This is a discussion on rlogin within the AIX Operating System forums, part of the Unix Operating Systems category.
We are using AIX operating system. I found that users are having attributes of rlogin = true. Also, we noted that users are connected to the host using a terminal emulation software that uses telnet connection. We have only 1 host system. Am I correct to say as below:

1. Users having attribute of rlogin = true means that they are able to remotely login to the host to perform their duties from their terminals without the need to be stationed in the server room where the host resides.
2. Remote login made via telnet is insecure and has no protection, encryption or any means to protect data, logins, passwords or any activity conducted from being sniffed by people in control of intermediate hosts.

When I gave the above scenario to the IT expert in our company and recommended them to have an SSH connection, below are his comments:

"When we have successfully logon server A and wish to logon server B without terminating the original logon, then we have to use "rlogin". We are not using this feature in our daily operation because we have only one host."

I'm confused… Does it mean that in a single host situation, remote terminals (let's say from different floors of the Company) using the telnet session of the terminal emulation software can still access the host even if the rlogin = false? If users can still access the host, are there any risks involved in this situation?

Please advise. Thank you.

Regards,
TC

ftengcheng@yahoo.co.uk (TC) wrote in message news:<da9f7573.0410251859.599fd415@posting.google.com>...
> We are using AIX operating system. I found that users are having
> attributes of rlogin = true. Also, we noted that users are connected
> to the host using a terminal emulation software that uses telnet
> connection. We have only 1 host system. Am I correct to say as
> below:-
>
> 1. Users having attribute of rlogin = true means that they are able to
> remotely login to the host to perform their duties from their
> terminals without the need to be stationed in the server room where
> the host resides.
> 2. Remote login made via telnet is insecure and has no protection,
> encryption or any means to protect data, logins, passwords or any
> activity conducted from being sniffed by people in control of
> intermediate hosts.
>
> When I gave the above scenario to the IT expert in our company and
> recommended them to have an SSH connection, below are his comments:
>
> "When we have successfully logon server A and wish to logon server B
> without terminating the original logon, then we have to use "rlogin".
> We are not using this feature in our daily operation because we have
> only one host."
>
> I'm confused? Does it mean that in a single host situation, remote
> terminals (let's say from different floors of the Company) using the
> telnet session of the terminal emulation software can still access the
> host even if the rlogin = false? If users can still access the host,
> are there any risks involved in this situation?

When you say remote terminals, are you referring to serially attached terminals, X-Terminals, or what? If you are referring to PCs running some terminal emulation software, such as telnet, across the network then "rlogin = true" is required. Directly attached terminals do not require "rlogin = true" but do require "login = true".

On a closed network, there is generally not a problem running telnet. The problem is when you run telnet across the internet or between extranets.

--
Dana French dfrench@mtxia.com
Mt Xia Technical Consulting Group http://www.mtxia.com
100% Spam Free Email http://www.ridmail.com
MicroEmacs http://uemacs.tripod.com
Korn Shell Web http://dfrench.tripod.com/kshweb.html

ftengcheng@yahoo.co.uk (TC) wrote in message news:<da9f7573.0410251859.599fd415@posting.google.com>...
> We are using AIX operating system. I found that users are having
> attributes of rlogin = true. Also, we noted that users are connected
> to the host using a terminal emulation software that uses telnet
> connection. We have only 1 host system. Am I correct to say as
> below:-
>
> 1. Users having attribute of rlogin = true means that they are able to
> remotely login to the host to perform their duties from their
> terminals without the need to be stationed in the server room where
> the host resides.
> 2. Remote login made via telnet is insecure and has no protection,
> encryption or any means to protect data, logins, passwords or any
> activity conducted from being sniffed by people in control of
> intermediate hosts.
>
> When I gave the above scenario to the IT expert in our company and
> recommended them to have an SSH connection, below are his comments:
>
> "When we have successfully logon server A and wish to logon server B
> without terminating the original logon, then we have to use "rlogin".
> We are not using this feature in our daily operation because we have
> only one host."
>
> I'm confused? Does it mean that in a single host situation, remote
> terminals (let's say from different floors of the Company) using the
> telnet session of the terminal emulation software can still access the
> host even if the rlogin = false? If users can still access the host,
> are there any risks involved in this situation?
>
> Please advise. Thank you.
>
> Regards,
> TC

As far as I know, rlogin=true means that the user can perform rsh. Rsh will allow users to perform rsh and rcp (remote copy). Before this can be done, a .rhosts file must exist in directory /. Usually in a single host environment (I mean no other UNIX box), rsh is disabled for security reasons. But don't disable this if your box is running HACMP 4.4.1! SSH is an alternative to telnet and rsh.

I have all these services on most of my UNIX boxes. Access control is done based on requirement. Some use ssh (disable telnet), some use telnet (no ssh), some even have all of them, but we control the access by using a firewall.

I'm a bit confused by these questions. Are you doing IT auditing in your company? If that is the case, I suggest you do more studying on UNIX before recommending any changes to the IT team. Have a discussion with them first and try to identify application requirements. The most important thing is the application. If server hardening is done without carefully studying system and application requirements, this will result in a disaster. You will see your application not working correctly, or not working at all.

Oops, sorry. Wrong info! Yes, rlogin=true means that the user can remotely log in to the server using telnet, rsh, rlogin and also ssh. Second question, yes. Telnet does not provide any protection. Sorry, I do get slow and foolish when reading emails in the morning!

Rgds

ftengcheng@yahoo.co.uk (TC) wrote in message news:<da9f7573.0410251859.599fd415@posting.google.com>...
> We are using AIX operating system. I found that users are having
> attributes of rlogin = true. Also, we noted that users are connected
> to the host using a terminal emulation software that uses telnet
> connection. We have only 1 host system. Am I correct to say as
> below:-
>
> 1. Users having attribute of rlogin = true means that they are able to
> remotely login to the host to perform their duties from their
> terminals without the need to be stationed in the server room where
> the host resides.
> 2. Remote login made via telnet is insecure and has no protection,
> encryption or any means to protect data, logins, passwords or any
> activity conducted from being sniffed by people in control of
> intermediate hosts.
>
> When I gave the above scenario to the IT expert in our company and
> recommended them to have an SSH connection, below are his comments:
>
> "When we have successfully logon server A and wish to logon server B
> without terminating the original logon, then we have to use "rlogin".
> We are not using this feature in our daily operation because we have
> only one host."
>
> I'm confused? Does it mean that in a single host situation, remote
> terminals (let's say from different floors of the Company) using the
> telnet session of the terminal emulation software can still access the
> host even if the rlogin = false? If users can still access the host,
> are there any risks involved in this situation?
>
> Please advise. Thank you.
>
> Regards,
> TC
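
The thread turns on the per-user `login` and `rlogin` attributes. As an added example (not code from any poster in the thread), this POSIX shell/awk script reads stanzas in the AIX `/etc/security/user` format and prints each account's effective values, falling back to the `default:` stanza. The sample accounts are constructed, and treating a value that is set nowhere as `true` is an assumption.

```sh
#!/bin/sh
# Added example: effective login/rlogin per account, "default:" inheritance applied.

# Constructed sample stanzas (account names and values are made up).
sample_user_file() {
cat <<'EOF'
* constructed sample; comment lines start with an asterisk
default:
    login = true
    rlogin = true
root:
    rlogin = false
tc:
    admin = false
batch:
    login = false
    rlogin = false
EOF
}

# Reads stanzas on stdin, prints: user login=<v> rlogin=<v> <verdict>
effective_remote_login() {
awk '
  /^[ \t]*\*/ || /^[ \t]*$/ { next }        # skip comments and blank lines
  /^[^ \t].*:[ \t]*$/ {                      # stanza header such as "root:"
      name = $0; sub(/:[ \t]*$/, "", name)
      if (name != "default") order[++n] = name
      next
  }
  {                                          # indented "attr = value" line
      split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
      if (kv[1] == "login" || kv[1] == "rlogin") set[name, kv[1]] = kv[2]
  }
  function eff(u, a) {                       # user value, else default stanza
      if ((u, a) in set) return set[u, a]
      if (("default", a) in set) return set["default", a]
      return "true"                          # assumption: unset means true
  }
  END {
      for (i = 1; i <= n; i++) {
          r = eff(order[i], "rlogin")
          v = (r == "true") ? "remote-login-allowed" : "remote-login-blocked"
          printf "%s login=%s rlogin=%s %s\n", order[i], eff(order[i], "login"), r, v
      }
  }'
}

sample_user_file | effective_remote_login
```

On an AIX host, with sufficient privilege to read the file, the same function can be run as `effective_remote_login < /etc/security/user`.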