Stanford University School of Earth Science
 

Authentication with the r commands

Copyright Phillip Farrell. Last revision August 3, 2004

All three r programs require a method for authenticating that you have permission to log in or execute programs on the remote machine. They do not prompt for passwords. Rather, each system first assumes that you have the same login account name on both machines, and then verifies that your account on the remote machine is equivalent to your account on the local machine. Two methods of account verification are provided: system-to-system, or user-to-user.

The systems managers of the two machines can cooperate to establish their machines as "equivalent". This requires common names and id numbers for user accounts. Then every user on one machine can use the r commands to reach the other machine without further setup. This is normally used between multiple computers in the same research group.

Alternatively, if the user has accounts on two machines that have not been made equivalent by the managers, he can establish equivalence between his two personal accounts only. In this case, the accounts do not need to have the same name. The mechanism is to create the file .rhosts in his home directory on each machine. This file contains a list of all the machines and account names that are his and that should be considered equivalent. This file must contain a separate line for each machine/account which is to participate in the account equivalence, listing the fully-qualified network name of the machine and the name of his login account on that machine. Then this file must be copied to the home directory of his account on each machine. The user can use ftp, for example, to initially push a copy to his account on each machine. For example, if the gp111ins class account existed on both pangea and toquima, the .rhosts file for gp111ins would contain the lines:

    pangea.stanford.edu gp111ins
    toquima.stanford.edu gp111ins

Put only one space between the machine name and account name; do not put any extra spaces before the machine name or after the account name. This file would have to be created in the gp111ins home directory on both pangea and toquima.

Once this .rhosts file is created by the user in the home directory on each machine where he has an account, he can then use the r commands among his accounts on those machines.

The r commands avoid one type of security problem -- passing your password in clear text over the network. But this kind of system or account equivalence creates another type of security hole. If a cracker breaks into an account on one machine, he can exploit this equivalence to gain access to other machines. Some systems may have policies limiting the use of .rhosts files to just machines within a specified group, or may disable these services entirely.
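The format rules above (one line per machine/account, a fully-qualified host name, exactly one space, no extra spaces) and the kind of policy that limits .rhosts entries to a specified group of machines can both be checked mechanically. The following is an added example, not part of the original page: the function names, the `.stanford.edu` policy suffix, the login-name pattern and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: site policy limits .rhosts entries to hosts in this domain.
# The page says such policies exist; this suffix is illustrative only.
ALLOWED_SUFFIX = ".stanford.edu"
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")
ACCOUNT = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative Unix login name

def check_line(line, allowed_suffix=ALLOWED_SUFFIX):
    """Return the list of problems found in one .rhosts line."""
    problems = []
    if line != line.strip():
        problems.append("leading or trailing whitespace")
    fields = line.strip().split(" ")
    if len(fields) != 2:
        # Covers a missing account, doubled spaces, tabs and extra fields.
        problems.append("expected 'host account' separated by one space")
        return problems
    host, account = fields
    labels = host.split(".")
    # Assumption: two or more valid dot-separated labels = fully qualified.
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        problems.append("host is not a fully-qualified name")
    elif not host.lower().endswith(allowed_suffix):
        problems.append("host is outside the allowed domain")
    if not ACCOUNT.fullmatch(account):
        problems.append("account name is not a plain login name")
    return problems

def audit_rhosts(text, allowed_suffix=ALLOWED_SUFFIX):
    """Return (line_number, problem) pairs for the body of a .rhosts file."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line == "":
            continue
        for problem in check_line(line, allowed_suffix):
            findings.append((number, problem))
    return findings

# Constructed sample: the page's two valid lines followed by three bad ones.
SAMPLE = (
    "pangea.stanford.edu gp111ins\n"
    "toquima.stanford.edu gp111ins\n"
    " pangea.stanford.edu gp111ins\n"
    "toquima  gp111ins\n"
    "host.example.org gp111ins\n"
)

if __name__ == "__main__":
    for number, problem in audit_rhosts(SAMPLE):
        print(f"line {number}: {problem}")
```

Run against the contents of a user's .rhosts file, an empty result means every line follows the format described above and names a host inside the allowed domain.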

On the Stanford campus, if the two Unix computers both have the Kerberos authentication software installed, you can use klogin and krsh instead of rlogin and rsh. These kerberized versions provide complete session encryption and authenticate you using your Kerberos "ticket" (from your initial login), for additional network security.

 

