Red Hat Bugzilla – Bug 249332
'rsh' no longer works
Last modified: 2007-11-30 17:12:11 EST
Description of problem:
Cannot get 'rsh' working
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install the following:
2. issue the following:
service xinetd start
chkconfig rsh on
3. configure the following:
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts_auth.so promiscuous <--- added promiscuous to support "+" wildcard
account include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
# consequently, for the rsh(1) program. The server provides \
# remote execution facilities with authentication based on \
# privileged port numbers from trusted hosts.
disable = no
socket_type = stream
wait = no
user = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/in.rshd
So with these configs I would expect 'rsh' to work. But when we try to run any
'rsh' command from any client we always get "permission denied".
Here is what we see in the log:
Jul 23 13:49:57 grp-01-30-50 xinetd: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jul 23 13:49:57 grp-01-30-50 xinetd: Started working: 1 available service
Jul 23 13:50:01 grp-01-30-50 xinetd: socket bind: Invalid argument (errno
Jul 23 13:50:01 grp-01-30-50 xinetd: START: shell pid=23878
Jul 23 13:50:01 grp-01-30-50 rshd: rsh denied to email@example.com as root: Permission denied.
Jul 23 13:50:01 grp-01-30-50 rshd: rsh command was 'hostname'
Jul 23 13:50:01 grp-01-30-50 xinetd: EXIT: shell status=1 pid=23878
'rsh' command succeeds.
Found the problem. You still must have a .rhosts defined for each user.
Sorry, spoke too soon. I can only get it to work with pam_permit.so which
permits all logins. As soon as I remove pam_permit then it stops working again.
I used both wildcards "+" as well as hostnames/IP user in both hosts.equiv and
.rhosts without success.
Ok, found the right formula. Had to re-add "account include system-auth"
after removing pam_permit.
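
Added example (not part of the original bug report, and not Red Hat's code): a small Python lint for the PAM stack discussed in this thread. It flags pam_permit.so in the auth stack, the promiscuous option on pam_rhosts_auth.so, and a service file with no auth or account entries; the function name, the sample files and the list of required types are assumptions made for the illustration.

```python
import re

# type, control (simple word or [bracketed]), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
REQUIRED_TYPES = ("auth", "account")  # assumption: groups a login service needs

def lint_pam(text):
    """Return findings for one PAM service file given as a string."""
    findings, seen = [], set()
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # ignore comments/blanks
        if not m:
            continue
        mtype, _control, module, args = m.groups()
        seen.add(mtype)
        name = module.rsplit("/", 1)[-1]  # accept full module paths too
        if mtype == "auth" and name == "pam_permit.so":
            findings.append("auth: pam_permit.so permits all logins")
        if name == "pam_rhosts_auth.so" and "promiscuous" in args.split():
            findings.append('auth: promiscuous accepts the "+" wildcard')
    for mtype in REQUIRED_TYPES:
        if mtype not in seen:
            findings.append(f"{mtype}: no entries in this file")
    return findings

# Constructed sample: the stack quoted in the report.
REPORTED = """\
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts_auth.so promiscuous
account include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
"""

# Constructed variant (hypothetical): pam_permit.so added, account line dropped.
WORKAROUND = """\
auth required pam_nologin.so
auth sufficient pam_permit.so
auth required pam_rhosts_auth.so promiscuous
session include system-auth
"""

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(label, lint_pam(text))
```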