RSH on Windows - revisited

There are differences between Windows RSH and Interix RSH; I discussed RSH on SUA here.

Windows RSH supports only the /etc/hosts.equiv mechanism, although the file is named %windir%\system32\drivers\etc\.rhosts. Because it is a single file rather than a per-user ~/.rhosts, every entry in it applies system wide.

It does not support or accept the fully qualified Windows name syntax (i.e. domainName\userName) in all situations.

Windows RSH allows the name passed in the rsh client's "-l name" option to be something other than the name of the user who invoked the rsh client.

The Windows Remote Shell service requires users on the server machine to store their password with the rshpswd utility before clients can execute rsh commands as them. The utility associates the password with the user's fully qualified name (localMachine\userName) and stores it in the LSA secrets area.

The Windows Remote Shell service first tries to execute the command in the context of "localMachine\userName". If that user's password was saved with rshpswd but the process cannot be created, it then tries domainName\userName with the saved password, where "domainName" is the machine's logon domain.

The command is executed by the Windows command shell, cmd.exe.

Important: the format of the /etc/hosts.equiv and ~/.rhosts files

On Interix, both /etc/hosts.equiv and ~/.rhosts support only the simple format given below:

hostname [username]

If the form:

hostname

is used, then users from the named host are trusted. That is, they may access the system with the same user name as they have on the remote system. This form may be used in both the /etc/hosts.equiv and .rhosts files.

If the line is in the form:

hostname username

then the user named "username" from the system called "hostname" can access the system. This form may be used in individual .rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user will be allowed to access the system as any local user.

NOTE:

a. Historically, and on most other UNIX systems, the format is one of:

[+ | - ] [ hostname | @netgroup1]

[+ | - ] hostname | @netgroup1 [ [+ | -] [ username | @netgroup2]]

However, Interix does not yet support this historical functionality.

b. Only one entry per line is permitted.

c. Lines longer than 384 characters are ignored.

d. For security reasons, these files are ignored if they do not have the proper permissions and ownership.

e. /etc/hosts.equiv is ignored if access is requested with superuser privilege.