I'm setting up an intentionally insecure server for an information security class. I'm basing it off of the metasploitable vm, but that is too easy, so I'm trying to copy some stuff off of it.

I would like to let the users rsh without a password, regardless from what machine they are trying to login with.

Here's what I have so far.

Rsh is running, but it prompts for passwords.

The vulnerable user is named Steve. His ~/.rhosts file says "+ +".

A lot of sites say I have to specify IP address from trusted hosts in the /etc/hosts.equiv file, but metasploitable doesn't do that, and I want to have the server accessible from any ip address.

I created a user named steve on my Backtrack VM that I am trying to login from.

Are you NOT using any hosts.deny (or anything like that in PAM or xinetd)?

Assuming you've got an unencumbered process listening then either .rhosts or hosts.equiv should be able to give access to all hosts with a + sign.

Is the username the same (case-sensitive Steve != steve)?

Have you both rsh(shell) and rlogin(login) running? An rsh command with no arguments becomes an rlogin command (but "rsh somewhere sh -i" is a remote command that gets you a shell).

http://www.porcupine.org/satan/admin...-cracking.html

/etc/hosts.deny is empty.
The username I am using is the correct case.

The command I am using to connect is

$ rsh -l steve <ip address>
and
$ rlogin -l steve <ip address>

They both prompt for a password.

The permissions for /home/.rhost are

600 steve steve

I am not familiar with xinetd or PAM configurations, so I have not modified any of them. Which files should I look at?

Here's a good Chapter on xinetd http://www.linuxtopia.org/online_boo...rappers-xinetd
PAM from the same manual http://www.linuxtopia.org/online_boo...l5_ch-pam.html

Basically http://www.linuxtopia.org/online_boo...dministration/

rsh without a command switches to rlogin.

Also check for a .rhosts file in the users home directory. If the remote system is not entered you are supposed to be denied.