Bug 174362 - RHEL4: pam_access.so does not work with rexec for IP/hostname restriction
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rsh
Version: 4.0
Hardware: i386
OS: Linux
Assignee: Karel Zak
QA Contact: Ben Levenson
Blocks: 187538
Reported: 2005-11-28 15:00 UTC by Karel Zak
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHBA-2006-0361
Doc Type: Bug Fix
Last Closed: 2006-05-10 22:09:05 UTC
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2006:0361 normal SHIPPED_LIVE rsh bug fix update 2006-05-10 04:00:00 UTC

Description Karel Zak 2005-11-28 15:00:00 UTC
+++ This bug was initially created as a clone of Bug #174146 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
We need to restrict rexec access by IP/hostname. But the combo of pam_access and
rexec does not work together for this purpose. 

The following are the conf files:
# cat /etc/pam.d/rexec
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth       required     pam_nologin.so
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
account    required     pam_access.so accessfile=/etc/pam.d/rexec.access
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

# cat /etc/pam.d/rexec.access

Version-Release number of selected component (if applicable):
pam-0.75-62, rsh-server-0.17-17

How reproducible:

Steps to Reproduce:
1. From 'testhost1' server, type command: rexec -ad -l user1 -p user1_password rexecd_server_name '/bin/touch /tmp/testing1.txt'
2. The above will fail every time, file '/var/log/message' would show that
pam_access says that "access denied for user `user1' from `rexec'"
3. But if I change the file '/etc/pam.d/rexec.access' to be:

Or if I change the file to be:

Then the rexec will always succeed.

Actual Results:  rexec: Host = rexecd_server_name
rexec: Command to execute = /bin/touch /tmp/testing1.txt
testinghost1: No such file or directory
rexec: Error in rexec system call,
rexec: (The following system error may itself be in error)
rexec: No such file or directory

Expected Results:  /tmp/testing1.txt should have been created in server

Additional info:

I also tested this pam/rsh-server combo for RHEL ES3U6 (as the rexecd_server),
and it also failed in the same way. It seems rexec could not work well with

-- Additional comment from tmraz@redhat.com on 2005-11-25 07:32 EST --
This is clearly a problem in rexec not pam_access.

-- Additional comment from hxwu@tribune.com on 2005-11-25 15:34 EST --
Here is more information from /var/log/messages on the rexecd server:
Nov 25 14:01:25 rexecd_server_name /usr/sbin/in.rexecd[20200]: connect from
Nov 25 14:01:25 rexecd_server_name pam_access[20200]: access denied for user
`asrc' from `rexec'

The messages indicate that in.rexecd knows that the connection came from
'testhost1', but pam_access doesn't know the source of the connection; it just
knows it came from 'rexec'. Not sure if this would be helpful.

-- Additional comment from kzak@redhat.com on 2005-11-28 09:14 EST --
You're right. It doesn't set pam_set_item(pamh, PAM_RHOST, host);
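
The mismatch kzak points to, modelled as an added example (this is not code from the bug, from rsh or from Linux-PAM): a small Python evaluator that follows pam_access's origin fallback (PAM_RHOST, then PAM_TTY, then PAM_SERVICE) and its first-match access file semantics, run once with the items a rexecd that never sets PAM_RHOST leaves behind and once with the host set. The access file contents, the user name and the host name are constructed; pam_access's real matcher also handles groups, netgroups and EXCEPT, which are left out here.

```python
# Constructed example: pam_access-style evaluation of an access file.
# Allow user1 only from testhost1, deny everyone else (contents made up).
ACCESS_CONF = """\
# permission : users : origins
+ : user1 : testhost1
- : ALL : ALL
"""

def origin_for(pam_items):
    # pam_access falls back PAM_RHOST -> PAM_TTY -> PAM_SERVICE; the
    # "from `rexec'" in the bug's log line is the PAM_SERVICE fallback.
    for key in ("PAM_RHOST", "PAM_TTY", "PAM_SERVICE"):
        if pam_items.get(key):
            return pam_items[key]
    return ""

def from_match(item, origin):
    # Subset of pam_access origin matching: ALL, LOCAL, exact name,
    # ".domain" suffix and "a.b.c." IP-prefix forms.
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    if item.startswith("."):
        return origin.endswith(item)
    if item.endswith("."):
        return origin.startswith(item)
    return item == origin

def login_access(conf, user, origin):
    # First matching line decides; no matching line means access is
    # granted, which is pam_access's default.
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = any(u in ("ALL", user) for u in users.split())
        from_ok = any(from_match(o, origin) for o in origins.split())
        if user_ok and from_ok:
            return perm == "+"
    return True

def check(pam_items, user):
    return login_access(ACCESS_CONF, user, origin_for(pam_items))

# Buggy rexecd: only the service name is set, so the origin is "rexec".
print(check({"PAM_SERVICE": "rexec"}, "user1"))  # False
# Fixed rexecd: pam_set_item(pamh, PAM_RHOST, host) makes the host rule match.
print(check({"PAM_SERVICE": "rexec", "PAM_RHOST": "testhost1"}, "user1"))  # True
```

With only PAM_SERVICE set the "+ : user1 : testhost1" line can never match, so the catch-all deny line fires exactly as the reporter's log shows; once the host is supplied the same file permits the login.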

Comment 7 Red Hat Bugzilla 2006-05-10 22:09:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.