Tru Gurus,
First let me say that I appreciate the responses from everyone on
using ssh vice rsh since rsh is fundamentally insecure. We recommended ssh
a few months ago when Unfortunately, we cannot implement rsh until it has
been properly evaluated by our "real-lab" and they have been looking at it
for quite some time. We have been given interim permission to use rsh until
ssh is approved since we are cut off from the rest of the world by a
gazillion firewalls and the administrators are the only people to have
actual accounts on the servers. I received a slap on the wrist from the
following:
Anthony Talltree,
Chris Ruhnke,
Alan Davis,
Steve VanDevender,
sysadmin_at_astro.su.se,
Ray Donovan, and
Kazuro Furukawa
Thank you, sincerely, for your comments on security. Security is one area
that is usually overlooked, but this list, as always, was right on top of
things.
That being said, Kazuro Furukawa and system administration account
[sysadmin_at_astro.su.se] provided the responses that actually solved my
problem. Here is Kazuro Furukawa's response (including the "Oh-my-God,
you're using rsh!" caution)

I surely don't recommend sending a password with rsh. Anyone can
monitor the password on your network. If you really want to do it,
send the command as stdin to the remote shell so as not to log the password.
Following is a piece of a shell script.

rsh=/usr/ucb/rsh
remoteuser=
# Execute commands
# The commands are piped to the remote /bin/sh on stdin, so they are
# not part of the rsh command line.
if [ "$background" = "no" ]; then
    echo "($commands)" | \
        $rsh $remoteuser $remotehost /bin/sh
else
    # Background case: discard remote output and detach the remote job
    echo "($commands)" '> /dev/null 2>&1 &' | \
        $rsh $remoteuser $remotehost /bin/sh &
fi

Tru64 Gurus,
I have a unique question about the logging of rsh events. I
recently wrote a ksh script that makes an rsh call to expect on all of our
servers to remotely change passwords. The problem with this is that the rsh
call is getting logged (by syslogd in auth.log) along with the expect call
and the arguments, which happen to be the username and the password! The
security audit team had a field day with me! My question is this: I don't
want to eliminate the rsh entry from the audit logs but I would like to
eliminate, preferably, the arguments to the expect call, or, if need be,
eliminate the expect call and the parameters from the log. Is there a way
to do this? Thanks in advance.
Mike Mehall
SAP Basis Team
Northrop Grumman Corp.
410-765-0355
michael_r_mehall_at_mail.northgrum.com
Received on Tue Jan 22 2002 - 18:34:29 NZDT
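
The difference between the two invocations discussed in this thread, as an added example that is not part of the original messages. `fake_rsh` and the stub password tool are hypothetical local stand-ins (no network, no real rshd), and the host, user and password are constructed sample values.

```shell
#!/bin/sh
# fake_rsh is a hypothetical stand-in for rsh + rshd: it records the
# requested command string (as the thread says rshd did in auth.log)
# and then runs it. Data arriving on stdin is never part of that record.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG=$WORK/fake_auth.log

fake_rsh() {
    host=$1; shift
    printf 'rshd: host=%s cmd=%s\n' "$host" "$*" >> "$LOG"
    sh -c "$*"          # stdin is passed through to the command untouched
}

# Stub for the remote password-change tool (the thread used expect).
STUB=$WORK/chpass_stub
printf '#!/bin/sh\necho "password changed for $1"\n' > "$STUB"

# Constructed sample values.
remotehost=server01
user=alice
secret='S3cret-Example'

# Pattern from the original question: user and password are arguments
# of the remote command, so they end up in the log entry.
change_via_argv() {
    fake_rsh "$remotehost" "sh $STUB $user $secret"
}

# Pattern from the reply: the only argument is /bin/sh, and the real
# command line is fed to that shell on stdin.
change_via_stdin() {
    echo "(sh $STUB $user $secret)" | fake_rsh "$remotehost" /bin/sh
}

change_via_argv
change_via_stdin
echo "--- log contents ---"
cat "$LOG"
```

The rsh entry itself is still logged in the second case, which is what the original question asked for. As the reply already says, the password still crosses the network in the clear.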