The PAM config file for rlogin specifies the rhosts_auth module at the top of the auth stack, with key "sufficient". This causes other modules further down the auth stack to be ignored when the rhosts_auth module reports success; in particular the securetty and nologin modules are skipped in that case. The PAM documentation on the nologin module discusses this issue. That the securetty module can be circumvented is the largest security issue here, but that nologin can be ignored is the most clear bug (one could argue that skipping the securetty module is the desired behavior, although I would dissent).

An improved PAM rlogin config file might look like this:

    #%PAM-1.0
    auth       required     /lib/security/pam_nologin.so
    auth       required     /lib/security/pam_securetty.so
    auth       sufficient   /lib/security/pam_rhosts_auth.so
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
    session    required     /lib/security/pam_pwdb.so

The pwdb module must come after the rhosts_auth module for rhosts authentication to work correctly, but any modules that must be satisfied in every case must come before. My personal preference, by the way, is to apply the "requisite" control flag to the nologin module instead of the "required" flag -- the nologin file is displayed in either case, and with "requisite" the user is spared the rest of the process.

I have some other issues with various PAM configs in the rsh-server and other packages, which I will report separately.
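The ordering problem in the report comes down to how Linux-PAM walks an auth stack: a "sufficient" module that succeeds returns immediately (provided no earlier "required" module has failed), a "required" failure is remembered but the walk continues, and a "requisite" failure aborts on the spot. The simulator below is an added example, not part of the bug report or of Linux-PAM itself; it models only those three control-flag rules and evaluates both stack orderings against a constructed scenario (the per-module outcomes, and the module order attributed to the original Red Hat file, are assumptions made for illustration). It shows that with rhosts_auth first the nologin and securetty modules are never consulted, that the reordered stack still lets a genuine rhosts login through without a password, and that the "requisite" variant cuts the walk short as the reporter prefers.

```python
"""Toy model of Linux-PAM auth-stack evaluation (added example, not real PAM).

Control flags modelled: required, requisite, sufficient, optional.
Each module's PAM result is supplied as a bool (True == PAM_SUCCESS).
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # module name, e.g. "pam_nologin"


# Order reconstructed from the report's description (assumption): the
# original file has rhosts_auth first as "sufficient", with securetty
# and nologin somewhere further down.
ORIGINAL_STACK: Sequence[Entry] = (
    Entry("sufficient", "pam_rhosts_auth"),
    Entry("required", "pam_securetty"),
    Entry("required", "pam_pwdb"),
    Entry("required", "pam_nologin"),
)

# The auth lines of the improved config proposed in the report.
IMPROVED_STACK: Sequence[Entry] = (
    Entry("required", "pam_nologin"),
    Entry("required", "pam_securetty"),
    Entry("sufficient", "pam_rhosts_auth"),
    Entry("required", "pam_pwdb"),
)

# The reporter's stated preference: nologin as "requisite".
IMPROVED_REQUISITE_STACK: Sequence[Entry] = (
    Entry("requisite", "pam_nologin"),
) + tuple(IMPROVED_STACK[1:])


def evaluate(stack: Sequence[Entry], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack the way Linux-PAM does.

    Returns (authenticated, modules_consulted). A module absent from
    `results` is treated as failing, which is the conservative default.
    """
    first_failure = None          # name of the first failed "required" module
    consulted: List[str] = []
    for entry in stack:
        consulted.append(entry.module)
        ok = results.get(entry.module, False)
        if entry.control == "required":
            # Failure is recorded but the stack keeps running, so the user
            # cannot tell which module rejected them.
            if not ok and first_failure is None:
                first_failure = entry.module
        elif entry.control == "requisite":
            # Failure aborts the stack immediately.
            if not ok:
                return False, consulted
        elif entry.control == "sufficient":
            # Success short-circuits the stack unless a required module
            # already failed; failure of a sufficient module is ignored.
            if ok and first_failure is None:
                return True, consulted
        elif entry.control == "optional":
            pass                   # never decides the outcome in this model
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    return first_failure is None, consulted


# Constructed scenario: the rhosts check passes (trusted ~/.rhosts entry),
# but /etc/nologin exists, the tty is not listed in /etc/securetty, and no
# password is supplied, so pwdb fails.
LOCKED_DOWN_HOST: Dict[str, bool] = {
    "pam_rhosts_auth": True,
    "pam_nologin": False,
    "pam_securetty": False,
    "pam_pwdb": False,
}

# Constructed scenario: a legitimate rhosts login, nothing locked down.
NORMAL_RHOSTS_LOGIN: Dict[str, bool] = {
    "pam_rhosts_auth": True,
    "pam_nologin": True,
    "pam_securetty": True,
    "pam_pwdb": False,           # still no password typed
}


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK),
                        ("improved", IMPROVED_STACK),
                        ("improved+requisite", IMPROVED_REQUISITE_STACK)):
        print(name, "locked-down:", evaluate(stack, LOCKED_DOWN_HOST))
        print(name, "normal rhosts:", evaluate(stack, NORMAL_RHOSTS_LOGIN))
```

Running it prints that the original ordering authenticates the locked-down case after consulting only pam_rhosts_auth, while the improved ordering consults every module and refuses; the requisite variant refuses after pam_nologin alone. In the normal rhosts case the improved stack still succeeds without ever reaching pam_pwdb, which is the behaviour the report says must be preserved.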
Has been fixed in the current release (RH 7.1). Read ya, Phil

*** This bug has been marked as a duplicate of 17183 ***