== Comment: #0 - Sanjeev Patro <sanpatr1.com> - 2013-05-08 03:32:40 == rsh and rlogin to any system, does not seems to very consistent. Steps which we followed for configuring rsh/rlogin server 1> Installed rsh and rlogin of following versions [root@localhost ~]# rpm -qa | grep xinet xinetd-2.3.15-5.fc19.ppc64 [root@localhost ~]# rpm -qa | grep rsh rsh-0.17-70.fc19.ppc64 rsh-server-0.17-70.fc19.ppc64 2> Then enable rsh ans rlogin service by editing in respective files of xinetd folders. /etc/xinetd.d/rsh # default: on # description: The rshd server is the server for the rcmd(3) routine and, \ # consequently, for the rsh(1) program. The server provides \ # remote execution facilities with authentication based on \ # privileged port numbers from trusted hosts. service shell { socket_type = stream wait = no user = root log_on_success += USERID log_on_failure += USERID server = /usr/sbin/in.rshd disable = no } /etc/xinetd.d/rlogin # default: on # description: rlogind is the server for the rlogin(1) program. The server \ # provides a remote login facility with authentication based on \ # privileged port numbers from trusted hosts. service login { socket_type = stream wait = no user = root log_on_success += USERID log_on_failure += USERID server = /usr/sbin/in.rlogind disable = no } 2> Edited /etc/securrety, added rsh and rlogin to end of the file 3> vi /root/.rhost, we mentioned client hostnames so that client can do rsh or rlogin without password. 4> Restarted xinetd service # service xinetd status Redirecting to /bin/systemctl status xinetd.service xinetd.service - Xinetd A Powerful Replacement For Inetd Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled) Active: active (running) since Fri 2013-05-03 07:05:31 AKDT; 4 days ago Main PID: 15056 (xinetd) CGroup: name=systemd:/system/xinetd.service ??15056 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid 5> firewall also stopped and iptables also flushed. 6> rsh <hostname> from the physical host # rsh <hostname> rlogin: connection closed. 7> From the client also #rsh <hostname> rlogin: connection closed But some times the connection also successful. On a avarage we tried 5 times to do rsh, where 3 times rsh failed with rlogin: Connection closed /var/log/messages also shows like this May 7 23:26:41 localhost xinetd[15056]: START: login pid=22042 from=::ffff:9.3.110.175 May 7 23:26:41 localhost xinetd[15056]: EXIT: login status=0 pid=22042 duration=0(sec) The same is happening for rlogin.
Can you please test the latest packages rsh-0.17-71. It should fix your issues. Also note that rsh no longer uses xinetd, instead we use systemd socket activation. On server run: # systemctl enable rsh.socket && systemctl start rsh.socket # systemctl enable rlogin.socket && systemctl start rlogin.socket # systemctl enable rexec.socket && systemctl start rexec.socket
------- Comment From sanpatr1.com 2013-06-07 07:37 EDT------- (In reply to comment #7) > Can you please test the latest packages rsh-0.17-71. It should fix your > issues. Also note that rsh no longer uses xinetd, instead we use systemd > socket activation. On server run: > > # systemctl enable rsh.socket && systemctl start rsh.socket > # systemctl enable rlogin.socket && systemctl start rlogin.socket > # systemctl enable rexec.socket && systemctl start rexec.socket I did the same, and some observations 1> When i tried to rsh/rlogin within localhost, authentication fails though we have provided proper root/password [root@localhost ~]# rsh localhost Password: Password: Login incorrect localhost login: Password: Login incorrect localhost login: Password: Login incorrect 2> When I try from remote host of the same subnet it fails as such # rsh 9.27.29.123 9.27.29.123: No route to host 3> Any idea what we have to do for make rsh/rlogin password less Thanks
ad 1) Can you please consult the log messages in journal and verify this is not pam_securetty issue. Please make sure you have rsh rlogin and rexec added in /etc/securetty. # journalctl -b -r | grep rlogind ad 2) Please make sure you have inserted correct firewall rule or try to disable firewall temporarily. # firewall-cmd --permanent --add-port=513/tcp # firewall-cmd --reload ad 3) edit <homedir>/.rhosts for some user, e.g. assuming we want to login from remote machine as root on the server # echo 'remote-machine remote-user' > /root/.rhosts (remote-user)@(remote-machine) $ rsh -l root <rsh-server-ip> I tested above scenarios and they should work on Fedora 19. Keep me updated. Cheers, Michal
------- Comment From sanpatr1.com 2013-06-07 13:18 EDT------- (In reply to comment #10) > ad 1) Can you please consult the log messages in journal and verify this is > not pam_securetty issue. Please make sure you have rsh rlogin and rexec > added in /etc/securetty. > > # journalctl -b -r | grep rlogind > Pam details # cat /etc/pam.d/rsh #%PAM-1.0 # For root login to succeed here with pam_securetty, "rsh" must be # listed in /etc/securetty. auth required pam_nologin.so #auth required pam_securetty.so auth required pam_env.so auth required pam_rhosts.so account include password-auth session optional pam_keyinit.so force revoke session required pam_loginuid.so session include password-auth #%PAM-1.0 # For root login to succeed here with pam_securetty, "rlogin" must be # listed in /etc/securetty. auth required pam_nologin.so #auth required pam_securetty.so auth required pam_env.so auth sufficient pam_rhosts.so auth include password-auth account include password-auth password include password-auth session optional pam_keyinit.so force revoke session required pam_loginuid.so session include password-auth # cat /etc/pam.d/rexec #%PAM-1.0 # For root login to succeed here with pam_securetty, "rexec" must be # listed in /etc/securetty. auth required pam_nologin.so #auth required pam_securetty.so auth required pam_env.so auth include password-auth account include password-auth session optional pam_keyinit.so force revoke session required pam_loginuid.so session include password-auth vi /etc/securetty ............ ............... rsh rlogin rexec ftp telnet Ouput is journalctl would be attached ~ > ad 2) Please make sure you have inserted correct firewall rule or try to > disable firewall temporarily. > > # firewall-cmd --permanent --add-port=513/tcp > # firewall-cmd --reload > Firewall also disabled > ad 3) edit <homedir>/.rhosts for some user, e.g. assuming we want to login > from remote machine as root on the server > > # echo 'remote-machine remote-user' > /root/.rhosts I did the same but no much progress. > > (remote-user)@(remote-machine) $ rsh -l root <rsh-server-ip> > > I tested above scenarios and they should work on Fedora 19. Keep me updated. > > Cheers, > > Michal
Created attachment 758155 [details] journal ------- Comment (attachment only) From sanpatr1.com 2013-06-07 13:19 EDT-------
rsh-0.17-72.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/rsh-0.17-72.fc19
Package rsh-0.17-72.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing rsh-0.17-72.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-11824/rsh-0.17-72.fc19 then log in and leave karma (feedback).
rsh-0.17-72.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
------- Comment From onmahaja.com 2013-10-21 07:57 EDT------- === Externalizing === I am able to see this beahviour in Fedora20 Alpha. # uname -a Linux xxx.ibm.com 3.11.4-301.fc20.ppc64p7 #1 SMP Thu Oct 10 11:24:10 MST 2013 ppc64 ppc64 ppc64 GNU/Linux # rsh localhost connect to address ::1: Connection refused Trying 127.0.0.1... connect to address ::1: Connection refused Trying 127.0.0.1... connect to address ::1: Connection refused Trying 127.0.0.1... ^C Regards, Rajesh
------- Comment From gusld.com 2013-10-21 19:52 EDT------- Onkar, does disabling selinux help? On the server run: # setenforce 0 # systemctl restart rsh.socket rlogin.socket rexec.socket Then retry connecting.
Indeed there is a problem with SELinux policy, it denies bind to 513 tcp port hence start of rlogin.socket fails.
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.