figured out above.
#     "tsm-3.2.0".
#     cp /cs/local/src/AIX/rlogin/tsm-3.2.0 ./tsm
cp "${AIX_TSM_PATCH}" ./tsm
# 3). "rm -f login getty"
rm -f login getty
# 4). "chown root.security tsm"
chown root.security tsm
# 5). "chmod 4554 tsm"
chmod 4554 tsm
# 6). "ln tsm login"
ln tsm login
# 7). "ln tsm getty"
ln tsm getty
# 8). "chmod a-x tsm.ix44254"
chmod a-x tsm.ix44254
#
# Put the original /etc/inetd.conf (with rlogin enabled) back now that the
# patched tsm is in place.
cp -p /etc/inetd.conf.BACKUP /etc/inetd.conf
# 2. Run 'inetimp'
inetimp
# 3. Run 'refresh -s inetd'
refresh -s inetd
#
#
# You may verify that the new login command is working correctly with the
# command
#
#    rlogin localhost
rlogin localhost
#
-------------------end of file --------------------
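The script above applies the mitigations but never checks that they took. The following is an added example, not part of Morrow's post or IBM's instructions: three POSIX sh helper functions an administrator could run on each RS/6000 afterwards to verify the state the script is supposed to leave behind. `tsm_version_for_oslevel` encodes the oslevel-to-tsm mapping quoted in the script's comments, `inetd_rlogin_enabled` checks whether an inetd.conf still carries an active `login` line, and `tsm_patch_installed` checks that `login` and `getty` are hard links to `tsm` and that the saved `tsm.ix44254` is no longer executable. The sample inetd.conf lines and the scratch directory at the bottom are constructed for the demonstration; the `-ef` test is assumed to be available in the shell (it is in bash and most sh implementations, though it is not strictly POSIX).

```sh
#!/bin/sh
# Added example: post-installation checks for the APAR IX44254 workaround.
# None of this is from the original post; it only verifies what the script does.

# Map the output of the AIX "oslevel" command to the tsm replacement named
# in the IX44254 instructions. Prints the version name; returns 1 when the
# string is not one the instructions cover (the caller should then stop).
tsm_version_for_oslevel() {
    case "$1" in
        "oslevel: not found"|"<3240"|"<>3240") echo "tsm-3.2.0" ;;
        "=3240"|">3240"|"<3250"|"<>3250")       echo "tsm-3.2.4" ;;
        "=3250"|">3250")                        echo "tsm-3.2.5" ;;
        *) return 1 ;;
    esac
}

# Return 0 if the inetd.conf given as $1 still has an uncommented "login"
# service line (i.e. rlogind is still reachable), 1 otherwise.  This is the
# same line the script's sed expression comments out.
inetd_rlogin_enabled() {
    grep -q '^login[[:space:]]' "$1"
}

# Return 0 if the patched tsm is in place in directory $1: tsm exists,
# login and getty are hard links to it (same inode), and the saved original
# tsm.ix44254 has had its execute bits removed.
tsm_patch_installed() {
    dir="$1"
    [ -f "$dir/tsm" ] || return 1
    [ "$dir/login" -ef "$dir/tsm" ] || return 1
    [ "$dir/getty" -ef "$dir/tsm" ] || return 1
    [ -f "$dir/tsm.ix44254" ] || return 1
    [ ! -x "$dir/tsm.ix44254" ] || return 1
    return 0
}

# Demonstration on constructed input (a scratch directory standing in for
# /usr/sbin and two hand-written inetd.conf fragments).
demo() {
    scratch=$(mktemp -d) || return 1

    # Constructed inetd.conf fragments: one with rlogin active, one disabled.
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/ftpd\tftpd\nlogin\tstream\ttcp\tnowait\troot\t/usr/sbin/rlogind\trlogind\n' \
        > "$scratch/inetd.conf.on"
    sed 's/^login/# login/' "$scratch/inetd.conf.on" > "$scratch/inetd.conf.off"

    # Constructed stand-in for /usr/sbin after the script has run.
    mkdir "$scratch/sbin"
    : > "$scratch/sbin/tsm";           chmod 555 "$scratch/sbin/tsm"
    : > "$scratch/sbin/tsm.ix44254";   chmod a-x "$scratch/sbin/tsm.ix44254"
    ln "$scratch/sbin/tsm" "$scratch/sbin/login"
    ln "$scratch/sbin/tsm" "$scratch/sbin/getty"

    for lvl in "<3240" ">3240" "=3250" "unknown"; do
        if v=$(tsm_version_for_oslevel "$lvl"); then
            echo "oslevel $lvl -> $v"
        else
            echo "oslevel $lvl -> not covered by the instructions"
        fi
    done
    if inetd_rlogin_enabled "$scratch/inetd.conf.on"; then echo "inetd.conf.on: rlogin enabled"; fi
    if ! inetd_rlogin_enabled "$scratch/inetd.conf.off"; then echo "inetd.conf.off: rlogin disabled"; fi
    if tsm_patch_installed "$scratch/sbin"; then echo "sbin: patched tsm installed"; fi

    rm -rf "$scratch"
}

demo
```

On a real host the checks would be run as `inetd_rlogin_enabled /etc/inetd.conf` and `tsm_patch_installed /usr/sbin`; both return non-zero on any deviation, so they can be looped over a host list with rsh or ssh and the failures collected.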