
enable/disable root rsh access


Thomas Gagne
Dec 6, 2000, 3:00:00 AM
I've just spent the better part of two hours searching through deja trying to
find out how I can enable root rsh access from machine devel to machine qa so I
can run the rdist command. Various suggestions were to modify /.rhosts,
/etc/hosts.equiv, and to comment-out a line in /etc/pam.d/login. None of
these seem to work.

The login file did allow me to telnet to qa and log in as root, but it did
not permit unfettered access for rsh.

Does anyone know how this feature can be enabled then disabled again? We only
want to permit it so we can run the rdist command.

--
.tom


Steve Houseman
Dec 6, 2000, 3:00:00 AM
Just a thought ...

- the .rhosts file is supposed to be used to grant access,
and that would be in the home directory of root which
(check and see) is probably /root
- the pam access is normally for the specific service, i.e.
/etc/pam.d/rsh, not login.

and the complete turn off for most queries is strace ...
(probably the best debugging tool out there)
assuming that rsh is run from inetd then attach strace to it
and you will see the actual files etc referenced ...

strace -o/tmp/dbin -f -t -p<inetd_pid>

fire in your request , ctl-C detaches when done, and /tmp/dbin
will contain (amongst tons of "noise") the files used.

Cheers,

Steve Houseman

--

currently steve.houseman at virgin net

Thomas Gagne
Dec 7, 2000, 10:28:49 AM
The strace shows pid 7517 (in my case) shortly after opening
/lib/security/pam_rhosts_auth.so, then checks /root/.rhosts, and then calls
syslog to report:

pam_rhosts_auth[7517]: denied to ro...@tgagne.home.lan as root: access not
allowed

The contents of /root/.rhosts:
+
tgagne
tgagne.home.lan
192.168.1.101

Maybe there's a new file format for .rhosts? I've tried it with and without
permissions == 600.

Also, it appears that rsh seems dependent on /etc/pam.d/rlogin -- at least
according to the strace.

--
.tom

Joe Schaefer
Dec 7, 2000, 12:03:49 PM
Thomas Gagne <tga...@ix.netcom.com> writes:

Perhaps the securetty in pam.d/rlogin is preventing root rsh (I doubt it, but
not knowing what your pam setup looks like, it's entirely possible). You
could test this by trying non-root users on each machine. It may also be your
.rhost file format is wrong, but since I ripped out rsh, rlogin and its r*
friends a while ago, my man pages don't document .rlogin file formats any more.

More to the point - why are you using rsh with .rhosts authentication? You
could accomplish the same thing with ssh with appropriate keys added (not
quite sure how the details work, since that's not what I'd do), or you
could set up kerberos and use a .k5login file (might be difficult for
automated rdists). Either would be far superior to the vanilla rsh setup
you appear to be using.

--
Joe Schaefer

Thomas Gagne
Dec 7, 2000, 11:24:17 AM
Hmm.

It seemed only after I had modified /etc/pam.d/rlogin to add the argument
"promiscuous" to the "pam_rhosts_auth" line that my /root/.rhosts w/ the
single entry "+" worked. As I started backing out changes I was able to put
everything back to where it was, except that /root/.rhosts was created, 600,
with the single entry of the machine I was rsh'ing from (just the hostname, no
domain info).

It was very helpful to load the sourcecode for PAM from the RH6.2 CD so I
could read the README and browse the source code.

--
.tom

Marble Head
Dec 7, 2000, 12:40:34 PM
Thomas Gagne <tga...@ix.netcom.com> wrote in
<3A2EB0A2...@ix.netcom.com>:


Here's a question:
Are you able to rsh as anybody other than root?

Tim Haynes
Dec 7, 2000, 12:47:36 PM
nob...@nowhere.com (Marble Head) writes:

[snip]


> >The login file did allow me to telnet to qa and login in as root, but it
> >did not permit unfettered access for rsh.
> >
> >Does anyone know how this feature can be enabled then disabled again?
> >We only want to permit it so we can run the rdist command.
>
> Here's a question:
> Are you able to rsh as anybody other than root?

OK, while I'm passing by, there used to be a couple of parameters you had
to stick on the end of the in.rshd line (or whatever it is) in inetd.conf
to enable rsh as root (d'oh, bad idea alert, use ssh, yadda).

I can't remember what they were, but look into `-h', `-i', or `-n'.

Disclaimer: I could be talking balls as normal, too.

~Tim
--
Triggered to power, wired to pain, | pig...@glutinous.custard.org
Direct-inject pleasure when the going gets tough| http://piglet.is.dreaming.org

ch...@pcscs.com
Dec 11, 2000, 4:50:58 AM
If you go into /etc/pam.d/rlogin,

make sure that the rhost authentication library (pam_rhosts_auth) is
first at the top of the list.

If your .rhosts entry is correct, you will be able to rlogin or rsh -l
even as root.
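
Putting the thread's findings together (the "+" wildcard in /root/.rhosts only took effect once "promiscuous" was added to the pam_rhosts_auth line in /etc/pam.d/rlogin, and an explicit hostname entry worked without it), here is an added audit script for a defender checking a host for that combination. It is not code from the thread; the sample .rhosts and PAM files are constructed, and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two settings the thread shows
# working together. pam_rhosts_auth ignores a '+' wildcard in ~/.rhosts unless
# its line in /etc/pam.d/rlogin carries the "promiscuous" argument; with both
# in place, any host that can reach the service is trusted as root.
# The files below are constructed samples so the script runs offline; real
# hosts would be checked with /root/.rhosts and /etc/pam.d/rlogin.

# Count .rhosts lines whose host field is the '+' wildcard (bare "+" or "+ user").
rhosts_wildcards() {                                  # rhosts_wildcards FILE
    grep -cE '^[[:space:]]*\+([[:space:]]|$)' "$1" || true
}

# Succeed when the pam_rhosts_auth line of a PAM service file has "promiscuous"
# (comment lines are skipped; only module arguments are inspected).
pam_promiscuous() {                                   # pam_promiscuous FILE
    grep -E '^[^#]*pam_rhosts_auth' "$1" | grep -qw promiscuous
}

# Combine both: "open" = wildcard honoured, "wildcard-ignored" = '+' present but
# the default PAM config refuses it (what the original poster first saw),
# "host-list" = only explicit hosts are listed.
rhosts_audit() {                                      # rhosts_audit RHOSTS PAMFILE
    if [ "$(rhosts_wildcards "$1")" -gt 0 ]; then
        if pam_promiscuous "$2"; then echo open; else echo wildcard-ignored; fi
    else
        echo host-list
    fi
}

WORK=$(mktemp -d)
RHOSTS_PLUS="$WORK/rhosts.plus"      # constructed: the poster's first attempt
RHOSTS_HOST="$WORK/rhosts.host"      # constructed: what finally stayed in place
PAM_DEFAULT="$WORK/rlogin.default"   # constructed, RH-6.2-style, no promiscuous
PAM_PROMISC="$WORK/rlogin.promisc"

printf '+\ntgagne\ntgagne.home.lan\n192.168.1.101\n' > "$RHOSTS_PLUS"
printf 'devel\n' > "$RHOSTS_HOST"
cat > "$PAM_DEFAULT" <<'EOF'
#%PAM-1.0
auth  required   /lib/security/pam_securetty.so
auth  sufficient /lib/security/pam_rhosts_auth.so
auth  required   /lib/security/pam_pwdb.so shadow
EOF
sed 's#pam_rhosts_auth.so#& promiscuous#' "$PAM_DEFAULT" > "$PAM_PROMISC"

rhosts_audit "$RHOSTS_PLUS" "$PAM_DEFAULT"   # wildcard-ignored
rhosts_audit "$RHOSTS_PLUS" "$PAM_PROMISC"   # open
rhosts_audit "$RHOSTS_HOST" "$PAM_PROMISC"   # host-list
```

An "open" result is the state the thread was trying to reach temporarily for rdist and is the one to alert on if it outlives the job.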
