SUMMARY Re: need rsh help

From: Lisa Weihl (lweihl@cs.bgsu.edu)
Date: Fri Apr 24 1998 - 12:30:23 CDT


Original post is below. I was (and still am) having difficulty getting
past security code installed on my main Sun server when trying to rsh as
root. In the interest of trying to keep my post short I didn't put in that
I had put the machine names (fully qualified) into the .rhosts of root on
the Sun Server.

Most replies were asking me if I had added the machines to .rhosts or if
they were fully qualified. One admin said he was experiencing difficulty
rsh'ing after installing a firewall and that ports 1024 and 1023 needed to
be open. And then one admin suggested I check /etc/ttytab to see if it was
allowing network connections. It was and I can telnet as root from my mac
to the named server as long as I have a line in login.access allowing my
machine in.

A few people said to check the /etc/default/login file but that's strictly
Solaris.

I have still been working at this. I've even gone so far as to put back
the old 4.1.3 rsh binary (or at least what was marked as being the old one)
in inetd.conf so that it'd bypass both tcp wrapper and the rsh version from
logdaemon. I still get Permission denied so it has to be dying on the
ruserok call in the rsh code. I'm stumped (doesn't take much since I'm
still learning), if anyone has a clue please e-mail me.

Thanks to the following:
Vanessa Tsaccounis
Bryan Hodgson
Jim Robertori
Rik Schneider - indicated they were using ssh to replace rsh
Mariel Feder
Dennis Martens
David Foster

Lisa

Original post:

> The previous system administrator had things sealed up pretty well on this
> SunOS4.1.3_U1 machine since it's our main server. He had tcp_wrappers and
> all the pieces of logdaemon installed. My problem is I cannot rsh as root
> from any of our other Sun machines (either Solaris 2.5.1 or SunOS4.1.3_U1).
> I'm pretty sure the problem is not tcp wrapper as I'm not getting a
> connection refused error message and no message is sent via syslog
> indicating a refused connection.
>
> The login.access (checked by logdaemon version of ftp, rsh etc.) file on
> maestro is set to limit root access and user access.
>
> If I try the following from another server called solar as myself (with
> solar listed in my .rhosts): rsh maestro ls /etc I'm successful
>
> If I add a line to allow root at solar access to login.access it's like it
> just ignores it, from solar, issuing: rsh maestro ls /etc gives me
> Permission denied. I upped the level of logging by the rsh daemon to
> syslog and I see messages such as the following but they don't indicate a
> denied connection.
>
>
> Apr 20 12:35:10 maestro in.rshd[28279]: connect from root@solar
> Apr 20 12:35:56 maestro in.rshd[28281]: connect from lweihl@hydra
>
>
> I've tracked it down to the line in the logdaemon rsh code
>
> if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
>     ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) {
>         error("Permission denied.\n");
>         exit(1);
> }
>
> This has got to be where I'm bombing at. I looked at the readme and I see
> that rexec doesn't allow root to run at all. Is this what I'm running into
> using rsh ( I thought they were different)?
>
>
> I'm sure I'll get an immediate answer from someone really in the know:-)
>
>
> I'll summarize as usual.
>
> Thanks,
> Lisa

******************************************************************
Lisa Weihl, System Administrator E-mail: lweihl@cs.bgsu.edu
Department of Computer Science Office: Hayes 225
Bowling Green State University Phone: (419) 372-0116
Bowling Green, Ohio 43403-0214 Fax: (419) 372-8061


