
Author RSH problem
Dirty Harry

2002-12-19, 9:26 am

I recently installed RH 7.3 on a machine which I plan to use as a
backup machine to put dumps (nightly incrementals) from another Linux
machine. So I am trying to perform remote dumps and hence trying to
get rsh to work. I've installed the rsh-server, I've created a user
called backup (to be used in the dump and tar commands), I've created
a .rhosts file for the user backup containing the machine and user
names that are allowed to connect. I have enabled the rsh service
(changed disabled to no in /etc/xinetd.d/rsh). To test I issued a
command like

rsh -l backup machine_name "ls -al"

and am getting a Permission denied. So far I have been unable to
figure out why it won't let me in. Further, about a month ago I just
did this same thing (installed RH 7.3) on a machine with a tape drive
and was able to get remote dumps to work with it. I'm presently at a
loss at what else to do. I've read that you may need to edit
/etc/securetty and/or something in the /etc/pam.d directory but that
was for root access. This isn't necessary (I don't think) since I
created the user backup plus I didn't do that on the other machine.
Any ideas?

RodgerH

2002-12-19, 10:25 am



Dirty Harry wrote:
> I recently installed RH 7.3 on a machine which I plan to use as a
> backup machine to put dumps (nightly incrementals) from another Linux
> machine. So I am trying to perform remote dumps and hence trying to
> get rsh to work. I've installed the rsh-server, I've created a user
> called backup (to be used in the dump and tar commands), I've created
> a .rhosts file for the user backup containing the machine and user
> names that are allowed to connect. I have enabled the rsh service
> (changed disabled to no in /etc/xinetd.d/rsh). To test I issued a
> command like
>
> rsh -l backup machine_name "ls -al"
>
> and am getting a Permission denied. So far I have been unable to
> figure out why it won't let me in. Further, about a month ago I just
> did this same thing (installed RH 7.3) on a machine with a tape drive
> and was able to get remote dumps to work with it. I'm presently at a
> loss at what else to do. I've read that you may need to edit
> /etc/securetty and/or something in the /etc/pam.d directory but that
> was for root access. This isn't necessary (I don't think) since I
> created the user backup plus I didn't do that on the other machine.
> Any ideas?



--

You must add rsh to the list found in /etc/securetty.
At least I had to do this before it would work on my non-root account.

--
Rodger Lee Hornberger
Raleigh, NC - USA
--
Registered Linux User #285004
--
wIndependence declared: May 29th, 2002.
--
"I am not associated with any corporation, government, or non-profit
group. In other words, I'm unemployed".

Paul Lutus

2002-12-19, 1:25 pm

On Thu, 19 Dec 2002 07:17:45 +0000, Dirty Harry wrote:

> To test I issued a
> command like
>
> rsh -l backup machine_name "ls -al"
>
> and am getting a Permission denied.


Which user issued the command? Is that user known to the destination? Have
you considered using ssh instead? ssh will do the same job with similar
syntax, but it is much more secure, if this matters in your situation.

You can use ssh-keygen to create and then provide a public RSA key to the
client, then the host can issue the same command and things will work
swimmingly -- and securely.

--
Paul Lutus
http://www.arachnoid.com


Dirty Harry

2002-12-19, 1:25 pm

RodgerH <rhornber@worldnet.att.net> wrote in message
> You must add rsh to the list found in /etc/securetty.
> At least I had to do this before it would work on my non-root account.
>


I tried that and it did not make a difference. Also, for comparison on
the other system where it is working, rsh is not specified in
/etc/securetty.

Dirty Harry

2002-12-19, 1:25 pm

RodgerH <rhornber@worldnet.att.net> wrote in message
>
> You must add rsh to the list found in /etc/securetty.
> At least I had to do this before it would work on my non-root account.
>



I think I found the problem but I don't understand why. The .rhosts
file in backup's home directory had a mode of 0664. I changed this
to 0600 and then the rsh command worked from a remote machine.
So now my question is where is the statement or setting that makes it
so that depending upon the mode, rsh may or may not work.

Bit Twister

2002-12-19, 2:25 pm

On 19 Dec 2002 11:12:24 -0800, Dirty Harry wrote:
> RodgerH <rhornber@worldnet.att.net> wrote in message
>>
>> You must add rsh to the list found in /etc/securetty.
>> At least I had to do this before it would work on my non-root account.
>>

>
>
> I think I found the problem but I don't understand why. The .rhosts
> file in backup's home directory had a mode of 0664. I changed this
> to 0600 and then the rsh command worked from a remote machine.
> So now my question is where is the statement or setting that makes it
> so that depending upon the mode, rsh may or may not work.


Define mode.

There is not a mode control switch about the 0600.
r* utils check the protection on .rhosts and will not work if
they do not like the privs during autolog in.
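
Added example (not part of the original thread): the kind of vetting Bit Twister describes, written as a shell function. The rules are modelled on the checks glibc's ruserok() applies to .rhosts; the function name check_rhosts, the sample entry and the use of GNU stat are assumptions of this example, and a PAM-based setup may apply slightly different rules.

```shell
#!/bin/sh
# Added example, not from the thread: vet a .rhosts file before trusting it.
# The rule set is modelled on the C library's ruserok() path; PAM-based
# setups may apply slightly different rules (assumption).

# check_rhosts FILE EXPECTED_UID
# Prints "ok" or the reason the file would be ignored; returns 0 only for ok.
check_rhosts() {
    file=$1; want_uid=$2

    # A symlink or any non-regular file is never trusted.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "not a regular file"; return 1
    fi

    # GNU stat: %a = octal mode, %u = owner uid, %h = hard-link count.
    set -- $(stat -c '%a %u %h' -- "$file")
    mode=$1; uid=$2; links=$3

    # The owner must be the target account or root.
    if [ "$uid" -ne 0 ] && [ "$uid" -ne "$want_uid" ]; then
        echo "bad owner"; return 1
    fi

    # Group or other write bits (octal 022) would let another account
    # add itself to the trust list, so the file is ignored.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable by other than owner"; return 1
    fi

    # A second hard link means the file can be edited under another name.
    if [ "$links" -gt 1 ]; then
        echo "hard linked somewhere"; return 1
    fi
    echo "ok"
}

# Constructed demo: the two modes from the thread on a throwaway file.
demo() {
    dir=$(mktemp -d); f="$dir/.rhosts"
    echo "client.example.com harry" > "$f"   # constructed entry
    for m in 0664 0600; do
        chmod "$m" "$f"
        echo "$m: $(check_rhosts "$f" "$(id -u)")"
    done
    rm -rf "$dir"
}
demo
```
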

Dirty Harry

2002-12-19, 5:25 pm

"Paul Lutus" <nospam@nosite.zzz> wrote in message news:<pan.2002.12.19.18.48.32.238837@nosite.zzz>...
> On Thu, 19 Dec 2002 07:17:45 +0000, Dirty Harry wrote:
>
> > To test I issued a
> > command like
> >
> > rsh -l backup machine_name "ls -al"
> >
> > and am getting a Permission denied.

>
> Which user issued the command? Is that user known to the destination? Have
> you considered using ssh instead? ssh will do the same job with similar
> syntax, but it is much more secure, if this matters in your situation.
>
> You can use ssh-keygen to create and then provide a public RSA key to the
> client, then the host can issue the same command and things will work
> swimmingly -- and securely.


I knew this would eventually come up about using ssh. While I'm not
worried about security of the transmission over the network at
present, (small office) isn't ssh only going to provide security in
the data transfer over the network? As far as who one allows to rsh
or ssh in, controlled by the .rhosts and .shosts files, isn't that
about the same level of security between the two?

A few weeks ago I posted a related question that I was more interested
in. Since I was going to allow certain individuals to rsh in to
machine A as user x, even though they don't have an account on machine
A, I wanted to restrict what directories/files they (as user x) could
get to. (The rsh capability was added primarily for access to the tape
drive) I knew this could be done with changing the other and group
permission settings on all the files on Machine A but I wanted to
avoid this. However, it sounded like that was the only way to go.

S C Rigler

2002-12-19, 8:24 pm

In article <64a441b.0212190717.3ddccfdb@posting.google.com>, Dirty Harry wrote:
> I recently installed RH 7.3 on a machine which I plan to use as a
> backup machine to put dumps (nightly incrementals) from another Linux
> machine. So I am trying to perform remote dumps and hence trying to
> get rsh to work. I've installed the rsh-server, I've created a user
> called backup (to be used in the dump and tar commands), I've created
> a .rhosts file for the user backup containing the machine and user
> names that are allowed to connect. I have enabled the rsh service
> (changed disabled to no in /etc/xinetd.d/rsh). To test I issued a
> command like
>
> rsh -l backup machine_name "ls -al"
>
> and am getting a Permission denied. So far I have been unable to
> figure out why it won't let me in. Further, about a month ago I just
> did this same thing (installed RH 7.3) on a machine with a tape drive
> and was able to get remote dumps to work with it. I'm presently at a
> loss at what else to do. I've read that you may need to edit
> /etc/securetty and/or something in the /etc/pam.d directory but that
> was for root access. This isn't necessary (I don't think) since I
> created the user backup plus I didn't do that on the other machine.
> Any ideas?


Make sure your .rhosts file is mode 0600.

An easier way to enable rsh is to just do "chkconfig rsh on". This
will change the disable line to "no" and restart xinetd for you.

-S