3.3.4.12 klogin

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This entry starts the klogin service when required. This is a kerberized login service, which provides a higher degree of security over traditional rlogin and telnet.

Rationale:

The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If you use klogin to log in to a system, the password is not sent in clear text; however, if you then su to another user, that password exchange is open to capture by network-sniffing programs. The recommendation is to use SSH wherever possible instead of klogin.

If the klogin service is used, you must run the latest Kerberos version available and make sure that all the latest patches are installed.

Solution

In /etc/inetd.conf, comment out the klogin entry and refresh the inetd process:

chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p tcp
lssrc -s inetd && refresh -s inetd
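As an added illustration (not part of the CIS benchmark or the Tenable audit), the following POSIX shell script performs the check this audit describes: it reports whether /etc/inetd.conf-style content still has an uncommented klogin entry, and shows a sed-based way to comment it out. The inetd.conf sample is constructed, and the sed remediation is a portable stand-in for the AIX chsubserver command above, not a replacement for it on AIX.

```shell
#!/bin/sh
# Constructed sample of an inetd.conf with an active klogin entry; it is
# not a real system file and exists only so the check can run offline.
sample_inetd_conf() {
    cat <<'EOF'
## service socket protocol wait/nowait user server_path args
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a
klogin  stream  tcp     nowait  root    /usr/sbin/krlogind krlogind
#kshell stream  tcp     nowait  root    /usr/sbin/krshd    krshd
EOF
}

# klogin_active FILE: exit 0 if FILE contains an uncommented klogin entry
# (service field "klogin", protocol field tcp or tcp6), 1 otherwise.
klogin_active() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }               # skip comments and blanks
        $1 == "klogin" && $3 ~ /^tcp6?$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# disable_klogin SRC DST: copy SRC to DST with every active klogin entry
# commented out. Portable demonstration only; on AIX use chsubserver and
# refresh -s inetd as shown in the Solution above.
disable_klogin() {
    sed 's/^[[:space:]]*klogin[[:space:]]/#&/' "$1" > "$2"
}

# Run the check against the constructed sample.
tmp=$(mktemp)
sample_inetd_conf > "$tmp"
if klogin_active "$tmp"; then
    echo "klogin is enabled in $tmp (finding)"
else
    echo "klogin is disabled in $tmp (pass)"
fi
rm -f "$tmp"
```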

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/3525