The BSD r-tools (rsh/remsh, rcp, rlogin, rdist, etc.) have traditionally been used to make remote connections to other machines. They rely on IP-based authentication, which means that you can allow anyone with (for instance) root access on 192.168.1.1 to have root access on 192.168.1.2. Administrators and other users have traditionally found this useful, as it lets them connect from one host to another without having to retype a password.
The problem with IP-based authentication, however, is that an intruder can craft "spoofed" or faked packets which claim to be from a trusted machine. Since the r-tools rely entirely on IP addresses for authentication, a spoofed packet will be accepted as real, and any hacker who claims to be from a trusted host will be trusted and given access to your machine.
These tools also transmit all of your data in clear-text, including passwords.
Tools are now available which allow you to spoof (fake) IP addresses as well as to monitor and/or hijack protocols which use clear-text. All of the same functionality can be found with the more secure replacement commands ssh and scp. Because of these insecurities, ordinary users should not be allowed to use the r-tools, and admins should use them only in cases where there are no other connection methods available.
Bastille can remove the permissions on the r-tools so that ordinary users cannot run them and admins will have to take additional steps to re-enable them when needed. This will disable the "client" side of these tools, so that people cannot use them to connect to other machines. |