+++ This bug was initially created as a clone of Bug #174146 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
We need to restrict rexec access by IP/hostname. But the combo of pam_access and rexec does not work together for this purpose. The following are the conf files:

# cat /etc/pam.d/rexec
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth       required     pam_nologin.so
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
account    required     pam_access.so accessfile=/etc/pam.d/rexec.access
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

# cat /etc/pam.d/rexec.access
+:user1:testhost1
-:ALL:ALL

Version-Release number of selected component (if applicable):
pam-0.75-62, rsh-server-0.17-17

How reproducible:
Always

Steps to Reproduce:
1. From 'testhost1' server, type command:
   rexec -ad -l user1 -p user1_password rexecd_server_name '/bin/touch /tmp/testing1.txt'
2. The above will fail every time; the file '/var/log/messages' would show that pam_access says "access denied for user `user1' from `rexec'"
3. But if I change the file '/etc/pam.d/rexec.access' to be:
   +:user1:rexec
   -:ALL:ALL
   Or if I change the file to be:
   +:user1:ALL
   -:ALL:ALL
   Then the rexec will always succeed.

Actual Results:
rexec: Host = rexecd_server_name
rexec: Command to execute = /bin/touch /tmp/testing1.txt
testinghost1: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: No such file or directory

Expected Results:
/tmp/testing1.txt should have been created in server 'rexecd_server_name'

Additional info:
I also tested this pam/rsh-server combo for RHEL ES3U6 (as the rexecd_server); it also failed in the same way. It seems rexec could not work well with pam_access.so.
-- Additional comment from tmraz on 2005-11-25 07:32 EST --
This is clearly a problem in rexec, not pam_access.

-- Additional comment from hxwu on 2005-11-25 15:34 EST --
Here is more information from /var/log/messages on the rexecd server:
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from testhost1
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user `asrc' from `rexec'
The messages indicate that in.rexecd knows that the connection came from 'testhost1', but pam_access doesn't know the source of the connection; it just knew it came from 'rexec'. Not sure if this would be helpful.

-- Additional comment from kzak on 2005-11-28 09:14 EST --
You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);
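An added illustration of the mismatch kzak identifies (this is not code from rexec, pam_access or this report): a simplified model of how pam_access matches a "+:users:origins" line against the login, where the origin is PAM_RHOST when the service set it and otherwise falls back to the service name (an assumption modelled on the "from `rexec'" log line above). The access file is the reporter's rexec.access embedded as a constructed string; the real module also handles groups, netgroups, domains and EXCEPT, which are left out here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed copy of the reporter's /etc/pam.d/rexec.access. */
static const char *ACCESS_FILE = "+:user1:testhost1\n-:ALL:ALL\n";
/* ALL matches anything, else exact match (simplified: no groups/netgroups/EXCEPT). */
static int item_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "ALL") == 0 || strcmp(pattern, value) == 0;
}
/* Origin as pam_access sees it: PAM_RHOST if the service set it, otherwise the
 * service name (assumed fallback, modelled on the "from `rexec'" log line). */
static const char *origin_for(const char *rhost, const char *service)
{
    return (rhost && *rhost) ? rhost : service;
}

/* First "+:users:origins" / "-:users:origins" line matching both fields decides.
 * Returns 1 = permit, 0 = deny, -1 = no rule matched. */
static int access_decision(const char *file, const char *user,
                           const char *rhost, const char *service)
{
    const char *origin = origin_for(rhost, service);
    char buf[256];
    for (const char *p = file; *p; ) {
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof buf ? len : sizeof buf - 1;   /* truncate long lines */
        memcpy(buf, p, n);
        buf[n] = '\0';
        p += len + (p[len] == '\n');
        if (buf[0] != '+' && buf[0] != '-') continue;         /* comment or blank */
        char *users = strchr(buf, ':');
        if (!users) continue;
        char *froms = strchr(++users, ':');
        if (!froms) continue;
        *froms++ = '\0';
        if (item_matches(users, user) && item_matches(froms, origin))
            return buf[0] == '+';
    }
    return -1;
}

int main(void)
{
    /* Unpatched in.rexecd never sets PAM_RHOST, so the origin collapses to "rexec". */
    printf("PAM_RHOST unset: %d\n", access_decision(ACCESS_FILE, "user1", NULL, "rexec"));
    /* After pam_set_item(pamh, PAM_RHOST, host) the real peer name is matched. */
    printf("PAM_RHOST set:   %d\n", access_decision(ACCESS_FILE, "user1", "testhost1", "rexec"));
    return 0;
}
```

The first call reproduces the reporter's denial (origin "rexec" never equals "testhost1", so the "-:ALL:ALL" line wins); the second shows why the "+:user1:rexec" workaround in the report matches only because the service name is standing in for the host.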
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0361.html