rlogin Service Enabled
rlogin Overview
rlogin is the predecessor to telnet and SSH. It is part of the Berkeley r-commands released in 1981. These commands are widely regarded as insecure and do not implement security controls expected of modern systems.
rlogin vulnerabilities
Some of the most notable risks associated with rlogin include the following:
- Communication is unencrypted, leaving sensitive information vulnerable to eavesdropping and tampering.
- rlogin supports authentication via the .rhosts and /etc/hosts.equiv files, which may allow any user from an origin to log in without a password.
- rlogin is considered outdated and obsolete; using such software can pose reputational risk.
Pentesting rlogin
Additionally, because of the file-based authentication, any scenario where an attacker can write to a user directory will also allow them to bypass authentication via rlogin. Remember that rlogin reads hosts.equiv as a global configuration, but also reads user-based .rhosts files for user-level authentication.
To confirm whether a user can log in via rlogin, the following command can be used:
rlogin <host> -l <username>
Consider that a simple entry of + to /etc/hosts.equiv can allow anyone to login as any user without authentication.
rlogin Risk
rlogin is widely considered high risk from both internal and external network perspectives. Although the core risks of unencrypted communication are similar to telnet (which may often be considered medium risk), the risks associated with file-based authentication significantly elevate the overall risk of the rlogin service.
Vulnerability Remediation
It is recommended that rlogin is disabled. On Linux systems the rlogin entry can be commented out in /etc/inetd.conf.
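A defender-side check for the conditions described above, as an added example that is not part of the original page: it flags + wildcard entries in hosts.equiv and .rhosts files and reports uncommented login (rlogind) lines in inetd.conf. It assumes home directories live under /home and /root; the function names and the optional root-directory argument are illustrative.

```shell
#!/bin/sh
# Added example: audit rlogin trust files and the inetd rlogin entry.
# Assumption: home directories are under /home and /root. An optional
# root directory argument allows auditing a mounted image or test tree.

# Print non-comment lines of a trust file whose host or user field is "+".
wildcard_entries() {  # $1 = path to hosts.equiv or .rhosts
    [ -r "$1" ] || return 0
    awk -v f="$1" 'NF > 0 && $1 !~ /^#/ && ($1 == "+" || $2 == "+") {
        print f ": " $0
    }' "$1"
}

# Print uncommented inetd.conf lines for the "login" service (513/tcp),
# which is the service name rlogind is started under.
rlogin_enabled_lines() {  # $1 = path to inetd.conf
    [ -r "$1" ] || return 0
    awk -v f="$1" 'NF > 0 && $1 == "login" { print f ": " $0 }' "$1"
}

# Run every check below a root directory (empty string means /).
audit_rlogin() {  # $1 = root directory, optional
    root="${1:-}"
    wildcard_entries "$root/etc/hosts.equiv"
    for rh in "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        if [ -f "$rh" ]; then
            # Any .rhosts file grants password-less trust, so report it
            # even when it holds no wildcard.
            echo "$rh: present"
            wildcard_entries "$rh"
        fi
    done
    rlogin_enabled_lines "$root/etc/inetd.conf"
}

audit_rlogin "${1:-}"
```

No output means none of the checked files contains a wildcard trust entry, no .rhosts file exists in the assumed locations, and inetd.conf has no active login line.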