3.1.5.13 kshell

Information

This entry starts the kshell service when required. kshell is a Kerberized remote shell service that provides a higher degree of security than traditional rsh.

Rationale:

The kshell service offers a higher degree of security than traditional rsh services. However, it still does not use encrypted communications. The recommendation is to utilize SSH wherever possible instead of kshell.

If the kshell service is used, you should use the latest Kerberos version available and must make sure that all of the latest patches are installed.

Solution

In /etc/inetd.conf, comment out the kshell entry and refresh the inetd process:

chsubserver -r inetd -C /etc/inetd.conf -d -v 'kshell' -p tcp
lssrc -s inetd && refresh -s inetd
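
To confirm the remediation took effect, the check below looks for any uncommented kshell entry in an inetd.conf-format file. It is an added example, not part of the benchmark text or the audit plugin; the function names and the sample file contents are constructed, and matching tcp6 as well as tcp is an assumption made here.

```shell
#!/bin/sh
# Added example: audit the kshell entry in an inetd.conf-format file.
# Function names and the sample data are constructed for illustration.

# Print every active (uncommented) kshell entry in file $1.
# Fields: service socket-type protocol wait/nowait user program args
kshell_active_entries() {
    awk '
        /^[ \t]*#/ { next }   # commented-out entry or comment: not active
        NF < 6     { next }   # blank or malformed line
        $1 == "kshell" && ($3 == "tcp" || $3 == "tcp6") { print }
    ' "$1"
}

# Return 0 if kshell is disabled (compliant), 1 if enabled, 2 if unreadable.
kshell_is_disabled() {
    [ -r "$1" ] || return 2
    [ -z "$(kshell_active_entries "$1")" ]
}

# Write a constructed sample file to $1; $2 is "on" or "off".
write_sample() {
    prefix=""
    [ "$2" = "off" ] && prefix="#"
    cat > "$1" <<EOF
## Constructed sample, not taken from a real host
# kshell is the Kerberized remote shell
#klogin  stream  tcp  nowait  root  /usr/sbin/krlogind  krlogind
${prefix}kshell  stream  tcp  nowait  root  /usr/sbin/krshd  krshd
EOF
}

# Demo: check one enabled and one disabled sample.
tmp=$(mktemp -d)
for state in on off; do
    write_sample "$tmp/$state.conf" "$state"
    if kshell_is_disabled "$tmp/$state.conf"; then
        echo "PASS ($state sample): kshell disabled"
    else
        echo "FAIL ($state sample): $(kshell_active_entries "$tmp/$state.conf")"
    fi
done
rm -rf "$tmp"
```

On a host, run kshell_is_disabled /etc/inetd.conf after the refresh; an exit status of 0 means no active kshell entry remains in the file.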

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 0ff4a49b68a63cafd2e302387b9a61651a3af83d92b20b68ee171ad0e0685130