is rlogin secure?

Jim Cheetham jim at egressive.com
Fri Apr 15 03:28:01 UTC 2005 

On Thu, 2005-04-14 at 06:54 -0400, IvoE wrote:
> I just installed a test machine with Ubuntu to use within our company
> network. We are using rlogin, rsh etc to do some remote work on other
> machine's in the same network. Please try to explain why I should use
> ssh instead of rlogin at a safe inhouse network.

You know that I can't resist that :-)

The simple answer relates to the trust of the other machines and users
on your LAN. Reading your later posts, I see that you "officially" have
complete trust in your network. In that case, you are completely correct
- using ssh instead of rsh introduces the overhead of encryption that
you don't need.

However, I presume that your LAN is connected to the Internet in some
manner. Network security philosophy for a number of years has been
"build a strong firewall, then we don't need security internally". This
is a decent response when the cost of securing the internal machines is
too high (i.e. perhaps they run Windows, and are therefore inherently
un-secureable in most cases).

However, if there is a penetration at your firewall or external
interface, you are completely sunk - your internal network becomes
untrustworthy, because now you have the possibility of software running
in there that was not introduced by your trustworthy users.

Like all things related to security, you should be comparing the cost of
addressing this problem, with the cost of the damage, and the likelihood
of it occurring.

The "ssh not rsh" policy is generally a good one, because the overhead
of encryption is not very high in most circumstances.

> I haven't been able to find a solution yet, but I really want to use
> the 'normal' rsh tools instead of the secure ones. I hope someone can
> help me out and tell me how to get it working, instead of asking me why
> I 'insist to use rlogin'.

The rsh-client 0.17-13 package from universe provides rsh, rcp and
rlogin, although the binaries are prefixed with "netkit-"

openssh-client from main conflicts with rsh-client (<< 0.16.1-1), so at
current hoary levels, you should be able to install both.

If you want to make /usr/bin/rsh -> the rsh-client version, I suggest
you alter the /etc/alternatives/r(sh|cp|login) symlinks. There might be
a "correct" way to do this, but a manual alteration should work OK.
-- 
-jim cheetham = jim at egressive dot com
www.egressive.com, www.effusiongroup.com

More information about the ubuntu-users mailing list