rsh/rlogin PAM issue after upgrading to SLES 11 SP3



yssong
06-Jun-2014, 21:54
Hi,


Somehow rlogin/rsh stopped working after upgrading to SLES 11 SP3. (It was working fine before the upgrade.)

It's not an xinetd issue but is a PAM issue.

I have the default rsh/rlogin PAM files as below.


# cat /etc/pam.d/rsh
#%PAM-1.0
auth required pam_rhosts.so
auth required pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session


# cat /etc/pam.d/rlogin
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die defau pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session


# rsh localhost
Password:
rlogin: connection closed.

# tail -2 /var/log/messages
Jun 6 13:50:24 server1 in.rlogind[4735]: connect from 127.0.0.1 (127.0.0.1)
Jun 6 13:50:24 server1 rlogind[4735]: pam_rhosts(rlogin:auth): denied access to root@localhost as root


I typed in the correct password in the above example.

The same problem occurs across all the servers I've upgraded to SLES 11 SP3.

Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Has anyone experienced the same problem?

Thanks for your help in advance!



- Steve

yssong
06-Jun-2014, 22:34
BTW, I did disable AppArmor but the problem still occurs.

# chkconfig boot.apparmor
boot.apparmor off


Thanks.


- Steve

jmozdzen
09-Jun-2014, 23:52
Hi Steve,

Have you tried running pam_rhosts with the "debug" option? Maybe you'll be offered a hint at any specific access validations done since SP3.

> I typed in the correct password in the above example.
> [...]
> Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Shouldn't you have to type in passwords at all with the proper .rhosts / /etc/hosts.equiv setup?

Maybe the file permissions of ~root/.rhosts are not restrictive enough?

Regards,
Jens
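
Added example (not part of the original thread): the file-permission question raised above, written as a shell check. It applies the conditions glibc's ruserok() uses when opening a user's .rhosts (regular file, owned by the user or root, not writable by group or other, a single hard link). That pam_rhosts on this system defers to ruserok() is an assumption, `check_rhosts` is a hypothetical helper name, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. check_rhosts is a hypothetical helper.
# Assumes GNU stat (Linux) and that pam_rhosts defers to glibc's ruserok().

# check_rhosts FILE [UID]: print a verdict; return 0 only if FILE passes.
check_rhosts() {
    f=$1
    want_uid=${2:-0}            # uid of the account being logged in to

    # ruserok() uses lstat(), so a symlink is rejected rather than followed.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file"; return 1
    fi

    # %u = owner uid, %a = octal mode, %h = hard-link count
    set -- $(stat -c '%u %a %h' "$f")
    uid=$1; mode=$2; links=$3

    # Owner must be root or the target account.
    if [ "$uid" -ne 0 ] && [ "$uid" -ne "$want_uid" ]; then
        echo "$f: bad owner (uid $uid)"; return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$f: writable by group/other (mode $mode)"; return 1
    fi
    if [ "$links" -gt 1 ]; then
        echo "$f: hard linked ($links links)"; return 1
    fi
    echo "$f: ok"
}

# Stand-alone use: sh check_rhosts.sh /root/.rhosts 0
[ "$#" -eq 0 ] || check_rhosts "$@"
```

A file that passes all four checks rules out permissions as the cause of the "denied access" log line, which leaves the trust entries themselves or the rsh-server package to look at.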

BDBeveridge
29-Apr-2015, 16:54
I was seeing this too after the upgrade. However, there is a patch for rsh-server that fixes the problem. Look for rsh-server-0.17-706.20.1.