rshd gives away usernames

David Holland (dholland@EECS.HARVARD.EDU)
Fri, 13 Jun 1997 07:17:11 -0400

Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
The error reported is different.

Therefore, it's possible to determine which account names are valid.
This is an issue only for particularly paranoid sites that probably
already have rshd disabled, but I thought it would be worth issuing a
warning anyway.

A cursory investigation of some local machines showed the following:

Affected: Linux, NetBSD, Digital Unix 4.0
Not affected: HP-UX, Solaris

Linux's rsh client also seems to have a bug where the second of the
above cases prints random error strings. This will all be fixed in the
next release (unfortunately, not yesterday's release...)

--
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino