We have a RH 6.1 in a network of Sun/Solaris machines. We use NIS+. We have a script that executes several rsh commands on the Linux box and randomly some of the rsh commands fail with "Permission Denied".

The /var/log/messages contains these lines:

Jan 12 20:55:46 etorki automount[586]: attempting to mount entry /home/rainman
Jan 12 20:55:47 etorki pam_rhosts_auth[28238]: allowed to rainman@crepy as rainman
Jan 12 20:55:47 etorki pam_rhosts_auth[28239]: allowed to rainman@crepy as rainman
Jan 12 20:55:47 etorki PAM_unix[28239]: could not identify user (from getpwnam(rainman))
Jan 12 20:55:47 etorki PAM_unix[28238]: (rsh) session opened for user rainman by (uid=0)

The rsh for pid 28238 worked, but for pid 28239 it did not.

The /etc/pam.d/rsh file contains:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_unix_passwd.so
session    required     /lib/security/pam_unix_session.so

It was updated according to the NIS+ How To.

Finally, /var/log/secure for the same time contains:

[root@etorki log]# grep "Jan 12 20:55:" secure
Jan 12 20:55:45 etorki in.rshd[28238]: connect from crepy
Jan 12 20:55:45 etorki in.rshd[28239]: connect from crepy
Jan 12 20:55:48 etorki in.rshd[28256]: connect from crepy

We are using the pam package that came with RH 6.1 and I added the pam_keylogin module.

Thanks for any suggestions.

...richie
Could you try the rsh-*0.16-4 packages from Raw Hide (ftp://rawhide.redhat.com/pub/rawhide)? Note that there are now several packages since the clients/servers have been split ...
I suspect this is not a rsh problem, as much as a bug in PAM_unix. In all the cases when the failure occurred, two processes were doing rsh for the same user at the same time. After I modified our script to have a delay of 5 seconds between the rsh commands the problem stopped.
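A log-correlation check for the pattern described in this thread (rsh sessions that pass pam_rhosts_auth and then fail the PAM_unix getpwnam() lookup while another session for the same user is starting). This is an added example, not code from the reporter or from Red Hat; the function name `correlate`, the 2-second `window` and the `year` default are assumptions, the last because syslog timestamps carry no year.

```python
import re
from datetime import datetime

# /var/log/messages lines copied from the report in this thread.
SAMPLE = """\
Jan 12 20:55:46 etorki automount[586]: attempting to mount entry /home/rainman
Jan 12 20:55:47 etorki pam_rhosts_auth[28238]: allowed to rainman@crepy as rainman
Jan 12 20:55:47 etorki pam_rhosts_auth[28239]: allowed to rainman@crepy as rainman
Jan 12 20:55:47 etorki PAM_unix[28239]: could not identify user (from getpwnam(rainman))
Jan 12 20:55:47 etorki PAM_unix[28238]: (rsh) session opened for user rainman by (uid=0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)\[(\d+)\]: (.*)$")
ALLOWED = re.compile(r"allowed to \S+@\S+ as (\S+)")

def correlate(text, window=2, year=2000):
    """Return (pid, user, peer_pids) for each rsh session that passed
    pam_rhosts_auth but then failed the PAM_unix getpwnam() lookup."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        # Syslog lines carry no year; `year` is an assumption used only for parsing.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        allowed = ALLOWED.match(msg)
        if prog == "pam_rhosts_auth" and allowed:
            sessions[pid] = {"user": allowed.group(1), "time": when, "outcome": None}
        elif prog == "PAM_unix" and pid in sessions:
            if "could not identify user" in msg:
                sessions[pid]["outcome"] = "lookup_failed"
            elif "session opened" in msg:
                sessions[pid]["outcome"] = "opened"
    findings = []
    for pid, s in sessions.items():
        if s["outcome"] != "lookup_failed":
            continue
        # Other sessions for the same user authenticated within `window` seconds.
        peers = sorted(p for p, o in sessions.items()
                       if p != pid and o["user"] == s["user"]
                       and abs((o["time"] - s["time"]).total_seconds()) <= window)
        findings.append((pid, s["user"], peers))
    return findings

if __name__ == "__main__":
    for pid, user, peers in correlate(SAMPLE):
        print(f"pid {pid}: lookup failed for {user}; concurrent pids: {peers}")
```

A failure that lists peer pids fits the concurrency pattern; a failure with an empty peer list points at a lookup problem that is not tied to simultaneous sessions.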
I've managed to reproduce the problem with a small script:

------cut here
#!/usr/local/bin/bash
# Start eight rsh sessions against $host in the background.
host=chippewa
for x in 1 2 3 4 5 6 7 8
do
    rsh "$host" uname -a &
    sleep 2    # delay between sessions
done
---cut here

When "sleep" is present it works fine. But when sleep is commented out I get this:

./rsh_test
[richieb on cree] scratch > Permission denied.
Protocol error, chippewa closed connection
Permission denied.
Linux chippewa 2.2.12-20smp #1 SMP Mon Sep 27 10:34:45 EDT 1999 i686 unknown
Linux chippewa 2.2.12-20smp #1 SMP Mon Sep 27 10:34:45 EDT 1999 i686 unknown
Linux chippewa 2.2.12-20smp #1 SMP Mon Sep 27 10:34:45 EDT 1999 i686 unknown
Linux chippewa 2.2.12-20smp #1 SMP Mon Sep 27 10:34:45 EDT 1999 i686 unknown
Linux chippewa 2.2.12-20smp #1 SMP Mon Sep 27 10:34:45 EDT 1999 i686 unknown
I can't reproduce the problem with your script against rsh*0.16. However, my /etc/pam.d/rsh file is different than yours:

#%PAM-1.0
auth       required     /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

Could you see if the problem persists with that configuration as a sanity check?
The problem is that I cannot use the pam_pwdb.so module, because the machine is part of an NIS+ network and no user IDs exist in the passwd file. I'll have to try on a different machine. BTW, I was able to reproduce the problem on an SMP and on a single processor machine. So the problem is not related to SMP.
I tried to run my test script on a plain RH 6.1 machine (single processor, no NIS+) and it worked fine. I believe this problem is due to a bug in the glibc routine that looks up NIS+ passwords/users.
assigned to nalin
It certainly looks like a glibc problem if the failure is occurring in getpwnam(). Does this still occur on a 6.2 workstation?
Bug 8445 has been closed because of a lack of input for 2 years from the original bug reporter and the problem was not duplicatable within the Red Hat environment.