Old 06-24-2008, 05:10 AM
"bruce"
 
Default rsh issue (access denied)...

hi...

i've got an "access denied" issue with rsh on one of my boxes (and before we
start, no use ssh comments.. rsh is what i'm dealing with for now!!)

i've got a few boxes in my network, and i can successfully rsh into them
with no issue. however, on one box, i can't access it using rsh, and i'm
running out of things to try... kind of curious.

i can login using rlogin.

i've modified the /etc/pam.d/rsh,rlogin files, along with the /etc/securetty
file. as far as i can tell, nothing else has been changed...

the curious thing. as far as i can tell... the files on the system that
doesn't work, are the same as the files on the systems that are allowing rsh
to occur...

the err i'm getting in the /var/log/secure is:
Jun 23 22:16:09 lserver5 userhelper[2186]: pam_timestamp(system-config-services:session): updated timestamp file `/var/run/sudo/root/unknown'
Jun 23 22:16:09 lserver5 userhelper[2189]: running '/usr/sbin/system-config-services' with root privileges on behalf of 'root'
Jun 23 22:16:28 lserver5 xinetd[2227]: START: shell pid=2239 from=192.168.1.45
Jun 23 22:16:28 lserver5 rshd[2239]: pam_rhosts_auth(rsh:auth): denied to root@192.168.1.45 as test1: access not allowed
Jun 23 22:16:28 lserver5 rshd[2239]: pam_unix(rsh:session): session opened for user test1 by (uid=0)
Jun 23 22:16:28 lserver5 rshd[2239]: pam_unix(rsh:session): session closed for user test1

/etc/pam.d/rsh
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth sufficient pam_rhosts_auth.so promiscuous
auth required pam_securetty.so
auth required pam_env.so
account include system-auth
session include system-auth

/etc/pam.d/rlogin
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rlogin" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth sufficient pam_rhosts_auth.so promiscuous
auth required pam_securetty.so
auth required pam_env.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth

/etc/securetty
rsh
rlogin
rlogind
console
vc/1
vc/2
vc/3
vc/4
vc/5
.
.
.


so... any thoughts/comments/things to check would be greatly appreciated....

thanks



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 06-24-2008, 08:47 AM
Alexander Apprich
 
Default rsh issue (access denied)...

Hi Bruce,

just a wild guess...

check /etc/xinetd.d/rsh and /etc/xinetd.d/rlogin if they contain
disable = yes
if so, change it to
disable = no
and restart xinetd

Hth

Alex
--
Alexander Apprich science + computing ag
Senior System Engineer Hagellocher Weg 71-75
phone +49(0)7071 9457-291 D-72070 Tuebingen, Germany
fax +49(0)7071 9457-211 www.science-computing.de

s+c certificates via http://www.science-computing.de/cacert.crt
--
Vorstand/Board of Management:
Dr. Bernd Finkbeiner, Dr. Florian Geyer,
Dr. Roland Niemeier, Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/
Chairman of the Supervisory Board:
Prof. Dr. Hanns Ruder
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196


 
Old 06-24-2008, 02:05 PM
"bruce"
 
Default rsh issue (access denied)...

Hi Alexander...

Thanks for the reply... I'd already changed the /etc/xinetd.d/rsh,rlogin, files but forgot to list them. The files as they exist are:


/etc/xinetd.d/rexec::
# description: Rexecd is the server for the rexec(3) routine. The server
# provides remote execution facilities with authentication based
# on user names and passwords.
service exec
{
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rexecd
    disable = no
}


/etc/xinetd.d/rsh::
# default: on
# description: The rshd server is the server for the rcmd(3) routine and,
# consequently, for the rsh(1) program. The server provides
# remote execution facilities with authentication based on
# privileged port numbers from trusted hosts.
service shell
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rshd
}


/etc/xinetd.d/rlogin::
# default: on
# description: rlogind is the server for the rlogin(1) program. The server
# provides a remote login facility with authentication based on
# privileged port numbers from trusted hosts.
service login
{
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rlogind
    disable = no
}


 
Old 06-24-2008, 08:59 PM
gerrynix
 
Default rsh issue (access denied)...

Try a:
# chkconfig --list | less
and confirm that the services you require are "on." If not, use chkconfig (man pages) to turn them on (reboot may be required, if you don't know how to start the daemons manually). However, if they are already marked as "on", then there are likely configuration problems in /etc/hosts.equiv or .rhosts (whichever you are using) on the machine running the daemons. Both files should have man pages outlining syntax.
--
Nix

 
Old 06-25-2008, 01:26 AM
Cameron Simpson
 
Default rsh issue (access denied)...

On 24Jun2008 13:59, gerrynix <gerrynix@yahoo.com> wrote:
| Try a:
| # chkconfig --list | less
| and confirm that the services you require are "on." [...]

We know from the syslog lines that the service is "on" because there is
a PAM auth error message for rsh. "netstat -an | grep LISTEN" should
show the service being available, too. Port number 514, I think.

I'd check the PAM authentication configuration.
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

It is seldom that liberty of any kind is lost all at once. - Hume

 
Old 06-25-2008, 06:03 AM
Alexander Apprich
 
Default rsh issue (access denied)...

I discovered differences between your /etc/pam.d/rsh|rlogin
could you backup your files and replace them with the following
lines?

apprich@elmstreet pam.d $ cat rsh
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts_auth.so
account include system-auth
session optional pam_keyinit.so force revoke
session include system-auth



apprich@elmstreet pam.d $ cat rlogin
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rlogin" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts_auth.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth


I'm wondering why this is different on your system, as rsh
worked like out-of-the-box here by just enabling rsh/rlogin
in /etc/xinetd.d and restarting xinetd

Alex
 
Old 06-25-2008, 12:03 PM
"bruce"
 
Default rsh issue (access denied)...

hi guys!!

once again, gotta say thanks to the group on the list/net! the rsh issue was/is solved. it appears that the access denied issue was due to the user's "home" directory, not being owned by the "user" which led to some internal permission issues on the rsh server box:

so when i did a "rsh -l test foo 'ls'",
this would attempt to login as the user "test" on the "foo" server, and to do an "ls" of the home dir for "test" user on the "foo" server. in this instance, the permissions issue caused an access denied. correcting the owner/group for the "/home/test" solved the issue. there was no need to make any changes, and in fact, no need to have any local ".rhosts" file...

a little tricky issue.. but hopefully, this might help someone in the future in trying to diagnose their issues..

thanks again!!
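
The diagnosis reached in this thread, as an added example that is not code from any of the posters: it pulls the pam_rhosts_auth denials out of /var/log/secure-style lines and checks that each denied local user's home directory is owned by that user. The sample lines are copied from the first post; the function names and the `lookup` callback are assumptions of this example.

```python
import os
import pwd
import re

# Sample input: three of the /var/log/secure lines quoted in the first post.
SAMPLE_LOG = """\
Jun 23 22:16:28 lserver5 xinetd[2227]: START: shell pid=2239 from=192.168.1.45
Jun 23 22:16:28 lserver5 rshd[2239]: pam_rhosts_auth(rsh:auth): denied to root@192.168.1.45 as test1: access not allowed
Jun 23 22:16:28 lserver5 rshd[2239]: pam_unix(rsh:session): session opened for user test1 by (uid=0)
"""

DENIED = re.compile(
    r"pam_rhosts_auth\((?P<service>\w+):auth\): denied to "
    r"(?P<ruser>[^@\s]+)@(?P<rhost>\S+) as (?P<luser>[^:\s]+): (?P<reason>.*)$"
)

def parse_denials(log_text):
    """Return one dict per pam_rhosts_auth denial line in log_text."""
    hits = (DENIED.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in hits if m]

def check_home(path, expected_uid):
    """Return a list of problems with a home directory (empty list = fine)."""
    try:
        st = os.stat(path)  # follows symlinks, as a login would
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
    return problems

def passwd_lookup(user):
    """Resolve user -> (home, uid) from the local passwd database, or None."""
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return None
    return entry.pw_dir, entry.pw_uid

def triage(log_text, lookup=passwd_lookup):
    """Map each denied local user to the problems found with its home."""
    report = {}
    for d in parse_denials(log_text):
        entry = lookup(d["luser"])
        report[d["luser"]] = check_home(*entry) if entry else ["no passwd entry"]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the rsh server, feed `triage()` the contents of /var/log/secure; an ownership mismatch is fixed with chown on the home directory, as described in the post above.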


