


Hmmm.. Unless I'm missing something, rexec is not "part of rsh". They are two separate things that have similar capabilities. Both insecure and should not be used outside of a "trusted" network.

Likewise, SSH is a completely separate thing with similar capabilities. SSH, however, is secure.

SSH and RSH both have the ability to forward X streams (X is short for The X Window System, which is not properly called "XWindows".) However, rexec does not. I'm having a hard time understanding what rexec has to do with the link Rob provided.

For sure, having rexec open should be considered a security "ding." Yes, IBM does use rexec for things like RUNRMTCMD; if you are sending remote commands from another box to this IBM i, this server would be needed. (But it is not needed if you are using the RUNRMTCMD client from this box to run commands on another machine.) But, if you're doing that, you really should consider replacing it with something like SSH, as rexec is not secure. Only use rexec if you know and trust everyone who has access to the network, and outside users cannot get in (except maybe via VPN.)

-SK

On 4/21/2016 1:55 PM, Justin Dearing wrote:
Pretty sure rexec is part of rsh, unencrypted ssh. Don't use it. Password
transmitted in plain text.

This is a shut it off and see if people complain kind of thing because it's
unpopular and insecure. I don't blame your auditors getting upset at this.

On Thu, Apr 21, 2016, 14:47 Rob Berendt <rob@xxxxxxxxx> wrote:

I'm getting dinged because I allow this. Don't even really know what this
is.
Uses port 512.

NETSTAT *CNN
Connection type . . . . . . : *TCP
Local address . . . . . . . : *
Local port . . . . . . . . . : 512
Current
Name User Number Type User
QTRXC00004 QTCP 430542 *BCH QTCP

Joblog does mention
RTGDTA(REXECSVR)

Does this mean it's the remote command executer? Or just one of a few
different remote command executors? IOW, does it handle PC and *x remote
commands or does it also handle SBMRMTCMD?
I see that I do not have this running on many lpars. Of course, it's
running on our main production lpar. I wonder if I'm using it now or if it
was something just started a decade or so ago to help with installation of
some product which may have needed it at the time for its installation.
Think weird stuff like WAS, Quickr, Sametime, etc. Is there an access log
which holds this stuff?

CVE-1999-0526
CVSS v2 Base Score: 10.0 HIGH
See also: http://www.kb.cert.org/vuls/id/704969

Audit report says options are:
- Disable X11 from listening on TCP ports
- Firewall X11's TCP ports
- Restrict access using xhost -
I'm thinking xhost and firewall are basically the same - restrict which IP
addresses can connect. The difference being one you do with your network
guy and the other you do with a table on your IBM i.
I get a little tired of having to authorize each user of each port
individually.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
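
The point made in the thread that rexec sends the password in plain text follows from the request framing documented for the BSD rexecd server: four NUL-terminated fields (stderr port, user, password, command) written to port 512 with no encryption. The sketch below is an added example, not part of any message in this thread; it assumes that BSD framing, and the function names and sample bytes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REXEC_PORT = 512  # the port reported in the thread


@dataclass
class RexecRequest:
    stderr_port: int   # 0 means no separate stderr connection
    user: str
    password_len: int  # length only; the secret itself is not kept
    command: str


def parse_rexec_request(payload: bytes) -> Optional[RexecRequest]:
    """Parse the first client bytes of a TCP stream to port 512.

    Assumed framing (BSD rexecd): port NUL user NUL password NUL command NUL.
    Returns None when the payload does not match that framing.
    """
    parts = payload.split(b"\x00", 4)
    if len(parts) < 5:              # fewer than four NUL terminators
        return None
    port, user, password, command = parts[:4]
    if not port.isdigit() or int(port) > 65535 or not user:
        return None
    return RexecRequest(
        stderr_port=int(port),
        user=user.decode("ascii", "replace"),
        password_len=len(password),
        command=command.decode("ascii", "replace"),
    )


def finding(payload: bytes) -> Optional[str]:
    """One-line audit finding for a captured request, password redacted."""
    req = parse_rexec_request(payload)
    if req is None:
        return None
    return (f"rexec login for user {req.user!r} sent unencrypted "
            f"({req.password_len}-byte password, command {req.command!r})")


# Constructed sample bytes, not taken from a real capture.
SAMPLE = b"0\x00EXAMPLEUSR\x00example-pass\x00DSPJOB\x00"

if __name__ == "__main__":
    print(finding(SAMPLE))
```

Every field, including the password, is readable by anything on the network path, which is why the finding records only the password length.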
