passwordless rsh and rlogin



stephenisthebaker
20-Jan-2014, 10:18
Hello,

I am having trouble configuring passwordless rsh and rlogin on SLES 11 sp2.

By passwordless, I mean, I use:


rsh -l root testhost1

and without asking for a password the connection is made and authenticated.

Before I continue I want to set the record straight: I understand the security risks and implications involved with such a passwordless configuration. I am working in a physically segregated environment with NO physical or wireless connection to the internet or any other part of the outside world. The environment is a research environment and is meant to allow for testing. The developers require passwordless rsh and rlogin as well as ssh, telnet, rsync, and other ways of connecting for the tests that they run. I cannot convince the developers to use a different method, as they are doing research that requires connecting with these different methods as part of the testing and research data they are collecting.

Now that that is out of the way, let me continue.

/etc/xinetd.d/rsh

# /etc/xinetd.d/rsh
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
# consequently, for the rsh(1) program. The server provides \
# remote execution facilities with authentication based on \
# privileged port numbers from trusted hosts.
service shell
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rshd
}

/etc/xinetd.d/rlogin

# /etc/xinetd.d/rlogin
# default: on
# description: rlogind is the server for the rlogin(1) program. The server \
# provides a remote login facility with authentication based on \
# privileged port numbers from trusted hosts.
service login
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rlogind
}

/etc/pam.d/rsh

# /etc/pam.d/rsh
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts.so
account include password-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include password-auth

/etc/pam.d/rlogin

# /etc/pam.d/rlogin
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rlogin" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts.so
auth include password-auth
account include password-auth
password include password-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include password-auth

/etc/hosts.equiv

# hosts.equiv This file describes the names of the hosts which are
# to be considered "equivalent", i.e. which are to be
# trusted enough for allowing rsh(1) commands.
#
# hostname
+ +

/etc/securetty.bak

#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6

The above is the information I have in the relevant files.

I do not have a /etc/securetty file, but I do have a /etc/securetty.bak file which I also included above.

When I try to connect I use:


rsh -l root testhost1

and it still asks me for a password.

At this point I am completely stuck. I very much appreciate any assistance with this that can be provided.

Thanks!

-S

mikewillis
20-Jan-2014, 17:11
I do not have a /etc/securetty file, but I do have a /etc/securetty.bak file which I also included above.


I'd try recreating /etc/securetty from /etc/securetty.bak.

/etc/securetty is provided by the pam package

:~ # rpm -qf /etc/securetty
pam-1.1.5-0.10.17
:~ # cat /etc/securetty
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6

so that you don't have one suggests it's been deleted at some point.
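
An added example, not part of either post above: a shell check that reads the rsh/rlogin trust files discussed in this thread and reports a missing /etc/securetty, a service name not listed in it, PAM "include" targets that do not exist, and a "+" entry in hosts.equiv. The function names check_rtrust and make_sample, the root-prefix argument, and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: checks the rsh/rlogin trust files it shows.
# check_rtrust ROOT   (ROOT is a hypothetical prefix, e.g. a copy of a host's /etc tree)
check_rtrust() {
    root="${1:-}"
    for svc in rsh rlogin; do
        pam="$root/etc/pam.d/$svc"
        [ -f "$pam" ] || continue
        # Per the comment in the posted PAM files, root logins through
        # pam_securetty need the service name listed in /etc/securetty.
        if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_securetty\.so' "$pam"; then
            if [ ! -f "$root/etc/securetty" ]; then
                echo "$svc: pam_securetty in use but /etc/securetty is missing"
            elif ! grep -qx "$svc" "$root/etc/securetty"; then
                echo "$svc: '$svc' is not listed in /etc/securetty"
            fi
        fi
        # Each "include NAME" line must resolve to a file in /etc/pam.d.
        for inc in $(awk '$1 !~ /^#/ && $2 == "include" {print $3}' "$pam" | sort -u); do
            [ -f "$root/etc/pam.d/$inc" ] ||
                echo "$svc: included PAM file '$inc' not found"
        done
    done
    # A leading "+" host field in hosts.equiv matches every host.
    if [ -f "$root/etc/hosts.equiv" ] &&
       grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$root/etc/hosts.equiv"; then
        echo "hosts.equiv: '+' entry trusts every host"
    fi
    return 0
}

# Constructed sample tree mirroring the files posted above (no /etc/securetty).
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    printf '%s\n' 'auth required pam_securetty.so' 'auth sufficient pam_rhosts.so' \
        'account include password-auth' 'session include password-auth' \
        > "$d/etc/pam.d/rsh"
    printf '%s\n' '# hostname' '+ +' > "$d/etc/hosts.equiv"
    echo "$d"
}

sample=$(make_sample) && check_rtrust "$sample"
rm -rf "$sample"
```

Run against the live system with an empty prefix, `check_rtrust ""`; no output means none of the three conditions was found.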