Red Hat Bugzilla – Bug 174362
RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
Last modified: 2007-11-30 17:07:21 EST
+++ This bug was initially created as a clone of Bug #174146 +++
Description of problem:
We need to restrict rexec access by IP/hostname. But the combo of pam_access and
rexec does not work together for this purpose.
The following are the conf files:
# cat /etc/pam.d/rexec
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_stack.so service=system-auth
account required pam_access.so accessfile=/etc/pam.d/rexec.access
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
# cat /etc/pam.d/rexec.access
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. From 'testhost1' server, type command: rexec -ad -l user1 -p user1_password
rexecd_server_name '/bin/touch /tmp/testing1.txt'
2. The above will fail every time, file '/var/log/message' would show that
pam_access says that "access denied for user `user1' from `rexec'"
3. But if I change the file '/etc/pam.d/rexec.access' to be:
Or if I change the file to be:
Then the rexec will always succeed.
Actual Results: rexec: Host = rexecd_server_name
rexec: Command to execute = /bin/touch /tmp/testing1.txt
testinghost1: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: No such file or directory
Expected Results: /tmp/testing1.txt should have been created in server
I also tested this pam/rsh-server combo for RHEL ES3U6 (as the rexecd_server),
it also failed in the same way. It seems rexec could not work well with
-- Additional comment from firstname.lastname@example.org on 2005-11-25 07:32 EST --
This is clearly a problem in rexec not pam_access.
-- Additional comment from email@example.com on 2005-11-25 15:34 EST --
Here are more information from /var/log/messages in rexecd server:
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd: connect from
Nov 25 14:01:25 rexecd_server_name pam_access: access denied for user
`asrc' from `rexec'
The messages indicate that in.rexecd knows that the connection came from
'testhost1', but pam_access doesn't know the source of the connection, it just
knew it came from 'rexec'. Not sure if this would be helpful.
-- Additional comment from firstname.lastname@example.org on 2005-11-28 09:14 EST --
You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
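The following is an added example, not code from this bug report or from Linux-PAM, that models the pam_access behaviour the diagnosis above turns on: the "origin" field of an access rule is compared against PAM_RHOST when the calling service has set it, and falls back to PAM_TTY otherwise. The rule file contents (allow user1 from testhost1, deny everyone else) are constructed for the example, and the token matching is deliberately simplified (ALL, LOCAL, EXCEPT and plain names only; no netgroups, groups or IP masks). Running it shows why a daemon that never calls pam_set_item(pamh, PAM_RHOST, host) makes any host-based restriction either deny everything or, with an ALL origin, restrict nothing.

```python
"""Simplified model of pam_access origin matching (constructed example, not Linux-PAM code)."""
from typing import Optional, Tuple

# Constructed rexec.access: permission : users : origins, first matching line wins.
RULES = """\
# allow user1 from testhost1, deny everybody else
+ : user1 : testhost1
- : ALL : ALL
"""

# Constructed variant the report describes as "always succeeds": no origin restriction at all.
RULES_ALL = "+ : ALL : ALL\n"


def _token_match(tokens, value: str) -> bool:
    """True if value matches any token: ALL matches anything, LOCAL matches names without a dot."""
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok == "LOCAL" and "." not in value:
            return True
        if tok.lower() == value.lower():
            return True
    return False


def list_match(field: str, value: str) -> bool:
    """Match one access.conf field ("a b EXCEPT c") against value, honouring EXCEPT."""
    words = field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return _token_match(words[:i], value) and not _token_match(words[i + 1:], value)
    return _token_match(words, value)


def pam_access_decision(rules: str, user: str,
                        rhost: Optional[str] = None,
                        tty: Optional[str] = None) -> Tuple[str, str]:
    """Return (decision, origin_used).

    Origin selection mirrors pam_access: PAM_RHOST if the service set it,
    otherwise PAM_TTY (with a leading /dev/ stripped).  This fallback is
    why an unset PAM_RHOST shows up in the log as "from `rexec'".
    """
    origin = rhost if rhost else (tty or "")
    if origin.startswith("/dev/"):
        origin = origin[len("/dev/"):]
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3:
            continue  # malformed line, ignored as pam_access does
        perm, users, origins = parts
        if list_match(users, user) and list_match(origins, origin):
            return ("allow" if perm == "+" else "deny", origin)
    return ("allow", origin)  # no line matched: pam_access permits by default


def rhost_is_set(rhost: Optional[str]) -> bool:
    """Check a defender would want: host rules are only meaningful when the service sets PAM_RHOST."""
    return bool(rhost)


if __name__ == "__main__":
    # Daemon that forgot PAM_RHOST: origin degrades to the tty name and the host rule never matches.
    print(pam_access_decision(RULES, "user1", rhost=None, tty="rexec"))
    # Daemon that sets PAM_RHOST as the fix describes: the host rule matches.
    print(pam_access_decision(RULES, "user1", rhost="testhost1", tty="rexec"))
```

The first call reproduces the log line from the report (denied "from `rexec'"), the second shows the outcome once the service supplies the peer host. When auditing a PAM-using service for host restrictions, confirm it sets PAM_RHOST before pam_acct_mgmt runs; otherwise pam_access is matching tty names, not hosts.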