The .rhosts File: Authentication So Trusting It's Essentially a Welcome Mat

Before SSH existed, Unix systems shared trust via .rhosts files: a plaintext list of hostnames and usernames, one pair per line in a user's home directory (plus a system-wide /etc/hosts.equiv), that rlogin and rsh would honour for login without a password, on the theory that if a connection claimed to come from trusted-host it probably did. The whole check rested on the peer's source address, whatever reverse DNS said that address was called, and a username the client simply asserted, so DNS spoofing, IP spoofing, and the general untrustworthiness of networks made it spectacularly dangerous in practice. The Morris Worm exploited that trust in 1988, hopping over rsh to every host named in the .rhosts and hosts.equiv files it found. Security advisories condemned it throughout the 1990s. SSH replaced it cleanly in 1995, with host keys and per-user public keys in place of a hostname on a list. And yet .rhosts files lingered in production environments well into the 2000s, kept alive by legacy scripts and the universal sysadmin reluctance to touch anything that isn't currently on fire. Some datacentres, it is whispered, still have them.
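If you suspect your own datacentre is one of the whispered-about ones, the practical check is to find every lingering .rhosts and hosts.equiv file and read what it actually grants. The script below is an added example written for this page, not code from any rlogin or rsh implementation: it parses the classic "hostname [username]" format (comments, deny lines with a leading "-", and the "+" wildcards), emulates the first-match decision that the BSD ruserok() logic made, and flags the entries a reviewer should care about, above all the infamous "+ +" line that lets anyone in as anyone. The sample .rhosts content is constructed for illustration, the netgroup handling is deliberately stubbed (netgroups cannot be resolved offline), and the function and file names are this example's own choices.

```python
"""Parse and audit legacy .rhosts / hosts.equiv trust files (added example)."""
import os
from pathlib import Path
from typing import List, NamedTuple, Optional


class RhostsEntry(NamedTuple):
    host: str             # hostname, '+' (any host) or '@netgroup'
    user: Optional[str]   # remote username, '+' (any user), or None (same name as local user)
    negated: bool         # True for '-host' lines, which deny instead of allow


def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse the classic 'hostname [username]' line format.

    '#' starts a comment, blank lines are ignored, and a leading '-' on the
    host field turns the line into a deny entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-")
        if negated:
            host = host[1:]
        entries.append(RhostsEntry(host.lower(), user, negated))
    return entries


def rhosts_permits(entries: List[RhostsEntry], remote_host: str,
                   remote_user: str, local_user: str) -> bool:
    """Simplified emulation of the BSD ruserok() decision: first matching line wins.

    remote_host is whatever reverse DNS said the peer was and remote_user is
    whatever the client claimed, which is exactly why the scheme was so easy
    to spoof. Netgroup entries ('@name') are treated as non-matching here
    because they cannot be resolved offline (simplification of this example).
    """
    remote_host = remote_host.lower()
    for e in entries:
        if e.host.startswith("@"):
            continue
        if not (e.host == "+" or e.host == remote_host):
            continue
        if e.user is None:
            user_ok = remote_user == local_user
        else:
            user_ok = e.user == "+" or e.user == remote_user
        if not user_ok:
            continue
        return not e.negated
    return False


def audit_rhosts(text: str) -> List[str]:
    """Return one human-readable finding per allow entry, the '+ +' case first."""
    findings = []
    for e in parse_rhosts(text):
        if e.negated:
            continue
        if e.host == "+" and e.user == "+":
            findings.insert(0, "'+ +': ANY user on ANY host logs in without a password")
        elif e.host == "+":
            findings.append(f"'+ {e.user}': remote user {e.user} trusted from ANY host")
        elif e.user == "+":
            findings.append(f"'{e.host} +': ANY user on {e.host} trusted")
        else:
            who = e.user or "the same username"
            findings.append(f"passwordless login for {who} from {e.host}")
    return findings


def find_trust_files(home_root: str = "/home",
                     extra=("/root/.rhosts", "/etc/hosts.equiv")) -> List[Path]:
    """Locate lingering trust files: every ~/.rhosts under home_root plus the extras."""
    try:
        homes = os.listdir(home_root)
    except OSError:
        homes = []
    candidates = [Path(home_root) / d / ".rhosts" for d in homes] + [Path(x) for x in extra]
    return [p for p in candidates if p.is_file()]


# Constructed sample for illustration, not taken from any real system.
SAMPLE_RHOSTS = """\
# legacy build farm trust
buildhost.example.com           # same username on buildhost
deploy.example.com   ops        # remote user 'ops' may log in as me
-badhost.example.com            # explicitly denied
+ +                             # "temporary" fix from 1997
"""

if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE_RHOSTS):
        print("FINDING:", finding)
    for path in find_trust_files():
        print("lingering trust file:", path)
```

Run it as root on a suspect box and it prints the trust files it finds; feed each file's contents to audit_rhosts to see exactly which remote hosts and users can walk in. The point the emulation makes is that nothing in rhosts_permits ever checks a credential: a matching hostname (from DNS) and a claimed username are the whole ceremony.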