UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The klogin daemon must be disabled on AIX.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91397 AIX7-00-003078 SV-101495r1_rule Medium
Description
The klogin service offers a higher degree of security than traditional rlogin or telnet by eliminating most clear-text password exchanges on the network. However, it is still not as secure as SSH, which encrypts all traffic. If using klogin to log in to a system, the password is not sent in clear text; however, if using "su" to another user, that password exchange is open to detection from network-sniffing programs. The recommendation is to use SSH wherever possible instead of klogin. If the klogin service is used, use the latest Kerberos version available and make sure that all the latest patches are installed.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2019-04-29

Details

Check Text ( C-90551r1_chk )
From the command prompt, execute the following command:
# grep "^klogin[[:blank:]]" /etc/inetd.conf

If there is any output from the command, this is a finding.
Fix Text (F-97595r1_fix)
In "/etc/inetd.conf", comment out the "klogin" entry by running command:
# chsubserver -r inetd -C /etc/inetd.conf -d -v 'klogin' -p 'tcp'

Restart inetd:
# refresh -s inetd