07-07-2008, 06:53 PM
MHR

rsh problems in CentOS 5.2 (was "cvs command failure on 5.2")

Okay, I've narrowed the problem down quite a bit. As previously
reported, in CentOS 5.2 I get this:

$ cvs log Makefile
poll: protocol failure in circuit setup
cvs [log aborted]: end of file from server (consult above messages if any)

Turns out this is a problem with rsh:

$ rsh khan ls
connect to address 10.24.15.48 port 544: Connection refused
Trying krb4 rsh...
connect to address 10.24.15.48 port 544: Connection refused
trying normal rsh (/usr/bin/rsh)
poll: protocol failure in circuit setup

Now, if I just remotely login to khan (our cvs server), I get this:

[mrichter@sushi ~]$ khan
connect to address 10.24.15.48 port 543: Connection refused
Trying krb4 rlogin...
connect to address 10.24.15.48 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Last login: Fri Jul 4 18:19:01 from viper
[mrichter@khan mrichter]$

Voila - I'm logged in.

Also, if I try an rsh from another machine (viper - FC1), I get this:

[mrichter@viper mrichter]$ rsh khan ls
connect to address 10.24.15.48: Connection refused
Trying krb4 rsh...
connect to address 10.24.15.48: Connection refused
trying normal rsh (/usr/bin/rsh)
Desktop
Documents
Download
Music
Pictures
Public
Templates
Videos
bin
lane608
rls_607
temp.xml


So, what is it about rsh from CentOS 5.2 such that the kerberos
certification destroys its chances of success? Alternative question:
what do I need to tweak to make this work?

Thanks.

mhr

PS: Google has lots of wrong answers on this, mostly really old and of
no use at all.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-07-2008, 07:04 PM
Stephen John Smoogen

On Mon, Jul 7, 2008 at 12:53 PM, MHR <mhullrich@gmail.com> wrote:
> Okay, I've narrowed the problem down quite a bit. As previously
> reported, in CentOS 5.2 I get this:
>

Well, why are ports 544 and 543 getting connection refused in the logs on
the server? Are you using kerberos? Are the tickets you are getting
forwardable?

> $ cvs log Makefile
> poll: protocol failure in circuit setup
> cvs [log aborted]: end of file from server (consult above messages if any)
>
> Turns out this is a problem with rsh:
>
> $ rsh khan ls
> connect to address 10.24.15.48 port 544: Connection refused
> Trying krb4 rsh...
> connect to address 10.24.15.48 port 544: Connection refused
> trying normal rsh (/usr/bin/rsh)
> poll: protocol failure in circuit setup
>
> Now, if I just remotely login to khan (our cvs server), I get this:
>
> [mrichter@sushi ~]$ khan
> connect to address 10.24.15.48 port 543: Connection refused
> Trying krb4 rlogin...
> connect to address 10.24.15.48 port 543: Connection refused
> trying normal rlogin (/usr/bin/rlogin)
> Last login: Fri Jul 4 18:19:01 from viper
> [mrichter@khan mrichter]$
>
> Voila - I'm logged in.
>
> Also, if I try an rsh from another machine (viper - FC1), I get this:
>
> [mrichter@viper mrichter]$ rsh khan ls
> connect to address 10.24.15.48: Connection refused
> Trying krb4 rsh...
> connect to address 10.24.15.48: Connection refused
> trying normal rsh (/usr/bin/rsh)
> Desktop
> Documents
> Download
> Music
> Pictures
> Public
> Templates
> Videos
> bin
> lane608
> rls_607
> temp.xml
>
>
> So, what is it about rsh from CentOS 5.2 such that the kerberos
> certification destroys its chances of success? Alternative question:
> what do I need to tweak to make this work?
>
> Thanks.
>
> mhr
>
> PS: Google has lots of wrong answers on this, mostly really old and of
> no use at all.



--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
 
07-07-2008, 07:13 PM
Stephen Harris

On Mon, Jul 07, 2008 at 11:53:42AM -0700, MHR wrote:

> $ rsh khan ls
> connect to address 10.24.15.48 port 544: Connection refused
> Trying krb4 rsh...
> connect to address 10.24.15.48 port 544: Connection refused
> trying normal rsh (/usr/bin/rsh)
> poll: protocol failure in circuit setup

This version of rsh is probably /usr/kerberos/bin/rsh (use "type rsh"
or "which rsh" to verify). Try using /usr/bin/rsh instead.

(the krb5-workstation package sets this early on your PATH in /etc/profile.d/)

--

rgds
Stephen
 
07-07-2008, 08:45 PM
MHR

On Mon, Jul 7, 2008 at 12:13 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Mon, Jul 07, 2008 at 11:53:42AM -0700, MHR wrote:
>
> This version of rsh is probably /usr/kerberos/bin/rsh (use "type rsh"
> or "which rsh" to verify). Try using /usr/bin/rsh instead.
>
> (the krb5-workstation package sets this early on your PATH in /etc/profile.d/)
>

I wondered about that. So, per your suggestion, I modified the way my
path gets set up, and here's what happened:

[mrichter@sushi lane]$ cvs diff Makefile
poll: protocol failure in circuit setup
cvs [diff aborted]: end of file from server (consult above messages if any)

[mrichter@sushi lane]$ rsh khan ls
poll: protocol failure in circuit setup

[mrichter@sushi lane]$ which rsh
~/bin/rsh

[mrichter@sushi lane]$ ls -l ~/bin/rsh
lrwxrwxrwx 1 mrichter RnD 12 Jul 7 13:14 /home/mrichter/bin/rsh -> /usr/bin/rsh*

FYI:

[mrichter@sushi ~]$ echo $PATH
::/home/mrichter/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/sbin:/usr/sbin:/usr/local/sbin:/other/mhr

[mrichter@sushi ~]$


Apparently, it is a problem with /usr/bin/rsh itself....

mhr
 
07-07-2008, 08:59 PM
Stephen Harris

On Mon, Jul 07, 2008 at 01:45:25PM -0700, MHR wrote:

> [mrichter@sushi lane]$ rsh khan ls
> poll: protocol failure in circuit setup

Are you sure there are no firewalls in place that could be blocking access?
Note that "rsh machine" really calls "rlogin machine" and so talks on
a different port (port 513) whereas "rsh machine command" uses port 514.

You should tcpdump the traffic while trying to do an rsh to see what is
going on.

--

rgds
Stephen
 
07-07-2008, 10:21 PM
MHR

On Mon, Jul 7, 2008 at 1:59 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Mon, Jul 07, 2008 at 01:45:25PM -0700, MHR wrote:
>
> Are you sure there are no firewalls in place that could be blocking access?
> Note that "rsh machine" really calls "rlogin machine" and so talks on
> a different port (port 513) whereas "rsh machine command" uses port 514.
>
> You should tcpdump the traffic while trying to do an rsh to see what is
> going on.
>

That helps some - I got a lot of data (duh), but the key piece, I
think, was this:

15:06:00.480483 IP sushi.ocroads.com.1023 > khan.sjhtca.com.shell: . ack 1 win 46 <nop,nop,timestamp 348358235 81958271>
15:06:00.480735 IP sushi.ocroads.com.1023 > khan.sjhtca.com.shell: P 1:6(5) ack 1 win 46 <nop,nop,timestamp 348358235 81958271>
15:06:00.480942 IP khan.sjhtca.com.shell > sushi.ocroads.com.1023: . ack 6 win 5792 <nop,nop,timestamp 81958271 348358235>
15:06:00.481938 IP khan.sjhtca.com.33409 > sushi.ocroads.com.auth: S 3105739037:3105739037(0) win 5840 <mss 1460,sackOK,timestamp 81958271 0,nop,wscale 0>
15:06:00.481969 IP sushi.ocroads.com > khan.sjhtca.com: ICMP host sushi.ocroads.com unreachable - admin prohibited, length 68
15:06:00.485455 IP khan.sjhtca.com.1023 > sushi.ocroads.com.1022: S 3115029742:3115029742(0) win 5840 <mss 1460,sackOK,timestamp 81958271 0,nop,wscale 0>
15:06:00.485527 IP sushi.ocroads.com > khan.sjhtca.com: ICMP host sushi.ocroads.com unreachable - admin prohibited, length 68

If I start from khan, I get this:

[mrichter@khan mrichter]$ rsh sushi ls
sushi: No route to host
[mrichter@khan mrichter]$ rsh sushi
sushi: No route to host

What's strange (to me) about this is that I can ping and ssh to sushi
from khan, and the resolv.conf on khan contains the line "search
ocroads.com" which is where sushi is located (sushi =
sushi.ocroads.com, khan = khan.sjhtca.com), so I'm not clear on what
/else/ needs to be set for this to work.

???

Thanks to all so far....

mhr
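
A small parser for the capture in the post above, added here as an illustration and not part of the original thread: it pairs each inbound SYN with the ICMP "admin prohibited" reply that rejects it. The capture lines are abridged from the post (TCP options dropped); the function names and the labelling of the ports are this example's own assumptions, based on the rsh protocol, in which the client announces a reserved port for stderr and the server connects back to it.

```python
import re

# Abridged from the tcpdump output in the post (TCP options removed).
# "P 1:6(5)" is 5 bytes from the client, consistent with the stderr port
# announcement "1022" plus a NUL byte (interpretation, not shown in the capture).
CAPTURE = """\
15:06:00.480735 IP sushi.ocroads.com.1023 > khan.sjhtca.com.shell: P 1:6(5) ack 1 win 46
15:06:00.480942 IP khan.sjhtca.com.shell > sushi.ocroads.com.1023: . ack 6 win 5792
15:06:00.481938 IP khan.sjhtca.com.33409 > sushi.ocroads.com.auth: S 3105739037:3105739037(0) win 5840
15:06:00.481969 IP sushi.ocroads.com > khan.sjhtca.com: ICMP host sushi.ocroads.com unreachable - admin prohibited, length 68
15:06:00.485455 IP khan.sjhtca.com.1023 > sushi.ocroads.com.1022: S 3115029742:3115029742(0) win 5840
15:06:00.485527 IP sushi.ocroads.com > khan.sjhtca.com: ICMP host sushi.ocroads.com unreachable - admin prohibited, length 68
"""

ICMP = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP host \S+ unreachable - admin prohibited")
TCP = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+) ")

def rejected_syns(capture):
    """Return (initiator, target, port) for each SYN answered by ICMP admin-prohibited."""
    rejected, pending = [], None
    for line in capture.splitlines():
        m = ICMP.match(line)  # test ICMP first: the TCP pattern would misread these lines
        if m:
            # The rejection comes from the SYN's target and goes back to its sender.
            if pending and (m.group(2), m.group(1)) == pending[:2]:
                rejected.append(pending)
            pending = None
            continue
        m = TCP.match(line)
        if m:
            src, _sport, dst, dport, flags = m.groups()
            pending = (src, dst, dport) if flags == "S" else None
    return rejected

def describe(port):
    """Label a rejected port (this example's reading of the rsh/rcmd exchange)."""
    if port in ("auth", "113"):
        return "ident lookup of the client user"
    if port.isdigit() and 512 <= int(port) <= 1023:
        return "rsh stderr back-channel to a client reserved port"
    return "other inbound connection"

def report(capture):
    return [f"{s} -> {d}:{p} rejected ({describe(p)})" for s, d, p in rejected_syns(capture)]

if __name__ == "__main__":
    print("\n".join(report(CAPTURE)))
```

Both rejected connections are initiated by khan towards sushi, so the filtering to look at is on sushi's inbound side rather than on the server.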
 
07-07-2008, 10:28 PM
MHR

On Mon, Jul 7, 2008 at 3:04 PM, William L. Maltby
<CentOS4Bill@triad.rr.com> wrote:
>
> I figure you've probably checked this already, but is rcpwrappers
> installed?

No, not on either system (what is rcpwrappers?).

> If so, are hosts.deny and hosts.allow setup good? I suspect
> so - I think I saw you had some kind of successful connect earlier in
> the thread.
>
They're fine. In fact, sushi is in khan's /etc/hosts file explicitly,
and khan thinks it's on ocroads.com:

[mrichter@khan mrichter]$ hostname -f
khan.ocroads.com

> Have you run with the -d parameter?
>

Nothing new (actually, nothing at all).

?!?

mhr
 
07-07-2008, 10:31 PM
Stephen Harris

On Mon, Jul 07, 2008 at 03:28:00PM -0700, MHR wrote:
> On Mon, Jul 7, 2008 at 3:04 PM, William L. Maltby

> > If so, are hosts.deny and hosts.allow setup good? I suspect

> They're fine. In fact, sushi is in khan's /etc/hosts file explicitly,
> and khan thinks it's on ocroads.com:

hosts.allow and hosts.deny are _different_ to /etc/hosts; they specify
what machines are allowed to connect to what services. It's possible
the remote server is denying access to the machine.

--

rgds
Stephen
 
07-07-2008, 10:33 PM
Stephen Harris

On Mon, Jul 07, 2008 at 03:21:04PM -0700, MHR wrote:
>
> What's strange (to me) about this is that I can ping and ssh to sushi

*grin* switch to using ssh for your CVS connections then and bypass the
whole issue. rsh is insecure, anyway!

--

rgds
Stephen
 
07-07-2008, 11:00 PM
MHR

On Mon, Jul 7, 2008 at 3:33 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Mon, Jul 07, 2008 at 03:21:04PM -0700, MHR wrote:
>>
>> What's strange (to me) about this is that I can ping and ssh to sushi
>
> *grin* switch to using ssh for your CVS connections then and bypass the
> whole issue. rsh is insecure, anyway!
>

Yeah, but there are problems with that approach. I routinely do mass
cvs commands in loops, like showing all differences between my files
and the repo files, and if there are a lot of them, I don't want to
have to input my password 100+ times....

It works, BTW, but it's not a great solution.

Thanks.

mhr