Hi to all.
How do I give permission to rlogin to an account by everybody from any host? I tried "* *" and it didn't work. Any suggestion?
Thanks
--
"Do or do not. There is no try" - Yoda
João Reis
On May 8, Joao Reis <joao.reis@2000comp.pt> wrote:
How do I give permission to rlogin to an account by everybody from any host?
Don't do that. Don't do that. Don't do that. If you want password-less logins, use ssh and give the people you trust the private key. The public key should be in ~/.ssh/authorized_keys then (on the server).
Markus
--
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus@gaugusch.at            X     Against HTML Mail
                             / \
The purpose of giving permission to everybody is because there is an account which is used by everybody in my company. This is a project account and my company only has 5 users. I don't see any security flaws in this case. If this account is screwed up then everybody will lose because their work is in this account.
P.S: sorry about my English
--
"Do or do not. There is no try" - Yoda
João Reis
On Thursday 08 May 2003 17:28, Joao Reis wrote:
The purpose of giving permission to everybody is because there is an account which is used by everybody in my company.
This is a project account and my company only has 5 users.
I don't see any security flaws in this case. If this account is screwed up then everybody will lose because their work is in this account.
Wouldn't it make more sense to set it up using some sort of group structure? Don't you want to be able to track who did what and when?
"Do or do not. There is no try" - Yoda
I take it Yoda never programmed in Java
Wouldn't it make more sense to set it up using some sort of group structure? Don't you want to be able to track who did what and when?
Each project is one account (because of environment purposes) and everybody works in that project, so everybody uses the same login. I want to remove the annoying password login in order to access the account.
"Do or do not. There is no try" - Yoda
I take it Yoda never programmed in Java
Ye :-)
What is the necessary configuration in .rhost in order to apply the wished permissions? :-)
Thanks
--
"Do or do not. There is no try" - Yoda
João Reis
On Thu, May 08, 2003 at 04:59:09PM +0100, Joao Reis wrote:
What is the necessary configuration in .rhost in order to apply the wished permissions? :-)
It used to be that "+ +" would allow any user from any host. But quite likely support for this has been disabled precisely to encourage people to look for other, more secure solutions.
Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
On Thu, 8 May 2003, Olaf Kirch wrote:
Date: Thu, 8 May 2003 19:39:51 +0200
From: Olaf Kirch <okir@suse.de>
To: Joao Reis <joao.reis@2000comp.pt>
Cc: Anders Johansson <andjoh@rydsbo.net>, suse-security@suse.com
Subject: Re: [suse-security] .rhost everybody access
On Thu, May 08, 2003 at 04:59:09PM +0100, Joao Reis wrote:
What is the necessary configuration in .rhost in order to apply the wished permissions? :-)
It used to be that "+ +" would allow any user from any host. But quite likely support for this has been disabled precisely to encourage people to look for other, more secure solutions.
To reenable that you will have to play with the options of the pam modules; have a look at /usr/share/doc/packages/pam/modules/README.pam_rhosts. You will have to add the "promiscuous" flag in /etc/pam.d/rsh and /etc/pam.d/rlogin to pam_rhosts_auth.so.
I would still recommend that you use ssh and I would discourage shared accounts as they tend to be an administrative nightmare.
Best regards
Hubba
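A defensive check for the two settings named in this message and the one it quotes, added here as an example and not part of the original thread: it flags bare "+" entries in .rhosts-style files and an active "promiscuous" option on pam_rhosts_auth. The function names and the optional root-prefix argument are assumptions of the example; /etc/hosts.equiv is included because it uses the same entry format.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the optional
# root-prefix argument are assumptions made for this sketch.

# rhosts_wildcards FILE
# Print FILE:LINE: ENTRY for each entry whose host or user field is a bare
# "+" (any host / any user). Exit 0 if at least one such entry exists.
rhosts_wildcards() {
    awk -v f="$1" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        $1 == "+" || $2 == "+" { printf "%s:%d: %s\n", f, NR, $0; hit = 1 }
        END { exit !hit }
    ' "$1"
}

# pam_rhosts_promiscuous FILE
# Exit 0 if an active (uncommented) pam_rhosts_auth line carries the
# "promiscuous" option described in the message above.
pam_rhosts_promiscuous() {
    awk -v f="$1" '
        $1 ~ /^#/ { next }
        /pam_rhosts_auth/ {
            for (i = 1; i <= NF; i++)
                if ($i == "promiscuous") { printf "%s:%d: %s\n", f, NR, $0; hit = 1 }
        }
        END { exit !hit }
    ' "$1"
}

# audit_rhosts_trust [ROOT]
# Check the usual locations below ROOT (default: the live system).
# Exit 0 if any finding was printed, 1 if the system looks clean.
audit_rhosts_trust() {
    root=${1:-}
    found=1
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        if [ -f "$f" ] && rhosts_wildcards "$f"; then found=0; fi
    done
    for f in "$root/etc/pam.d/rsh" "$root/etc/pam.d/rlogin"; do
        if [ -f "$f" ] && pam_rhosts_promiscuous "$f"; then found=0; fi
    done
    return $found
}
```

Run `audit_rhosts_trust` as root so that every home directory is readable; an exit status of 0 means at least one finding was printed.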
First thing first: I can't answer your original question on how to configure rlogin to let anybody in. I dumped rlogin completely years ago. Sorry. But nevertheless, allow me some remarks:
On Thu, 8 May 2003, Joao Reis wrote:
The purpose of giving permission to everybody is because there is an account which is used by everybody in my company.
This is a project account and my company only has 5 users.
Then I still don't see why you don't simply set up some unix group for the project and create the project directories with write permission for the group. That's exactly what unix groups are invented for.
If it's for the common environment thing, well, just add a shell script that clears the current environment (if necessary) and sets up the common environment for the project. Tell your co-workers to source this script into their shell when starting to work on the project. That's at least as comfortable as doing an rlogin.
If you still want the common account, then I'd recommend to follow the proposal of Markus to distribute the private key to ssh to that account among the project members.
I don't see any security flaws in this case. If this account is screwed up then everybody will lose because their work is in this account.
Well maybe, if your box does not have any connection to the Internet, the risks may be limited. If your box is connected to the net, then I do see security flaws. Just to name some of them:
* The computer may be abused to send spam.
* The computer may be abused to participate in DDOS attacks. This can become quite costly if you are sued for the damage.
* Any locally exploitable security bug that permits a root compromise turns automatically into a remotely exploitable root compromise, which raises the impact of any bug quite much.
--
Rolf Krahl <rolf.krahl@gmx.net>
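The group-based layout suggested in the message above, as an added example that is not part of the original post: a project directory owned by a Unix group, a check that the layout is still intact, and a small environment function for members to call after sourcing the file. The setgid bit, the 2770 mode, the umask value, PROJECT_ROOT and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, PROJECT_ROOT and the
# chosen modes are assumptions; the group must already exist and the caller
# must be root or a member of it.

# setup_project_dir DIR GROUP: create DIR with mode 2770 owned by GROUP.
#   2   = setgid: new files and subdirectories inherit GROUP
#   770 = owner and group may read, write and search; no access for others
setup_project_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# check_project_dir DIR GROUP: succeed only if DIR still has that layout.
check_project_dir() {
    dir=$1 group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    [ -g "$dir" ] || { echo "$dir: setgid bit missing" >&2; return 1; }
    info=$(ls -ld "$dir" | awk '{ print $1, $4 }')   # mode string, group
    mode=${info% *} owner_group=${info#* }
    [ "$owner_group" = "$group" ] || {
        echo "$dir: group is $owner_group, expected $group" >&2; return 1; }
    case $mode in
        d???rws---*) return 0 ;;
        *) echo "$dir: mode $mode, expected drwxrws---" >&2; return 1 ;;
    esac
}

# project_env DIR: call after sourcing this file when starting work.
project_env() {
    umask 007                        # new files stay writable by the group
    PROJECT_ROOT=$1; export PROJECT_ROOT
    cd "$PROJECT_ROOT" || return 1
}
```

Each member keeps a personal login and is added to the project group, so file ownership still records who created what.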
Rolf Krahl wrote:
On Thu, 8 May 2003, Joao Reis wrote:
The purpose of giving permission to everybody is because there is an account which is used by everybody in my company.
This is a project account and my company only has 5 users.
Then I still don't see why you don't simply set up some unix group for the project and create the project directories with write permission for the group. That's exactly what unix groups are invented for.
Don't forget to sgid the project directory, so that new subdirectories are also owned by <prj-group> and group-writeable.
If you still want the common account, then I'd recommend to follow the proposal of Markus to distribute the private key to ssh to that account among the project members.
Nope, the users need to import their id<something>.pub to "/home/<targetaccount>/.ssh/authorized_keys". A private key should be just that: Private.
Peter
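The per-user public key arrangement described in this message, as an added example that is not part of the original post: each member's .pub file is appended to the shared account's authorized_keys, a file that contains a private key is refused, and the key comments remain as a record of whose key is installed. The function names and the accepted key-type list are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions. Run it
# as the target account so the files end up owned by that account.

# install_pubkey HOME_DIR PUBKEY_FILE
# Append the public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
# Returns 2 if the file is not a public key, 0 if installed or already there.
install_pubkey() {
    home=$1 pub=$2
    # A private key must never leave its owner's machine: refuse it outright.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub: this is a private key, refusing" >&2; return 2
    fi
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    # sshd ignores authorized_keys when these are writable by others.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    # Compare on "type blob" so a changed comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then return 0; fi
    printf '%s\n' "$key" >> "$auth"
}

# key_owners HOME_DIR
# List the comment field of every installed key (who has access).
# Assumes entries without an options prefix such as from="...".
key_owners() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $3 }' "$1/.ssh/authorized_keys"
}
```

Removing one person's access then means deleting one line from authorized_keys, with no key redistribution to the other members.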
On Thu, May 08, 2003 at 04:06:45PM +0100, Joao Reis wrote:
How do I give permission to rlogin to an account by everybody from any host?
I tried "* *" and it didn't work
Any suggestion?
though I think this idea is BAD, and other replies are valid, I'd like to answer the original question. since you obviously only have a few users, you could list them explicitly. at least better than "@all @all" ... note that I think you should NOT do it this way.
~/.rhosts:
    box1.your.domain user1
    box1.your.domain user2
    box1.your.domain user3
    box2.your.domain user1
    box2.your.domain user2
    box2.your.domain user3
or use @netgroups ... but then again, why should you do that.
Lars
* Joao Reis wrote on Thu, May 08, 2003 at 16:06 +0100:
How do I give permission to rlogin to an account by everybody from any host?
Any suggestion?
As already said, simply don't do that. This is one of the cases where the question/requirement is wrong. To give everybody from any host to an account, set the empty password (maybe you must run passwd as root, since the users may not be allowed to disable security that much). Fortunately, I'm unable to test this, since I don't have any r*ish setups available at all :-)
"Do or do not. There is no try" - Yoda
[some other mail]
I take it Yoda never programmed in Java.
Yes, it seems clear that Yoda programs in C, which is not surprising for old-school people :-)
oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
participants (9)
- Anders Johansson
- Hubertus A. Haniel
- Joao Reis
- Lars Ellenberg
- Markus Gaugusch
- Olaf Kirch
- Peter Wiersig
- Rolf Krahl
- Steffen Dettmer