Date: Mon, 22 Jan 2001 20:59:42 +0200
From: "Ehud Karni"
To: "Keith Starsmeare", "Jason Tishler"
CC: cygwin AT cygwin DOT com
Subject: Re: rsh -l doesn't require a password

On Mon, 22 Jan 2001 09:36:47 -0500, Jason Tishler wrote:
>
> On Mon, Jan 22, 2001 at 02:12:01PM +0000, Keith Starsmeare wrote:
> > I can access my NT box via rsh remotely without giving a password
> > if I use the -l option to specify a valid user account:
> >
> > % rsh -l kstarsm kampala id
> >
> > As I haven't set up the hosts.equiv or .rhosts files I would hope
> > to see: Permission denied.
>
> Since Cygwin's mkpasswd creates an empty pw_passwd field, ....
> any user is allowed rsh access.
>
> I "fixed" the problem by inserting asterisks into the pw_passwd
> fields in my /etc/passwd file.  For example:
>
>     jt:*:1004:513:Jason Tishler,S-1...
>        ^
>        +--- here

This is normal UNIX behavior, on any UNIX system I know. `rsh' or
`rlogin' does not provide more security than `telnet', and since you
can log in to any account without a password just by knowing the user
name, you can also `rsh' or `rlogin' (on the other hand, FTP does not
work on accounts without a password).

The asterisk, or any non-possible encrypted passwd string (any string
that is not exactly 13 characters long or has a character other than
. / 0-9 a-z A-Z, e.g. "XXXXXX", "2001-01-20-HH"), has its own problems.
The user cannot log in with user name and password (no password will
fit!). The user can log in through `rlogin' (when the proper ~/.rhosts
or /etc/hosts.equiv exists) or `ssh' (using RSA or DSA authentication),
or s/he can use the `su' command from root (which I'm not sure works on
Windows).

The proper way is to set the password using the `passwd' command (which
the Cygwin developers have ported).

This illustrates one of the Cygwin problems: even people who have worked
on UNIX for many years but lack administrator knowledge fall prey to
simple mistakes/omissions which are not mentioned explicitly in the
README (sometimes not even in the man pages).

I did not fall into this trap because I copied my /etc/passwd from the
Linux. On the other hand, my extra services which I had in /etc/services
did not work until I added them into the Windows services file (the same
is true for /etc/hosts, of course).

Ehud.

-- 
Ehud Karni    Simon & Wiesel Insurance agency
Tel: +972-3-6212-757  Fax: +972-3-6292-544
(USA) Fax and voice mail: 1-815-5509341
Better Safe Than Sorry
http://www.simonwiesel.co.il    mailto:ehud AT unix DOT simonwiesel DOT co DOT il
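
An added example, not part of the message above and not Cygwin code: a shell audit that classifies the pw_passwd field of each entry using the rules the message describes (empty, a 13-character string over `. / 0-9 a-z A-Z`, or anything else). The function names and the sample entries are constructed for illustration, and the check assumes only traditional 13-character crypt strings, so other hash formats would be reported as LOCKED.

```shell
#!/bin/sh
# Added example: audit the password field of /etc/passwd-style entries.

# classify_passwd FILE -> prints "user<TAB>state" for every entry
classify_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments, blank lines
        NF < 7 { print $1 "\tMALFORMED"; next }  # passwd entries have 7 fields
        {
            pw = $2
            if (pw == "")
                state = "EMPTY"    # no password: user name alone is enough
            else if (length(pw) == 13 && pw ~ "^[./0-9a-zA-Z]+$")
                state = "CRYPT"    # shaped like a traditional crypt string
            else
                state = "LOCKED"   # no typed password can match this field
            print $1 "\t" state
        }
    ' "$1"
}

# empty_accounts FILE -> prints only the user names with an empty field
empty_accounts() {
    classify_passwd "$1" | awk -F'\t' '$2 == "EMPTY" { print $1 }'
}

# make_sample FILE -> writes constructed entries (not real accounts or hashes)
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries
kstarsm::1005:513:Sample User:/home/kstarsm:/bin/bash
jt:*:1004:513:Sample User:/home/jt:/bin/bash
alice:ab01234567./Z:1006:513:Sample User:/home/alice:/bin/bash
bob:XXXXXX:1007:513:Sample User:/home/bob:/bin/bash
EOF
}

# Demo on the constructed sample; point classify_passwd at /etc/passwd to audit.
sample=$(mktemp)
make_sample "$sample"
classify_passwd "$sample"
rm -f "$sample"
```

A LOCKED entry only blocks password logins; as the message notes, `rlogin' with a matching ~/.rhosts or /etc/hosts.equiv and `ssh' key authentication still work for that account.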