COMMAND

    rshd

SYSTEMS AFFECTED

    Linux, NetBSD, Digital Unix 4.0

PROBLEM

    Compare the output of

        rsh victimhost -l realuser ls

    and

        rsh victimhost -l nosuchuser ls

    The error reported differs between the two cases.

    Therefore, it's possible to determine which account names are
    valid. This is an issue only for particularly paranoid sites
    that probably already have rshd disabled.

    A cursory investigation of some local machines showed the
    following:

        Affected: Linux, NetBSD, Digital Unix 4.0
        Not affected: HP-UX, Solaris

    Linux's rsh client also seems to have a bug where the second of
    the above cases prints random error strings. Credit goes to
    David A. Holland.

SOLUTION

    This should all be fixed in the next releases, or so we can hope.

    The PAM version of Linux's rshd doesn't have this problem. Some
    of the earlier ones did, but Red Hat 4.2 has this problem fixed
    (and in this case, this was a PAM bug, not an rshd bug).
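
    The difference described under PROBLEM, modeled as an added
    example (not rshd's source and not part of the original advisory):
    one reply function that reveals which check failed, beside one
    that gives the client a single reply and keeps the reason for the
    server's log. The account table, function names and message
    strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the password database and the rhosts
 * trust decision; account names and flags are illustrative only. */
struct account { const char *name; int rhosts_ok; };
static const struct account accounts[] = {
    { "realuser", 0 },  /* exists, remote host not trusted */
    { "operator", 1 },  /* exists, remote host trusted */
};

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Leaky pattern: the reply reveals which check failed.
 * Message texts are constructed. NULL means "run the command". */
const char *reply_leaky(const char *user)
{
    const struct account *a = lookup(user);
    if (a == NULL)
        return "Login incorrect.";
    return a->rhosts_ok ? NULL : "Permission denied.";
}

/* Uniform pattern: both failures produce the same reply, so the client
 * cannot tell "no such user" from "user exists but is not allowed".
 * The real reason is handed back separately for the server's log. */
const char *reply_uniform(const char *user, const char **log_reason)
{
    const struct account *a = lookup(user);
    *log_reason = NULL;
    if (a == NULL)
        *log_reason = "unknown user";
    else if (!a->rhosts_ok)
        *log_reason = "rhosts check failed";
    return *log_reason ? "Permission denied." : NULL;
}

int main(void)
{
    const char *why, *names[] = { "realuser", "nosuchuser", "operator" };
    for (size_t i = 0; i < 3; i++) {
        const char *l = reply_leaky(names[i]);
        const char *u = reply_uniform(names[i], &why);
        printf("%-10s leaky=%-18s uniform=%-18s log=%s\n", names[i],
               l ? l : "(runs)", u ? u : "(runs)", why ? why : "-");
    }
    return 0;
}
```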