The Berkeley Systems Design (BSD) implementation of Unix, known as BSD Unix, was a major step in Unix's development. Many innovations that began with BSD Unix are now standard on other Unix systems and have been incorporated into other operating systems in the world of TCP/IP and the Internet. One of those innovations was a small set of command-line utilities designed to provide remote access to Unix systems. This set became known as the Berkeley r* utilities, because the name of each utility begins with an r, for remote. The Berkeley r* utilities are still available on Unix systems, and versions of most of them are distributed with OpenVMS, Linux, Windows NT, Windows 2000, and other operating systems. However, even as TCP/IP has become more popular and more universal, these TCP/IP utilities have received comparatively little attention. Some of the Berkeley r* utilities are as follows:
The r* utilities were designed in an earlier and simpler time for TCP/IP networking. The creators of these utilities expected that only trusted users would access them. Today, many admins reject the whole concept of a "trusted" user. The r* utilities are generally considered too risky for today's open and interconnected networks, and even on an internal network you must be very careful about how and when you use them. The r* utilities do have a rudimentary security system that, if implemented properly, offers a measure of protection in very restricted and trusted environments.

By the Way
In recent years, more secure versions of some of the r* utilities have been developed to meet the need for security in today's Internet environment. Ssh, for example, is a secure remote shell application that replaces rsh and rlogin. Ssh uses encryption for secure authentication over hostile networks. You'll learn more about encryption and other security measures in Hour 20.

The r* utilities use a concept called trusted access. Trusted access allows one computer to trust another computer's authentication. In Figure 15.3, if Computer A designates Computer B as a trusted host, users who log in to Computer B can use the r* utilities to access Computer A without supplying a password. Computer A can also designate specific users who will be trusted users. Trusted hosts and users are identified in the /etc/hosts.equiv file of the remote machine to which the user is attempting to gain access. The .rhosts file in each user's home directory can also be used to grant trusted access to the user's account.

Figure 15.3. Unix trusted access.

By the Way
Because the /etc/hosts.equiv file and the .rhosts file grant access to system resources, they are a major target for network intruders. See Hour 19, "What Hackers Do," for more on network attacks. The vulnerability of the hosts.equiv file and the .rhosts file is one reason why the r* utilities are no longer considered secure.
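The trust files just described are plain text, so an administrator can audit them directly. The script below is an added example, not code from the book: it walks a filesystem tree, lists every hosts.equiv and .rhosts entry, flags wildcard entries (a "+" in the host field trusts every host, a "+" in the user field trusts every user from that host, so "+ +" in a .rhosts file trusts anyone on the network), and reports trust files that other users could edit. The ROOT parameter, the sample host names and the make_sample_tree helper are assumptions constructed for a stand-alone run; pass "/" to audit a live system.

```shell
#!/bin/sh
# Added example (not from the book): audit a filesystem tree for the
# Berkeley r* trust files, /etc/hosts.equiv and per-user .rhosts.
# ROOT is a hypothetical parameter so the same checks can run against a
# constructed sample tree instead of the live system.

# Print one line per trust entry found under ROOT, tagged WILDCARD or HOST.
list_trust_entries() {
    root=${1:-/}
    for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts "$root/root/.rhosts"; do
        [ -f "$f" ] || continue
        # Drop comments, then read "host [user]" from each remaining line.
        sed -e 's/#.*//' "$f" | while read -r host user _; do
            [ -n "$host" ] || continue
            if [ "$host" = "+" ] || [ "$user" = "+" ]; then
                printf 'WILDCARD %s: %s %s\n' "$f" "$host" "$user"
            else
                printf 'HOST %s: %s %s\n' "$f" "$host" "$user"
            fi
        done
    done
}

# Number of wildcard entries under ROOT; anything above 0 needs attention.
count_wildcards() {
    list_trust_entries "$1" | grep -c '^WILDCARD' || true
}

# A trust file that other users can write to can be edited to add entries,
# so list any that are group- or world-writable.
list_writable_trust_files() {
    root=${1:-/}
    for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts "$root/root/.rhosts"; do
        [ -f "$f" ] || continue
        find "$f" -perm -020 -o -perm -002 2>/dev/null
    done
}

# Constructed sample tree (the host names are not real) for a stand-alone run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    printf 'buildhost.example.test\n# comment\ndevbox.example.test +\n' > "$d/etc/hosts.equiv"
    printf 'buildhost.example.test alice\n' > "$d/home/alice/.rhosts"
    printf '+ +\n' > "$d/home/bob/.rhosts"
    chmod 644 "$d/etc/hosts.equiv" "$d/home/alice/.rhosts"
    chmod 666 "$d/home/bob/.rhosts"   # deliberately world-writable
    echo "$d"
}

# Usage: sh rstar_trust_audit.sh ROOT   (pass "/" for the live system)
if [ $# -gt 0 ]; then
    list_trust_entries "$1"
    printf 'wildcard entries: %s\n' "$(count_wildcards "$1")"
    list_writable_trust_files "$1" | sed 's/^/writable trust file: /'
fi
```

On the constructed tree the audit reports two HOST entries, two WILDCARD entries (the "devbox.example.test +" line in hosts.equiv and bob's "+ +"), and bob's .rhosts as writable. Only home directories directly under ROOT/home plus ROOT/root are scanned; adjust the globs for other layouts.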
The following sections discuss some of the Berkeley r* utilities.

Rlogin
Rlogin is a remote login utility. You can use rlogin to connect with a Unix host that is running the server daemon rlogind (the d stands for daemon). Rlogin serves the same purpose as Telnet, but rlogin is considerably less versatile. Rlogin is designed specifically to provide access to Unix systems, whereas Telnet, which is covered by a TCP/IP standard, can have a broader application. Also, rlogin does not provide some of the configuration negotiation features available with Telnet. A significant feature of rlogin is that, because it uses the r* utilities' security model, it supports remote login without a password. No-password access is a property of all r* utilities, but some users consider a passwordless terminal session a little more unsettling than some of the other functions achievable through the r* utilities. Nevertheless, the r* utilities' security model does limit access to trusted users.

By the Way
It is important to keep in mind that network operating systems such as NetWare and Windows NT/2000 also provide methods for passwordless access to network resources after the user has achieved some form of initial authentication. The Kerberos authentication scheme, described in Hour 20, provides passwordless access to network resources on Unix/Linux networks as well as Windows networks. Many of the benefits of the r* utilities can now be achieved through other, more secure methods.

The syntax for the rlogin command is as follows:

rlogin hostname

where hostname is the hostname of the computer to which you'd like to gain access. If no username is specified, the username defaults to the user's username on the local computer. Otherwise, you can specify a username as follows:

rlogin hostname -l username

where username is the username you want to use for the login.
The server daemon rlogind, which must be running on the server machine, then checks the hosts.equiv and .rhosts files to verify host and user information. If this authentication is successful, the remote session begins.

Rcp
Rcp provides remote file access to Unix systems. Rcp is not as versatile or as widely used as FTP, but it is still sometimes used for file transfer in the Unix world. See Hour 14 for more on rcp.

Rsh
Rsh lets you execute a single command on a remote computer without logging in to the remote computer. Rsh is short for remote shell. (A shell is a command interface to the operating system.) The rshd daemon, running on the remote computer, accepts the rsh command, verifies the username and hostname information, and executes the command. Rsh is useful when you want to enter one command and don't need or want to establish a terminal session with the remote computer. The format for the rsh command is

rsh -l username hostname command

where hostname is the hostname of the remote computer, username is the name to use when accessing the remote computer, and command is the command you would like to execute. The username (preceded by -l) is optional. If you do not include a username, it defaults to the username on the local host, as follows:

rsh hostname command

Rexec
Rexec is like rsh in that it instructs the remote computer to execute a command. Rexec uses the rexecd daemon. The syntax for the rexec command is as follows:

rexec hostname -l username command

where hostname is the name of the host, username is the user account name on the remote computer, and command is the command you want to execute. If you omit -l username, the username defaults to the username on the local computer.

Ruptime
Ruptime displays a summary of how many users are logged in to each computer on the network. Ruptime also lists how long each computer has been up (hence the name, r-up-time) and displays some additional system information.
To generate a ruptime report, you need only enter

ruptime

Both ruptime and rwho (see the next section) use the rwhod daemon. Actually, each computer on the network has an rwhod daemon that broadcasts regular reports of user activity. Each rwhod daemon receives and stores the reports from other rwhod daemons for a network-wide view of user activity.

Rwho
Rwho reports on all users who are currently logged on to network computers. Rwho lists usernames, the computer each user is logged in to, the time of login, and the time elapsed since login. The syntax of the rwho command is simply

rwho

The default report excludes users whose terminals have been inactive for more than an hour. For a report on all users, use the -a option:

rwho -a

Rwho, like ruptime, uses the rwhod daemon.
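Each of the server daemons named in the sections above (rlogind, rshd, rexecd) is only reachable if something starts it, and on classic Unix systems that is usually the inetd superserver. The script below is an added example, not code from the book: it reads an inetd.conf, reports which r* services are enabled, and produces a hardened copy with those entries commented out. It assumes the classic inetd.conf layout (service, socket type, protocol, wait/nowait, user, server program and arguments, with a leading "#" disabling a line) and the standard /etc/services names login (rlogind), shell (rshd) and exec (rexecd). The sample file, its program paths and the make_sample_inetd_conf helper are constructed for the stand-alone run; rwhod is normally started at boot rather than by inetd, so it is not covered here.

```shell
#!/bin/sh
# Added example (not from the book): report which r* server daemons an
# inetd.conf would start, and produce a copy with them disabled.
# Assumes the classic inetd.conf field layout and the /etc/services names
# login (rlogind), shell (rshd) and exec (rexecd).

# Print "service program [args...]" for every enabled r* entry in the given file.
enabled_r_services() {
    sed -e 's/#.*//' "$1" | awk '
        NF >= 6 && ($1 == "login" || $1 == "shell" || $1 == "exec") {
            line = $1
            for (i = 6; i <= NF; i++) line = line " " $i
            print line
        }'
}

# Number of enabled r* entries; 0 means inetd starts none of them.
count_enabled_r_services() {
    enabled_r_services "$1" | wc -l | tr -d ' '
}

# Emit the same file with every r* entry commented out (the hardened form).
disable_r_services() {
    awk '$1 == "login" || $1 == "shell" || $1 == "exec" { print "#" $0; next } { print }' "$1"
}

# Constructed sample inetd.conf (paths and entries are not from any real host).
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
EOF
    echo "$f"
}

# Usage: sh rstar_inetd_audit.sh /etc/inetd.conf
if [ $# -gt 0 ]; then
    enabled_r_services "$1"
    printf 'enabled r* services: %s\n' "$(count_enabled_r_services "$1")"
fi
```

On the constructed file the audit reports shell (in.rshd) and login (in.rlogind) as enabled and exec as already disabled; running disable_r_services over it yields a file on which the count drops to zero. Systems that use xinetd or a service manager instead of inetd need the equivalent check against their own configuration.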