.rhosts file in user's home

All respondents advised against allowing .rhosts files in users' home directories. Reasons were:

o Anyone can masquerade as the username to gain access from any host if they can defeat the firewall.

o Even if + is replaced by a hostname/IP address, hackers can spoof the hostname/IP address.

o You don't have to be root to cause trouble. You can fill up certain filesystems, invoke bogus processes, etc.

o Once in, hackers can find enough weaknesses to gain superuser access on your system.

To overcome that, most of the respondents suggested using 'ssh', which can be found at:

        ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.25.tar.gz
        ftp://ftp.gw.com/pub/unix/ssh
        http://www.sdsc.edu/projects/ssh/ssh.html (Info)
        http://www.npaci.edu/Security (Info)
        http://www.ssh.net
        http://www.ssh.org

Thanks to the following for their quick and comprehensive responses:

David Foster <foster@dim.ucsd.edu>
Duncan Phillips <dphillip@halfdome.acs.uci.edu>
James Mularadelis <james.mularadelis@bms.com>
"Boyko, Steve" <SBoyko@nbpower.com>
Shawn Kondel <shawnk@sunfs.math.usu.edu>
Todd Jensen <jensen@erim-int.com>
Adam and Christine Levin <levins@westnet.com>
Daniel Muino <dmuino@afip.gov.ar>
gabriel rosenkoetter <gr@cs.swarthmore.edu>
Carlo Musante <carlo@ucomm.wayne.edu>
kevin@joltin.com
"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>
"Edwards Philip M Ctr AFRL/SNRR" <Philip.Edwards@sn.wpafb.af.mil>
Jon Bernard <jbber@src.uchicago.edu>
"Timothy Lindgren" <Timothy_Lindgren@enron.com>
daniel.polombo@detexis.thomson-csf.com
"Reichert, Alan" <aareichert@tasc.com>

------------ Original Question Follows ----------------

Some of the users have a .rhosts file with the following entry:

+ <username>

This allows them to log on to other systems without being prompted for a password (NIS is not used).

What security hazard can it pose to the system(s) if the user is a normal user (i.e. no superuser privileges)?

Thanks and I will summarize.

...Manjeet
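Added example, not part of the summary above or of any respondent's reply: a POSIX shell audit that walks a home-directory tree, finds every .rhosts file and reports the entries the respondents warn about, namely a '+' in the host field (any host may connect as that user) or a '+' in the user field (any remote user is mapped to the account), plus files writable by group or others. It assumes the classic rlogin/rsh syntax "hostname [username]" with '+' as the wildcard; the function names rhosts_risky and audit_homes, the directory layout and the entries are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit ~/.rhosts files for the
# wildcard entries discussed above. Assumes the classic rlogin/rsh syntax
# "hostname [username]" where '+' in either field means "any".

# rhosts_risky FILE
#   Print every entry in FILE whose host field is '+' (any host may connect)
#   or whose user field is '+' (any remote user maps to this account).
#   Netgroup entries such as "+@admins" are not wildcards and are left alone.
#   Returns 0 if at least one such entry exists, 1 otherwise.
rhosts_risky() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments and blank lines
        $1 == "+" || $2 == "+"  { print FILENAME ": " $0; found = 1 }
        END                     { exit found ? 0 : 1 }
    ' "$1"
}

# audit_homes DIR
#   Walk every .rhosts file below DIR (one subdirectory per user) and report
#   wildcard entries and files writable by group or others. A writable
#   .rhosts lets any local user grant themselves the login, which is why
#   rlogind/rshd on many systems refuse such a file; flag it anyway.
audit_homes() {
    find "$1" -name .rhosts -type f 2>/dev/null |
    while read -r f; do
        rhosts_risky "$f" || true
        # first 10 characters of ls -l are the mode string, e.g. -rw-rw-r--;
        # character 6 is the group write bit, character 9 the others write bit
        case "$(ls -ld "$f" | cut -c1-10)" in
            ?????w*|????????w*) echo "$f: writable by group or others" ;;
        esac
    done
}

# Demo on a constructed home tree (sample data, not from any real system).
demo=$(mktemp -d)
mkdir -p "$demo/manjeet" "$demo/alice" "$demo/bob"
printf '%s\n' '# trusts every host on the network' '+ manjeet' > "$demo/manjeet/.rhosts"
printf '%s\n' 'build.example.com alice' 'build.example.com +' > "$demo/alice/.rhosts"
printf '%s\n' 'build.example.com bob' > "$demo/bob/.rhosts"
chmod 664 "$demo/alice/.rhosts"
audit_homes "$demo"
rm -rf "$demo"
```

Run it as root against the real home tree (audit_homes /home, or /export/home on older Suns) to get the list of users to talk to. Once ssh is in place the corresponding server-side setting is IgnoreRhosts yes in sshd_config, which is OpenSSH's default and makes sshd disregard .rhosts and .shosts for host-based authentication, so the files lose their effect even if a user recreates one.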

[5780 byte] By [CodeProf.com] at [2007-12-25 11:28:00]