rlogin -l root

ajt on 2005-06-15T20:13:11

We have a senior SAP/AIX consultant at work who thinks rlogin -l root is perfectly sound. He also allows any x-client to connect to a running xserver, and happily rcp files around the site. Any attempt to get him to use SSH is greeted with considerable resistance.

Is it just me or does it give you the shivers too?


Solution: ettercap

merlyn on 2005-06-15T23:35:36

Download and install Ettercap. Leave it running in plain sight. Next time he uses the rlogin protocol, show how ettercap displays his password in the clear.

I think that'll prove the point.

Re:

Aristotle on 2005-06-16T00:33:18

Yeah, or dsniff, which was developed exactly for this purpose: to convince a University’s admins that there’s a real reason to mandate SSH and retire the r* tools.

Re:

ajt on 2005-06-16T09:10:34

SAP need convincing first...

Re:Solution: ettercap

ajt on 2005-06-16T08:56:21

I've told him that telnet as root is a really bad idea. I nearly fell out of my chair when I realised he was r* as root, and wanting to use NFS with root enabled. Whenever I complain, he says we are behind a firewall and all the SSH stuff is just rubbish from Linux - which isn't real Unix anyway....

The real problem is a culture clash. He thinks Linux is a toy, and that SSH/sudo are pains. To him only AIX/Solaris are "real" solutions, and plain telnet/r tools/wide open X are all you need. As for me, I use SSH by default, never login as root - only sudo, I don't even install r* tools, and AIX/Solaris are expensive dinosaurs (though useful skills to have on one's CV).

It's not helped by the fact that SAP is a technical dinosaur too, it relies on the r tools, and wide open NFS shares. I think the later versions are more secure, but the one we run is antique.
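The setup described in this post (r* services enabled, root trust via rhosts) is easy to audit mechanically. The following is an added example, not code from anyone in this thread: it flags the cleartext/trust-based services in an inetd.conf excerpt and the "+" wildcard entries in a hosts.equiv or .rhosts file. Both inputs are constructed sample data; the service names are the standard inetd names.

```python
"""Added audit helper: flag legacy cleartext or trust-based inetd services
(rlogin, rsh, rexec, telnet) and wildcard trust entries in hosts.equiv/.rhosts.
SAMPLE_INETD and SAMPLE_RHOSTS below are constructed, not taken from a real host."""

# inetd service name -> common name. Each authenticates over the wire in the
# clear, or trusts a remote host/user pair with no password at all.
CLEARTEXT_SERVICES = {"login": "rlogin", "shell": "rsh", "exec": "rexec", "telnet": "telnet"}

def audit_inetd(text):
    """Return (service, line_no) for every enabled cleartext service in inetd.conf text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue                      # blank or commented out: service is disabled
        svc = s.split()[0]                # first field is the service name
        if svc in CLEARTEXT_SERVICES:
            findings.append((CLEARTEXT_SERVICES[svc], n))
    return findings

def audit_rhosts(text):
    """Return (line_no, entry) for every '+' wildcard (any host and/or any user)."""
    risky = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.split("#", 1)[0].strip()  # drop trailing comments
        if not s:
            continue
        fields = s.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            risky.append((n, s))
    return risky

SAMPLE_INETD = """\
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/rshd     rshd
login   stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
exec    stream  tcp  nowait  root  /usr/sbin/rexecd   rexecd
"""
SAMPLE_RHOSTS = """\
sapdb01 sapadm
+ +
appsrv  root
"""

if __name__ == "__main__":
    for svc, n in audit_inetd(SAMPLE_INETD):
        print(f"inetd.conf line {n}: {svc} enabled (cleartext/trust-based)")
    for n, entry in audit_rhosts(SAMPLE_RHOSTS):
        print(f".rhosts line {n}: wildcard trust entry '{entry}'")
```

Run against the real /etc/inetd.conf, /etc/hosts.equiv and each ~/.rhosts to get a list of what the SSH migration actually has to replace.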

Re:

Aristotle on 2005-06-16T10:13:41

Ask him how much he is willing to bet that no one will ever break that firewall. Ask him how much he is willing to bet that no user will ever be tempted to sniff for passwords.

Also, both sudo and SSH originate in BSD.

sudo in particular is really, really old (from 1980 – far older than the Linux kernel, older even than the GNU project).

Solaris ships with both.

Re:

ajt on 2005-06-16T12:09:23

Our firewall has Windows notebooks connecting through it via VPN. Personally I consider it to be meaningless, given that remote notebooks cannot be trusted. I believe the firewall even runs on a Windows server, though I could be wrong, so I don't trust it in that respect either.

I know SSH comes from OpenBSD, but to him it's somehow "tainted goods" now it's used on Linux. I didn't know that sudo was that old, but he claims it doesn't work properly on AIX 4.x, so he never uses it.

I suppose it's mostly a case of "I did it this way a decade ago - why should I change?". Add to this the "If it doesn't have IBM/HP/Sun on the box, it's not worth using" attitude, and you can see why Red Hat on x86 just doesn't seem to cut it.

I can just about get him to accept that BSD is Unix, but only then as a stepping stone to real commercial Unix. I know that the Linux kernel and BSD kernel are different, but an awful lot of the userspace code is now common.

Re:

Aristotle on 2005-06-16T13:00:36

Actually the userspace still differs vastly on the very lowest level (init, the toolbox, and stuff like that). For anything above the bare metal you’re right, though.

Uhm, the setup running in your place sounds like a disaster waiting to happen. If I was in your shoes, assuming you have any responsibility for any of the systems, I’d be looking for ways to CYA.

Re:

ajt on 2005-06-16T21:04:33

I've made my concerns known...

Re:

drhyde on 2005-06-17T09:14:11

Categorising this as a "disaster waiting to happen" reminds me of a discussion I had recently in the comments on a friend's Live Journal - IT people seem to be not very good at evaluating risk.

The security (or lack thereof) at ajt's employer doesn't sound any different to what it was two years ago when I started work there (I have since moved on). There were no major incidents in the year I was there and I think it unlikely that there have been since.

Re:

Aristotle on 2005-06-17T10:13:52

“I never fasten my seat belt.” “That’s a disaster waiting to happen.” “You are not very good at evaluating risk. I’ve never been in an accident.”

Re:

drhyde on 2005-06-17T10:54:24

Well done. You managed to miss the point.

Re:Solution: ettercap

drhyde on 2005-06-17T09:08:04

I'm sure I remember your lovely employer having a policy on password use. I'm quite certain that you can find something suitable in there to bash him over the head with.

Use Facts

include on 2005-06-16T15:08:07

Hello ajt, I had a boss like that, and in that time I used facts like: Sans Institute
rlogin has been listed in this report since it was born :)

" Remember Star Trek's transporter mechanism? "Beam me up, Scotty" allowed Jim Kirk, Spock, and their friends to be transported from one place to another instantaneously. Well, that is science fiction, but it is an analogy that is useful in describing how computer systems vulnerabilities are exploited. by Larry Rogers"

Now as you can see, there are many people making Security Checklists, and all of them talk about plain-text logins :).

CERT
AusCERT
Infosyssec
SecurityMap

:) If your boss has some time to spend, please check this out :) Unix Timeline, and look for where BSD enters the Unix History :), don't get surprised :)

Meanwhile, if you are trying to find some good app to sniff your network, OK, go for it, but then just make sure nobody else sniffs your network :).

Some tools: FreeBSD Ports Collection/Security

bye and good luck

Re:Use Facts

ajt on 2005-06-16T21:14:03

Somehow I don't think facts can help in this case...

Sad isn't it?