The old r-services (rsh, rcp, and rlogin) are considered harmful because of their security weaknesses and should never be used. On the other hand, you cannot simply ignore them, since legacy applications rely on them. For example, some legacy engineering applications use rsh for parallel execution.
You can use PAM to restrict the usage of r-services. Restrictions can be imposed on the r-services themselves, and another powerful restriction is to limit the availability of the services to a small group of users.
The basic module for working with the r-services is called pam_rhosts. This module is supported at least by Linux, FreeBSD, and Solaris. It provides the authentication methods found in the original r-services, for example, the use of hosts.equiv and .rhosts files. The /etc/hosts.equiv file lists which hosts are equivalent to localhost, while a .rhosts file in the user's home directory can allow the user to log in without giving a password.
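Before pam_rhosts is allowed to honor these trust files, it is worth checking what they actually grant. The following POSIX shell audit is an added example, not part of the original text: it flags wildcard entries and loose permissions in hosts.equiv and .rhosts files. The function names and the /home/*/.rhosts directory layout are assumptions; entries are read as "host [user]", with a bare "+" matching anything.

```sh
#!/bin/sh
# Added example: audit hosts.equiv / .rhosts style trust files.
# Entries are read as "host [user]"; a bare "+" matches any host or any user.

# audit_trust_file FILE
# Prints one finding per line as "FILE:LINE: message" (LINE 0 = the file itself).
# Prints nothing when the file is absent or clean.
audit_trust_file() {
    file=$1
    [ -f "$file" ] || return 0

    # Writable by group or others: anyone in that set can add trusted hosts.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$file:0: file is group- or world-writable"
    fi

    awk -v f="$file" '
        NF == 0 || $1 ~ /^#/   { next }   # skip blank lines and comments
        $1 == "+" && $2 == "+" { print f ":" NR ": any user from any host is trusted"; next }
        $1 == "+"              { print f ":" NR ": any host is trusted"; next }
        $2 == "+"              { print f ":" NR ": any user on " $1 " is trusted"; next }
        $1 ~ /^\+@/            { print f ":" NR ": whole netgroup " substr($1, 3) " is trusted" }
    ' "$file"
}

# audit_all [HOME_ROOT] [HOSTS_EQUIV]
# Checks the system-wide file and every .rhosts directly under HOME_ROOT/*.
# Defaults (/home, /etc/hosts.equiv) are assumptions about the local layout.
audit_all() {
    home_root=${1:-/home}
    equiv=${2:-/etc/hosts.equiv}
    audit_trust_file "$equiv"
    for rh in "$home_root"/*/.rhosts; do
        audit_trust_file "$rh"
    done
}

# Typical use, run as root so every home directory is readable:
#   audit_all /home /etc/hosts.equiv
```

Any line of output is a trust relationship that bypasses password authentication and should be removed or justified before the service is left enabled.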
The pam_rhosts module can disable...