
Are You Still Using RSH?

Russ Hunter

Running RSH is like leaving your house keys under the welcome mat. SSH offers the same convenience and functionality with far greater security, so why haven't you switched?

Why Not RSH?

RSH (including rcp and rlogin) has been around for a long time. When RSH first came onto the scene, it was an essential tool for UNIX users. By logging into just one system, a user could run commands on any server where he or she had an account and an .rhosts file. Files could be copied from server to server as easily as from directory to directory. With a well-configured RSH environment, a user could type his password first thing in the morning and never have to type it again as he used rlogin to jump from system to system.

"Tell us more, Grandpa!"

"Well, we had to walk six miles in the freezing rain just to get to a green screen terminal with Internet access. But we only typed our password once! It was a golden age, kids!"

So what went wrong? Well, in those days security wasn't a big issue. RSH is convenient, but it has some serious security shortcomings. Like Telnet and FTP, RSH traffic is passed as clear text. If you connect to a server via rlogin and su to the root account, you're sharing that root password with anyone who happens to be listening in on your traffic.

"But our network is strictly switched, and security is good. No one can penetrate our perimeter!"

That may be good enough to keep out the casual hacker, but what if someone discovers a new router exploit and gains access before a patch is released? If you're not practicing defense in depth, the best you can hope for is a red flag on your company's next security audit. The worst-case scenario is an intruder with a free pass to every UNIX server on your network. If this happened, would you want to tell your CIO that the breach could have been prevented?

Reasons Not To Change

Inertia is a powerful force in the IT realm. "If it ain't broke, don't fix it" is an all-too-common refrain when discussing production systems. Many organizations have been using RSH for years, and aren't comfortable with change. In addition to user complaints that ensue if rsh is taken away, automated processes may rely on rsh. If these processes are poorly documented (and at least some of them usually are), disabling RSH is sure to break production. This is a valid concern, but it shouldn't be an excuse to disregard the risks inherent in rsh. We'll deal with those production issues later on.
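The inventory this concern calls for, as an added example that is not part of the original article: a shell script that lists every .rhosts and hosts.equiv trust entry under a directory, plus every file that calls rsh, rcp or rlogin. The function names, host names and sample tree are constructed for illustration, and only a bare "+" is flagged as a wildcard.

```shell
#!/bin/sh
# Added example: inventory rsh trust files and rsh callers before disabling rsh.

# Print each trust entry in .rhosts / hosts.equiv files below $1 as
# "file|host|user|risk". A bare "+" is a wildcard: any host, or any user.
audit_rhosts() {
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null | sort |
    while IFS= read -r file; do
        # Drop comments and blank lines, then classify what is left.
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
        while read -r host user rest; do
            risk=
            [ "$host" = "+" ] && risk=ANY-HOST
            [ "$user" = "+" ] && risk="${risk:+$risk,}ANY-USER"
            printf '%s|%s|%s|%s\n' "$file" "$host" "${user:--}" "${risk:-explicit}"
        done
    done
}

# List file:line:text for every whole-word use of rsh, rcp or rlogin below $1,
# so undocumented jobs can be found and migrated first. Binary files are skipped.
find_rsh_callers() {
    grep -rnIwE 'rsh|rcp|rlogin' "$1" 2>/dev/null | sort
}

# Constructed sample tree (not real data): two home directories and one cron job.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/etc/cron.d"
    printf 'build01.example.com alice\n# old lab box\n+ +\n' > "$root/home/alice/.rhosts"
    printf 'db02.example.com\n' > "$root/home/bob/.rhosts"
    printf '0 2 * * * root rcp /var/backup/db.tar db02.example.com:/backup/\n' \
        > "$root/etc/cron.d/nightly"
    printf '#!/bin/sh\nssh db02.example.com uptime\n' > "$root/home/bob/check.sh"
    printf '%s\n' "$root"
}

# Run against a directory given on the command line, e.g.: sh audit.sh /home
if [ $# -gt 0 ]; then
    audit_rhosts "$1"
    find_rsh_callers "$1"
fi
```

Comment lines that merely mention rsh are reported too, so treat the caller list as candidates to review rather than a confirmed dependency list.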
