"hosts allow" secure?

Dave Dykstra dwd at bell-labs.com
Thu Jan 3 09:44:45 EST 2002

On Sun, Dec 30, 2001 at 05:32:28AM -0500, Philip Mak wrote:
> How secure is "hosts allow"?

It's not.

> I have "hosts allow = bkup" in my rsyncd.conf. Then in /etc/hosts I have:
>	bkup
> This makes only able to connect to rsync.
> Could someone spoof their hostname somehow to trick rsync into letting
> them in, though? e.g. If they reverse DNS says that they're called "bkup".

In general somebody could spoof the DNS, although not if you have it in
/etc/hosts like that (assuming /etc/nsswitch.conf is set to give priority
to files over dns).  If the bkup machine is on the same subnet in a secured
machine room, it's also pretty unlikely that somebody would be able to hijack
a live session.  However, if you're going over a long distance network it's
vulnerable.  There's no host verification or session integrity.  If you can,
use SSH.

This is really no different than tcp wrappers.

- Dave Dykstra

More information about the rsync mailing list