Date:      Sun, 14 Sep 2003 18:40:02 -0700
From:      Cy Schubert <Cy.Schubert@komquats.com>
To:        supraexpress@globaleyes.net
Subject:   Re: rsh commands to 5.1-CURRENT being rejected 
Message-ID:  <200309150141.h8F1f2Op018611@cwsys.cwsent.com>
Resent-Message-ID: <200309150141.h8F1f2Op018611@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 14 Sep 2003 18:29:17 CDT." <B0184329514@mercury.ll.net> 

In message <B0184329514@mercury.ll.net>, supraexpress@globaleyes.net 
writes:
> Sep 14 17:46:52 <local7.notice> target logger: TCP_Wrappers ALLOW: source/target,rshd,974,rshd@target
> Sep 14 17:46:52 <auth.info> target inetd[974]: connection from source, service rshd (tcp)
> Sep 14 17:46:52 <auth.info> target rshd[974]: root@source as root: permission denied (authentication error). cmd='date'
> 
> /root/.rhosts (600): "source root"
> 
> /etc/pam.d/rsh: not changed
> 
> /etc/inetd.conf: 
>   shell   stream  tcp     nowait  root /usr/libexec/rshd       rshd -L
> 
> /etc/hosts: both "source" and "target" are defined
> 
> /etc/named/s/: both "source" and "target" are defined
> 
> 5.1-CURRENT: Wednesday, 20 August 2003 20:36:05
> 
> 
> Under FBSD-4.8, this is not a problem. Under FBSD-5.1, nothing I do
> seems to allow rsh from another LAN host.
> 
> A TCPDUMP of the rsh session shows "root.root.<command>" coming from
> "source" and then "permission denied" coming from "target", where the
> TCPDUMP is running. The "source" host displays: "rshd: Login
> incorrect.". RSH from "target" to "source" works just fine?!?

A picture is worth a thousand words.  (No worries folks, this is in my 
internal network here at home. Professionally I use SSH and Kerberos 
rsh.)

--- /usr/src/etc/pam.d/rsh	Sun Feb  9 16:50:03 2003
+++ /etc/pam.d/rsh	Mon Jun 16 15:20:00 2003
@@ -6,7 +6,7 @@
 
 # auth
 auth		required	pam_nologin.so		no_warn
-auth		required	pam_rhosts.so		no_warn
+auth		required	pam_rhosts.so		no_warn allow_root
 
 # account
 account		required	pam_unix.so
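
Review bot: The allow_root option added to the pam_rhosts.so auth line carries no comment saying why root is permitted, and it opens the rsh service to uid 0 on the strength of .rhosts host trust alone. Suggest a comment directly above that line recording that this is a deliberate local deviation from /usr/src/etc/pam.d/rsh for one trusted internal host, so the difference is not silently dropped or carried forward unreviewed when /etc is next merged against the source tree. Since the quoted logs show TCP wrappers already gating rshd, it is also worth confirming that the wrappers rule and /root/.rhosts name only the single source host that needs this access.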



Cheers,
--
Cy Schubert <Cy.Schubert@komquats.com>        http://www.komquats.com/
BC Government                     .                       FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca         .                     cy@FreeBSD.org
http://www.gov.bc.ca/             .            http://www.FreeBSD.org/



