Bug 174362 - RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
Summary: RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rsh
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 187538
Reported: 2005-11-28 15:00 UTC by Karel Zak
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2006-0361
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-10 22:09:05 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Product Errata RHBA-2006:0361 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: rsh bug fix update | Last Updated: 2006-05-10 04:00:00 UTC

Description Karel Zak 2005-11-28 15:00:00 UTC
+++ This bug was initially created as a clone of Bug #174146 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
We need to restrict rexec access by IP/hostname. But the combo of pam_access and
rexec does not work together for this purpose. 

The following are the conf files:
# cat /etc/pam.d/rexec
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth       required     pam_nologin.so
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
account    required     pam_access.so accessfile=/etc/pam.d/rexec.access
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

# cat /etc/pam.d/rexec.access
+:user1:testhost1
-:ALL:ALL

Version-Release number of selected component (if applicable):
pam-0.75-62, rsh-server-0.17-17

How reproducible:
Always

Steps to Reproduce:
1. From 'testhost1' server, type command: rexec -ad -l user1 -p user1_password
rexecd_server_name '/bin/touch /tmp/testing1.txt'
2. The above will fail every time, file '/var/log/message' would show that
pam_access says that "access denied for user `user1' from `rexec'"
3. But if I change the file '/etc/pam.d/rexec.access' to be:
+:user1:rexec
-:ALL:ALL

Or if I change the file to be:
+:user1:ALL
-:ALL:ALL

Then the rexec will always succeed.

Actual Results:  rexec: Host = rexecd_server_name
rexec: Command to execute = /bin/touch /tmp/testing1.txt
testinghost1: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: No such file or directory

Expected Results:  /tmp/testing1.txt should have been created in server
'rexecd_server_name'

Additional info:

I also tested this pam/rsh-server combo for RHEL ES3U6 (as the rexecd_server),
it also failed in the same way. It seems rexec could not work well with
pam_access.so.

-- Additional comment from tmraz on 2005-11-25 07:32 EST --
This is clearly a problem in rexec not pam_access.


-- Additional comment from hxwu on 2005-11-25 15:34 EST --
Here is more information from /var/log/messages on the rexecd server:
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from
testhost1
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user
`asrc' from `rexec'

The messages indicate that in.rexecd knows that the connection came from
'testhost1', but pam_access doesn't know the source of the connection; it just
knows it came from 'rexec'. Not sure if this would be helpful.

-- Additional comment from kzak on 2005-11-28 09:14 EST --
You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);
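The failure kzak identifies above can be modelled directly. The following is an added example, not code from this report or from rsh-server: it mirrors how pam_access chooses the origin it matches against field three of a rule (PAM_RHOST, falling back to PAM_TTY and then PAM_SERVICE, which is why the log above reads "from `rexec'") and evaluates the report's rexec.access rules with and without the rhost item set.

```python
"""Model of pam_access rule matching, constructed to illustrate this report."""

# Constructed copy of the /etc/pam.d/rexec.access file quoted in the report.
REXEC_ACCESS = """\
+:user1:testhost1
-:ALL:ALL
"""


def parse_access(text):
    """Parse access.conf-style lines into (allow, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def pam_access_origin(rhost, tty, service):
    """Origin string pam_access compares against a rule's third field.

    PAM_RHOST wins when the service set it; otherwise PAM_TTY; otherwise the
    service name. in.rexecd never called pam_set_item(pamh, PAM_RHOST, host),
    so the origin collapsed to the service name "rexec".
    """
    for candidate in (rhost, tty):
        if candidate:
            return candidate
    return service


def pam_access_check(rules, user, rhost=None, tty=None, service="rexec"):
    """Return (allowed, origin_used); the first matching rule decides."""
    origin = pam_access_origin(rhost, tty, service)
    for allow, users, origins in rules:
        user_ok = "ALL" in users or user in users
        origin_ok = "ALL" in origins or origin in origins
        if user_ok and origin_ok:
            return allow, origin
    return True, origin  # pam_access permits when no rule matches


def demo():
    rules = parse_access(REXEC_ACCESS)
    # Unpatched in.rexecd: no PAM_RHOST, so "-:ALL:ALL" denies user1 "from rexec".
    buggy = pam_access_check(rules, "user1")
    # rexecd that sets PAM_RHOST to the peer host: "+:user1:testhost1" matches.
    fixed = pam_access_check(rules, "user1", rhost="testhost1")
    return buggy, fixed
```

The same model shows why the reporter's workaround rule "+:user1:rexec" passes: it matches the service name that leaks into the origin field, so it no longer restricts by host at all.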

Comment 7 Red Hat Bugzilla 2006-05-10 22:09:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0361.html
