Quoting Lord of flying horned octopi:

> If rlogind was so easily spoofed, why not just use your own machine, i.e.
> one you have root access on, to spoof someone else's rlogind?

For the root user rlogind does not scan /etc/hosts.equiv. It only looks into /.rhosts when you try to access the root account. You would have to spoof DNS!

Only a brain-dead sys-admin would ever put any other machines but those in his own domain into any /etc/hosts.equiv. Those are the only machines over which (s)he has unlimited control and can make any assumptions about their reliability. (Neither would I ever rely on any other DNS server but the ones I am administering myself to give me correct information about my domain.)

To the users' personal ~/.rhosts then...

Because many normal users tend to keep a lot of unreliable machines in their own ~/.rhosts, some admins turn off the checking of the personal .rhosts files. Even though such an entry does not compromise directly more than the single user's account, it could be used as the first access point to a machine to allow further cracking.

On the whole rlogind is not more easily fooled than is the person administering the machine on which rlogind runs.

For more security one could always compile one's own rlogind (and rshd) and make sure the ip-source-route option is not set when a connection is opened. One could use tcpd to force the same effect.

As a general reply to the discussion about the inetd ...

Because inetd really can start non-root programs with sockets bound to ports below 512, you should remember these ports are reserved for IANA to assign. Ports from 512 to 1023 were originally reserved for UNIX services like rlogind (login), rshd (shell), rexecd (exec) and are in fact also IANA's domain, but these can be temporarily assigned by local sys-admins too on an as-needed basis.
On the whole there is no other real advantage in making a server run on a controlled (1023 or below) port but to know a normal user usually cannot steal a well known port for some other purpose, thus making a well known service unavailable on the particular machine. (This only goes as far as your machine is a multiuser host that makes a difference between normal and controlled ports.)

Relying on an attempted connection coming from a port with number 1023 or below makes sense only as far as you can rely on the remote peer to enforce the policy that only root can allocate a controlled port, and know the root on that particular machine has no malicious interest towards our machine. (Generally this means that the peer machines have the same admins.)

If the irc community wants to gain a "well known service" status for irc/ircd, please, do so by negotiating with IANA.

Cheers,
	// jau
------
  /    Jukka A. Ukkonen, M.Sc. (tech.)  Centre for Scientific Computing
 /__   Internet: ukkonen@csc.fi         Tel: (Home) +358-0-578628
   /   Internet: jau@cs.tut.fi               (Work) +358-0-4573208
  v    X.400: c=fi, admd=fumail, no prmd, org=csc, pn=jukka.ukkonen
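
The source-route check mentioned in the message above, sketched as an added example; it is not part of the original post and not taken from any rlogind source. The function names are hypothetical, and the socket-side helper assumes the strict policy of refusing a connection that carries any IP options at all.

```c
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* IPv4 option type bytes from RFC 791. */
#define OPT_EOL  0x00   /* end of option list */
#define OPT_NOP  0x01   /* one-byte padding */
#define OPT_LSRR 0x83   /* loose source and record route */
#define OPT_SSRR 0x89   /* strict source and record route */

/* Inspect a raw IPv4 header (e.g. from a capture).
 * Returns 1 if it carries a source-route option, 0 if not,
 * -1 if the header or its option list is malformed. */
int ipv4_header_source_routed(const unsigned char *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;   /* IHL in 32-bit words */
    if (hlen < 20 || hlen > len)
        return -1;
    for (size_t i = 20; i < hlen; ) {
        unsigned char type = hdr[i];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) { i++; continue; }
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        /* Every other option is type, length, data. */
        if (i + 1 >= hlen || hdr[i + 1] < 2 || i + hdr[i + 1] > hlen)
            return -1;
        i += hdr[i + 1];
    }
    return 0;
}

/* Daemon-side check on an accepted socket (hypothetical helper).
 * The layout of the buffer returned for IP_OPTIONS differs between
 * systems, so this refuses a connection carrying any IP options at
 * all, which covers source routing. Returns 1 to proceed, 0 to drop. */
int connection_acceptable(int fd)
{
    unsigned char opts[64];
    socklen_t optlen = sizeof(opts);
    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, opts, &optlen) != 0)
        return 0;                 /* cannot verify: fail closed */
    return optlen == 0;
}
```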