rsh problems in CentOS 5.2 (was "cvs command failure on 5.2")
On Mon, Jul 7, 2008 at 11:53 AM, MHR <mhullrich@gmail.com> wrote:
> Okay, I've narrowed the problem down quite a bit. As previously
> reported, in CentOS 5.2 I get this:
>
> $ cvs log Makefile
> poll: protocol failure in circuit setup
> cvs [log aborted]: end of file from server (consult above messages if any)
>
> Turns out this is a problem with rsh:
>
> $ rsh khan ls
> connect to address 10.24.15.48 port 544: Connection refused
> Trying krb4 rsh...
> connect to address 10.24.15.48 port 544: Connection refused
> trying normal rsh (/usr/bin/rsh)
> poll: protocol failure in circuit setup
>
> Now, if I just remotely log in to khan (our cvs server), I get this:
>
> [mrichter@sushi ~]$ khan
> connect to address 10.24.15.48 port 543: Connection refused
> Trying krb4 rlogin...
> connect to address 10.24.15.48 port 543: Connection refused
> trying normal rlogin (/usr/bin/rlogin)
> Last login: Fri Jul 4 18:19:01 from viper
> [mrichter@khan mrichter]$
>
> Voila - I'm logged in.
>
> Also, if I try an rsh from another machine (viper - FC1), I get this:
>
> [mrichter@viper mrichter]$ rsh khan ls
> connect to address 10.24.15.48: Connection refused
> Trying krb4 rsh...
> connect to address 10.24.15.48: Connection refused
> trying normal rsh (/usr/bin/rsh)
> Desktop
> Documents
> Download
> Music
> Pictures
> Public
> Templates
> Videos
> bin
> lane608
> rls_607
> temp.xml
>
>
> So, what is it about rsh from CentOS 5.2 such that the kerberos
> certification destroys its chances of success? Alternative question:
> what do I need to tweak to make this work?
>
Narrowed it down a bit further: I can rsh to khan directly with no
command, but if I add a command, that's when the rsh fails:
[mrichter@sushi lane]$ khan
connect to address 10.24.15.48 port 543: Connection refused
Trying krb4 rlogin...
connect to address 10.24.15.48 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Last login: Mon Jul 7 11:59:59 from sushi
[mrichter@khan mrichter]$ ls
bin/ Documents/ lane608/ Pictures/ rls_607/ temp.xml
Desktop/ Download/ Music@ Public/ Templates/ Videos/
[mrichter@khan mrichter]$ exit
rlogin: connection closed.
[mrichter@sushi lane]$ rsh khan ls
connect to address 10.24.15.48 port 544: Connection refused
Trying krb4 rsh...
connect to address 10.24.15.48 port 544: Connection refused
trying normal rsh (/usr/bin/rsh)
poll: protocol failure in circuit setup
[mrichter@sushi lane]$
Sushi is my CentOS 5.2 machine, khan is our CVS server running:
[mrichter@khan mrichter]$ lsb_release -a
LSB Version: 1.3
Distributor ID: RedHatEnterpriseAS
Description: Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
Release: 3
Codename: TaroonUpdate2
Any ideas?
mhr
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
07-07-2008, 10:04 PM
"William L. Maltby"
On Mon, 2008-07-07 at 16:59 -0400, Stephen Harris wrote:
> On Mon, Jul 07, 2008 at 01:45:25PM -0700, MHR wrote:
>
> > [mrichter@sushi lane]$ rsh khan ls
> > poll: protocol failure in circuit setup
>
> Are you sure there are no firewalls in place that could be blocking access?
> Note that "rsh machine" really calls "rlogin machine" and so talks on
> a different port (port 513) whereas "rsh machine command" uses port 514.
>
> You should tcpdump the traffic while trying to do an rsh to see what is
> going on.
I figure you've probably checked this already, but is rcpwrappers
installed? If so, are hosts.deny and hosts.allow setup good? I suspect
so - I think I saw you had some kind of successful connect earlier in
the thread.
Have you run with the -d parameter?
HTH
--
Bill
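
An added illustration of the point above that `rsh machine command` uses its own port (not part of the thread, and not code from any poster): with a command, the client also sends the server a port number and the server connects back to it for stderr, so filtering on the client side can break setup even though rlogin works. The toy server, loopback addresses, unprivileged ports and the `client_firewall_rejects` flag are constructed for the demo; real rsh uses reserved ports and host-based authentication.

```python
import select
import socket
import threading

def read_cstr(conn):
    """Read one NUL-terminated field, the framing rsh uses for every setup value."""
    out = b""
    while (ch := conn.recv(1)) not in (b"\0", b""):
        out += ch
    return out

def toy_rshd(listener, client_firewall_rejects):
    """Constructed stand-in for the server side (no authentication, no command run)."""
    conn, peer = listener.accept()
    with conn:
        port = int(read_cstr(conn) or b"0")      # first field: client's stderr port
        if port:
            if client_firewall_rejects:          # simulated: connect-back is refused
                return                           # server gives up, primary socket closes
            socket.create_connection((peer[0], port), timeout=2).close()
        for _ in range(3):                       # local user, remote user, command
            read_cstr(conn)
        conn.sendall(b"\0")                      # single zero byte: setup accepted

def rsh_setup(server_addr, timeout=2.0):
    """Client side of the setup; returns 'ok' or the stage that failed."""
    with socket.socket() as back, socket.create_connection(server_addr) as primary:
        back.bind(("127.0.0.1", 0))              # real clients use a reserved port
        back.listen(1)
        primary.sendall(str(back.getsockname()[1]).encode() + b"\0")
        ready, _, _ = select.select([primary, back], [], [], timeout)
        if back not in ready:                    # EOF or silence instead of connect-back
            return "protocol failure in circuit setup"
        back.accept()[0].close()
        primary.sendall(b"mrichter\0mrichter\0ls\0")
        return "ok" if primary.recv(1) == b"\0" else "rejected by server"

def demo(client_firewall_rejects):
    """Run one setup against the toy server on loopback and report the outcome."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        t = threading.Thread(target=toy_rshd, args=(srv, client_firewall_rejects))
        t.start()
        try:
            return rsh_setup(srv.getsockname())
        finally:
            t.join()

if __name__ == "__main__":
    print(demo(False), "/", demo(True))
```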
07-07-2008, 10:48 PM
Scott Silva
on 7-7-2008 3:28 PM MHR spake the following:
> On Mon, Jul 7, 2008 at 3:04 PM, William L. Maltby
> <CentOS4Bill@triad.rr.com> wrote:
> > I figure you've probably checked this already, but is rcpwrappers
> > installed?
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
07-07-2008, 11:08 PM
"William L. Maltby"
On Mon, 2008-07-07 at 15:28 -0700, MHR wrote:
> On Mon, Jul 7, 2008 at 3:04 PM, William L. Maltby
> <CentOS4Bill@triad.rr.com> wrote:
> >
> > I figure you've probably checked this already, but is rcpwrappers
> > installed?
>
> No, not on either system (what is rcpwrappers?).
A typoed tcpwrappers <*blush*>. I'm sorry for that.
>
> > If so, are hosts.deny and hosts.allow setup good? I suspect
> > so - I think I saw you had some kind of successful connect earlier in
> > the thread.
> >
> They're fine. In fact, sushi is in khan's /etc/hosts file explicitly,
> and khan thinks it's on ocroads.com:
That file is not related to tcpwrappers. The /etc/hosts.{allow,deny} are
effective if tcpwrappers is in use.
# rpm -q tcp_wrappers
tcp_wrappers-7.6-40.4.el5
IIRC, this is usually installed by default? It's almost become
mandatory for increased security.
But as I mentioned, I'm not sure this is needed or in use since you did
have some kind of good connection.
JIC
-----------------------------------------------------
# rpm -q --info tcp_wrappers
<snip>
Summary : A security tool which acts as a wrapper for TCP daemons.
Description :
The tcp_wrappers package provides small daemon programs which can
monitor and filter incoming requests for systat, finger, FTP, telnet,
rlogin, rsh, exec, tftp, talk and other network services.
Install the tcp_wrappers program if you need a security tool for
filtering incoming network services requests.
-----------------------------------------------------
Also, check out "man portmap" and "man rpcdebug". I don't know if
they'll help.
Oh! IJR, do this thing after running makewhatis as root.
$ man -k rpc
<snip useless stuff>
portmap (8) - DARPA port to RPC program number mapper
portmap (rpm) - A program which manages RPC connections.
rpc (3) - library routines for remote procedure calls
rpc (5) - rpc program number data base
rpc.gssd [gssd] (8) - rpcsec_gss daemon
rpc.idmapd [idmapd] (8) - NFSv4 ID <-> Name Mapper
rpc.lockd [lockd] (8) - start kernel lockd process
rpc.mountd [mountd] (8) - NFS mount daemon
rpc.nfsd [nfsd] (8) - NFS server process
rpc.rquotad [rquotad] (8) - remote quota server
rpc.statd [statd] (8) - NSM status monitor
rpc.svcgssd [svcgssd] (8) - server-side rpcsec_gss daemon
rpcdebug (8) - set and clear NFS and RPC kernel debug flags
rpcinfo (8) - report RPC information
I can't recall if your problem is one of those "worked on 5.1 but
now..." problems. If so, maybe the prior had tcpwrappers setup and now
you don't?
>
> [mrichter@khan mrichter]$ hostname -f
> khan.ocroads.com
>
> > Have you run with the -d parameter?
> >
>
> Nothing new (actually, nothing at all).
>
> ?!?
>
> mhr
> <snip sig stuff>
BTW, IUC, there are several points at which connection can be refused.
Service not running, firewall, tcpwrappers, ... that general purpose
daemon that dispatches programs for remote requests like ftp, that I
can't remember the name of ATM.
HTH
--
Bill