HP-UX HB v13.00 Ch-10 - Network Services
HP-UX Handbook – Rev 13.00 Page 20 (of 26)
Chapter 10 Network Services
October 29, 2013
1500000000 bytes sent in 13.91 seconds (105324.47 Kbytes/s)
Firewall issues – Once a control connection is established to ftp on the server, ftp
can operate in either ACTIVE mode or PASSIVE mode. In ACTIVE mode the ftp client's
firewall will be asked to allow an incoming connection from a privileged port
(20) on the server. In a PASSIVE connection the ftp client asks for anonymous ports on the ftp server.
To understand the implications, there is a good tutorial on an external site:
http://slacksite.com/other/ftp.html (external link)
Restricting user access – There are many ways to allow or disallow what an ftp
user login or anonymous user can do once logged in. The mechanism for
configuring this is documented in the ftpaccess man page. This is advanced
configuration which will not be covered in this document.
r-commands
The Berkeley distribution is the source for the commands rexec, rlogin, and remsh. The client
sending the r-command is given only a cursory inspection of its identity (forward and reverse
lookup of incoming IP address to prevent spoofing), and the protocol provides no privacy since everything,
including the clear-text password, can be picked up with a network trace. There are Kerberos
versions of klogin and kshell which will not be covered in this document.
They are launched via the inetd process and are configured via /etc/inetd.conf:
login stream tcp6 nowait root /usr/lbin/rlogind rlogind -B /etc/issue
shell stream tcp6 nowait root /usr/lbin/remshd remshd
exec stream tcp6 nowait root /usr/lbin/rexecd rexecd
These are well-known services:
exec 512/tcp # remote execution, passwd required
login 513/tcp # remote login
shell 514/tcp cmd # remote command, no passwd used
The exec service is only mentioned here, since it is not widely used. The main attraction of the
r-commands is the ability to log in without providing a password. This is done by
establishing host equivalency, either via the hosts.equiv file for non-privileged users or via a
.rhosts file in the home directory of the desired root or non-privileged user.
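The following POSIX shell functions report which of the r-command services above are enabled in an inetd.conf file and which accounts carry host-equivalency files. This is an added example, not part of the handbook; the function names, the scratch directory and the sample files (including the .rhosts entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the handbook. File paths are arguments so the audit can run on copies.

# Names of uncommented login/shell/exec stream entries in an inetd.conf file.
enabled_r_services() {
    awk '($1 == "login" || $1 == "shell" || $1 == "exec") && $2 == "stream" { print $1 }' "$1"
}

# "user:file" for each passwd entry whose home directory has a non-empty .rhosts.
users_with_rhosts() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        [ -n "$home" ] && [ -s "$home/.rhosts" ] && echo "$user:$home/.rhosts"
    done < "$1"
    return 0
}

# Usage: audit_r_commands INETD_CONF HOSTS_EQUIV PASSWD
audit_r_commands() {
    findings=0
    for svc in $(enabled_r_services "$1"); do
        echo "ENABLED $svc"; findings=$((findings + 1))
    done
    [ -s "$2" ] && { echo "TRUST $2"; findings=$((findings + 1)); }
    for entry in $(users_with_rhosts "$3"); do
        echo "TRUST ${entry#*:} (user ${entry%%:*})"; findings=$((findings + 1))
    done
    echo "findings=$findings"
}

# Constructed sample files (not real system data) in a scratch directory.
make_sample() {
    d="${TMPDIR:-/tmp}/rcmd_audit.$$"
    mkdir -p "$d/home/alice" "$d/home/bob"
    cat > "$d/inetd.conf" <<EOF
login stream tcp6 nowait root /usr/lbin/rlogind rlogind -B /etc/issue
shell stream tcp6 nowait root /usr/lbin/remshd remshd
#exec stream tcp6 nowait root /usr/lbin/rexecd rexecd
EOF
    printf 'alice:*:101:20::%s:/usr/bin/sh\nbob:*:102:20::%s:/usr/bin/sh\n' \
        "$d/home/alice" "$d/home/bob" > "$d/passwd"
    echo "hostA alice" > "$d/home/alice/.rhosts"   # constructed entry
    : > "$d/hosts.equiv"                            # empty: grants nothing
    echo "$d"
}

sample=$(make_sample)
audit_r_commands "$sample/inetd.conf" "$sample/hosts.equiv" "$sample/passwd"
rm -rf "$sample"
```

On a live system the arguments would be /etc/inetd.conf, /etc/hosts.equiv and /etc/passwd.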
In either /etc/hosts.equiv or $HOME/.rhosts the format is the same.