Bug 174146
Summary: | RHEL3: pam_access.so does not work with rexec for IP/hostname restriction | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Hai Wu <hxwu> |
Component: | rsh | Assignee: | Karel Zak <kzak> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Priority: | medium |
Version: | 3.0 | CC: | tmraz |
Hardware: | i386 | OS: | Linux |
Fixed In Version: | RHBA-2006-0231 | Doc Type: | Bug Fix |
Last Closed: | 2006-03-29 20:55:24 UTC | Bug Blocks: | 178252, 187539 |
Description
Hai Wu
2005-11-25 04:38:12 UTC
This is clearly a problem in rexec not pam_access.

Here is more information from /var/log/messages on the rexecd server:

Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from testhost1
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user `asrc' from `rexec'

The messages indicate that in.rexecd knows that the connection came from 'testhost1', but pam_access doesn't know the source of the connection, it just knew it came from 'rexec'. Not sure if this would be helpful.

You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);

We have a few RedHat Enterprise Linux servers (with subscriptions) here, waiting for this bug to be fixed shortly. Otherwise, we are seriously considering that we might have to use Windows servers to replace these Linux boxes, since we have a tight project schedule. Is it possible for you to have it fixed soon? Thanks.

Well, then please could you use your paid subscription support issue tracker to report the bug. It would raise the chances that it will be fixed soon. Please mention this bug number in the tracker entry.

The problem has been fixed in FC4 and FC5.

That's good news for us! It seems to me that FC4 and FC5 are only for 2.6 kernel. I hope RedHat could backport this fix to RHEL 3 (2.4 kernel). I also requested Dell support to upgrade this case to RedHat, since we bought RedHat subscription through Dell.

Thanks,
Hai

It's definitely the rsh package problem only. There's no problem in kernel.

I just tried it, but it is not working in my case. I downloaded this Fedora package at http://download.fedora.redhat.com/pub/fedora/linux/core/development/i386/SRPMS/rsh-0.17-32.src.rpm, compiled and installed it on RHEL ES 3 Update 6, then I used the old /etc/pam.d/rexec file (I am not sure if I can use the new /etc/pam.d/rexec that comes with rsh-server package, since it has new PAM syntax). The testing results are the same as before, still not working. Does it mean this new version would only work with the new PAM version in FC4 & FC5?

Thanks,

Hai, you need to recompile and test the latest version: rsh-0.17-33 (FC5/development) or rsh-0.17-29.1 (FC4). I fixed it yesterday, so it's possible that it isn't on all Fedora mirrors yet. You have to use the old /etc/pam.d/rexec (or I think that FC4 has the old version of PAM syntax too).

Thanks! I tested the source RPM package of rsh-0.17-29.1 on RHEL3U6, and it works! I have to use the source RPM since the binary one complains about some libc dependency on RHEL3. Now it is a matter of time for this package to be formally ported to RHEL3.

Thanks!
Hai

From User-Agent: XML-RPC

Refer to bug#174146 for details on this case. Karel Zak (kzak) has been working on this problem with the customer. The problem has been identified to be in the rsh code which has been fixed in FC4 and FC5. Customer has recompiled and tested rsh-0.17-29.1 on RHEL3U6 and it fixes his problem. They are requesting RH to backport this fix into RHEL3 and release this fix to provide a supported solution. SEG, Please escalate to engineering.

Issue escalated to Support Engineering Group by: sbenjamin.
sbenjamin assigned to issue for Dell
Bugzilla id 174146 added to issue.
Category set to: Services
Internal Status set to 'Waiting on SEG'
Status set to: Waiting on Tech
This event sent from IssueTracker by sbenjamin
issue 83956

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0231.html
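
The symptom in the log excerpt above (the daemon logs the client host, pam_access logs a different origin) can be checked for mechanically. The following is an added example, not part of the bug report or the rsh package: it pairs each "connect from" line with the pam_access denial logged under the same host and PID and reports denials whose origin is not the connecting peer. The function name and the assumption that both lines share a PID in the syslog format quoted above are illustrative.

```python
import re

# The first two lines are the ones quoted in the report; the rest are constructed.
SAMPLE = """\
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from testhost1
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user `asrc' from `rexec'
Nov 25 14:05:02 rexecd_server_name /usr/sbin/in.rexecd[20311]: connect from testhost2
Nov 25 14:05:02 rexecd_server_name pam_access[20311]: access denied for user `guest' from `testhost2'
Nov 25 14:09:40 rexecd_server_name pam_access[20400]: access denied for user `asrc' from `rexec'
"""

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) "
                  r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (\S+)$")
DENIED = re.compile(r"^access denied for user `([^']*)' from `([^']*)'$")


def find_origin_mismatches(log_text):
    """Return pam_access denials whose origin differs from the peer that
    the daemon logged for the same host and PID."""
    peers = {}      # (loghost, pid) -> (daemon, peer)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key = (m["host"], m["pid"])
        connect = CONNECT.match(m["msg"])
        if connect and m["prog"] != "pam_access":
            peers[key] = (m["prog"], connect.group(1))
            continue
        denied = DENIED.match(m["msg"])
        # Denials with no matching connect record are skipped: the peer is unknown.
        if denied and m["prog"] == "pam_access" and key in peers:
            daemon, peer = peers[key]
            user, origin = denied.groups()
            # Exact string compare; a name-versus-address difference
            # also lands here and needs manual review.
            if origin != peer:
                findings.append({"daemon": daemon, "pid": m["pid"], "user": user,
                                 "peer": peer, "origin": origin})
    return findings


if __name__ == "__main__":
    for f in find_origin_mismatches(SAMPLE):
        print("{daemon}[{pid}]: peer {peer!r} but pam_access saw {origin!r} (user {user})".format(**f))
```

A hit means host-based entries in the pam_access configuration are being matched against something other than the client for that service.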