Host Security

Lesson 7: Insecure remote login
Objective: Describe insecure remote login services

Insecure remote login using Red Hat Linux

Remote login is provided by a number of network services. These services allow users to connect to a machine from across the network and use it as if they were sitting at it. However, many of these services give crackers an easy way into your machine, either by sending everything (passwords included) in clear text or by allowing anonymous logins.
The information below describes the vulnerabilities opened up by remote login services, by password-free logins, and by allowing other machines to access your system.

Common remote login services

Telnet is the most common remote login service. Your password and everything else you send, including any other passwords, is transmitted in clear text across the network. Linux utilities such as rlogin, rsh, and rexec allow users to easily log in and execute commands on remote machines, but again everything is transmitted without encryption.
To create a secure environment, disable these utilities.

Disable password-free logins

You should never provide public, password-free accounts on your machine. If you must provide public access, hand over the password face to face and change your passwords often. To disable password-free login, edit the files /etc/pam.d/rlogin and /etc/pam.d/rsh and reconfigure the security settings they contain.

Remote Login Using Linux

The slide notes below review how to disable password-free logins.

Red Hat Reference
  1. This command displays the contents of the rlogin and rsh PAM authorization files.
  2. This line indicates that users can use a .rhosts file in their home directory to allow password-free logins.
  3. This line indicates that if the user is trying to log in as root, the tty on which they are logging
  4. This line will cause the system to ask the user for a password and will check the password.
  5. This line checks to see if the file /etc/nologin exists.
  6. This line instructs the system to compare the user's attributes (stored in the password database) against system limits.
  7. This line subjects a newly changed password to a series of tests to ensure that it cannot be easily determined by a dictionary-based password cracking program.
  8. This line specifies that if the login program changes the user's password, it should use the pam_pwdb.so module to do so.
  9. This line specifies that the pam_pwdb.so module should be used to manage the session.

Disabling Password Logins

.rhosts and /etc/hosts.equiv

The /etc/hosts.equiv file lists "administratively equivalent" hosts, from which users can connect without a password; for example, bob on machine1 can connect as bob on machine2 without a password if machine1 is listed in machine2's /etc/hosts.equiv file. The .rhosts file in any user's home directory lists the users and machines that can connect as that user without giving a password. The authentication used to decide whether to allow such a connection is totally insecure. Even if connections are restricted to the local network, a compromise of one machine on your network can instantly lead to a compromise of your entire network.
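The PAM check from the slide notes above and the trust files described in this section, as an added audit example that is not part of the original lesson: it reports whether a PAM service file still loads pam_rhosts_auth.so (the module that honours ~/.rhosts and /etc/hosts.equiv), comments that line out, and counts the trust files present. The sample rlogin file and the .rhosts entry are constructed, and the directory layout is assumed to mirror /etc/pam.d and /home.

```shell
#!/bin/sh
# Added audit example, not part of the original lesson. Works on a copy of a PAM
# service file such as /etc/pam.d/rlogin or /etc/pam.d/rsh.

# rhosts_auth_status FILE: prints INSECURE if an uncommented auth line loads
# pam_rhosts_auth.so (password-free logins possible), otherwise prints ok.
rhosts_auth_status() {
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_rhosts_auth\.so' "$1"; then
        echo INSECURE
    else
        echo ok
    fi
}

# disable_rhosts_auth FILE: comments out every active pam_rhosts_auth.so line,
# keeping the original as FILE.orig so the change can be reviewed or reverted.
disable_rhosts_auth() {
    cp "$1" "$1.orig"
    sed 's/^\([[:space:]]*auth[[:space:]].*pam_rhosts_auth\.so.*\)$/#\1/' "$1.orig" > "$1"
}

# count_trust_files ROOT: counts .rhosts files under ROOT (use / on a real
# system so that /home is covered) plus ROOT/etc/hosts.equiv if it exists.
count_trust_files() {
    n=$(find "$1" -name .rhosts -type f 2>/dev/null | wc -l | tr -d ' ')
    [ -f "$1/etc/hosts.equiv" ] && n=$((n + 1))
    echo "$n"
}

# Constructed sample modelled on a stock Red Hat /etc/pam.d/rlogin of the period.
work=$(mktemp -d)
cat > "$work/rlogin" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok
session    required     /lib/security/pam_pwdb.so
EOF
# Constructed trust file: lets bob on machine1 log in as this user without a password.
mkdir -p "$work/home/bob" && echo "machine1 bob" > "$work/home/bob/.rhosts"

echo "before: $(rhosts_auth_status "$work/rlogin")"        # INSECURE
disable_rhosts_auth "$work/rlogin"
echo "after:  $(rhosts_auth_status "$work/rlogin")"        # ok
echo "trust files under $work: $(count_trust_files "$work")"   # 1
```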
Question: What command is inserted into the /etc/pam.d/rlogin file to disable password-free logins?
Answer:
auth required /lib/security/pam_nologin.so
The next lesson discusses secure remote login services.