Can't seem to get pam and .rhosts to play nice

Post by David Ruggie » Sat, 06 Jul 2002 02:52:19



Trying here to get rsh (actually, rcp, but let's just keep it simple for
now) to work between two RH 7.2 machines, running 2.4.9 kernels. Both are
internal machines, secure behind a firewall.

On machine "ben", user "vermont" has a single-line .rhosts file
(writable/readable only by him) in the /home/vermont directory:

  %cat .rhosts
  jerry +

I thought this would allow rsh access from host jerry, any user. Yet when
on jerry I try to just run a simple remote command, I get:

  % rsh -l vermont ben date
  Permission denied.
  %

Then when I check /var/log/messages on ben, I see:



I'm not sure what I've done wrong; I've got no hosts.equiv file, and I
can't find anything else that I'm supposed to do to make this fly.

Note that if I simply change the /etc/pam.d/rsh entry for pam_rhosts_auth from
"required" to "sufficient", it works fine - but I then seem to be able to
get in as ANY user - which is a little less security than I want. :)

  auth       required     /lib/security/pam_nologin.so
  auth       required     /lib/security/pam_securetty.so
  auth       required     /lib/security/pam_env.so
  auth       sufficient   /lib/security/pam_rhosts_auth.so  <<<<- changed this one
  account    required     /lib/security/pam_stack.so service=system-auth
  session    required     /lib/security/pam_stack.so service=system-auth

What am I doing wrong here?

TIA,
David

Post by Bit Twist » Sat, 06 Jul 2002 04:51:52



> Trying here to get rsh (actually, rcp, but let's just keep it simple for
> now) to work between two RH 7.2 machines, running 2.4.9 kernels. Both are
> internal machines, secure behind a firewall.

> On machine "ben", user "vermont" has a single-line .rhosts file
> (writable/readable only by him) in the /home/vermont directory:

>   %cat .rhosts
>   jerry +

Whatever man pages you are looking at are afu.   :)

I guess the first thing I would do is create .rhosts with the correct syntax:
  jerrys_node.domain  jerry

for fun, I would then try rlogin just to see how much r* code works.
I would check /etc/xinetd.d/rlogin to see if it had something like

service login
{
        socket_type             = stream
        wait                    = no
        user                    = root
        log_on_success          += USERID
        log_on_failure          += USERID
        server                  = /usr/sbin/in.rlogind
        disable                 = no
        only_from               = 192.168.1.10

}

I would then check /etc/xinetd.d/rsh
If you did not have one, I would wonder if the rpm was installed.

After changing /etc/xinetd.d/r* files do a

  service xinetd restart

to load your updates.

Post by Nico Kadel-Garci » Sat, 06 Jul 2002 04:57:20




> > Trying here to get rsh (actually, rcp, but let's just keep it simple for
> > now) to work between two RH 7.2 machines, running 2.4.9 kernels. Both are
> > internal machines, secure behind a firewall.

> > On machine "ben", user "vermont" has a single-line .rhosts file
> > (writable/readable only by him) in the /home/vermont directory:

> >   %cat .rhosts
> >   jerry +

> Whatever man pages you are looking at are afu.   :)

> I guess the first thing I would do is create .rhosts with the correct syntax.
> jerrys_node.domain  jerry

First thing *I* would do is throw rsh and rcp out the window. Proceed
*directly* to OpenSSH, available as part of RH 7.x, to get much better host
authentication and potentially SSH based login.

Post by David Ruggie » Sat, 06 Jul 2002 06:08:13



>Whatever man pages you are looking at are afu.   :)
>I guess the first thing I would do is create .rhosts with the correct  syntax.
>jerrys_node.domain  jerry

But remember this is an internal network, not connected to the internet.
On BOTH of these systems, "dnsdomainname" returns "(none)" (ie, no domain
is setup). So "jerry" and "ben" alone ARE essentially the FQDN's, right?
And there is no user "jerry" on either machine, only user "vermont", so I
don't understand what your second "jerry" does (isn't the format "hostname
username")? So what was wrong with my using the username, or a "+" to allow
all users? The docs seem to say that's correct.

> I would check /etc/xinetd.d/rlogin to see if it had something like
> I would then check /etc/xinetd.d/rsh

No, if this was the problem then simply changing the pam.d file wouldn't
fix the problem (as I reported in my original post, that's all it took).
In any case, both are stock RH - no "only from" in either, and neither
one is "disable = yes".

Post by Bit Twist » Sat, 06 Jul 2002 07:28:03




>>Whatever man pages you are looking at are afu.   :)
>>I guess the first thing I would do is create .rhosts with the correct  syntax.
>>jerrys_node.domain  jerry

> But remember this is an internal network, not connected to the internet.
> On BOTH of these systems, "dnsdomainname" returns "(none)" (ie, no domain
> is setup). So "jerry" and "ben" alone ARE essentially the FQDN's, right?
> And there is no user "jerry" on either machine, only user "vermont", so I
> don't understand what your second "jerry" does (isn't the format "hostname
> username")? So what was wrong with my using the username, or a "+" to allow
> all users? The docs seem to say that's correct.

Well, excuse me, I totally misunderstood. I quote:

" On machine "ben", user "vermont" has a single-line .rhosts file
  (writable/readable only by him) in the /home/vermont directory: "
and you have jerry + in the .rhosts file.

SO I naturally assumed vermont wanted to allow jerry (a user) to login.
I must have totally overlooked where there was a node named jerry.
I totally overlooked where you name systems with people's
names and user accounts as states, it is totally my fault, I screwed up.

A totally indefensible conclusion derived from insufficient information.
Again, I am sorry for trying to help.

>> I would check /etc/xinetd.d/rlogin to see if it had something like
>> I would then check /etc/xinetd.d/rsh

> No, if this was the problem then simply changing the pam.d file wouldn't
> fix the problem (as I reported in my original post, that's all it took).
> In any case, both are stock RH - no "only from" in either, and neither
> one is "disable = yes".

Post by Jonathan Roge » Fri, 19 Jul 2002 16:36:46


Two really off-the-wall thoughts on what could be wrong here, from
school-of-hard-knocks personal experience (with systems setup weirdly
by third-party vendors) -

1) Make sure the user's home directory in /etc/passwd is the one you
think it is...it may not be /home/username (even if /home/username
exists!)

2) Make sure the permissions on that home directory don't allow it to
be modified by anyone but the user, as pam_rhosts_auth checks that as
well as the permissions on the .rhosts file itself. (If it's
world-writable the permissions on the .rhosts file are essentially
meaningless because anyone can in theory change or delete .rhosts at
any time).

HTH,
/JR/


> Trying here to get rsh (actually, rcp, but let's just keep it simple for
> now) to work between two RH 7.2 machines, running 2.4.9 kernels. Both are
> internal machines, secure behind a firewall.

> On machine "ben", user "vermont" has a single-line .rhosts file
> (writable/readable only by him) in the /home/vermont directory:

>   %cat .rhosts
>   jerry +

> I thought this would allow rsh access from host jerry, any user. Yet when
> on jerry I try to just run a simple remote command, I get:

>   % rsh -l vermont ben date
>   Permission denied.
>   %

> Then when I check /var/log/messages on ben, I see:



> I'm not sure what I've done wrong; I've got no hosts.equiv file, and I
> can't find anything else that I'm supposed to do to make this fly.

> Note that if I simply change the /etc/pam.d/rsh entry for pam_rhosts_auth from
> "required" to "sufficient", it works fine - but I then seem to be able to
> get in as ANY user - which is a little less security than I want. :)

>   auth       required     /lib/security/pam_nologin.so
>   auth       required     /lib/security/pam_securetty.so
>   auth       required     /lib/security/pam_env.so
>   auth       sufficient   /lib/security/pam_rhosts_auth.so  <<<<- changed this one
>   account    required     /lib/security/pam_stack.so service=system-auth
>   session    required     /lib/security/pam_stack.so service=system-auth

> What am I doing wrong here?

> TIA,
> David

Post by David Ruggie » Fri, 19 Jul 2002 17:22:49


Thanks!!!!!!!! It turned out to be *both* #1 and #2. You hit the nail on
the head with that one. The account was set up to point at some internal
application directory as its "home", and that dir was world-writable.
I switched to using another username that had a "normal" homedir, and
everything now works great. Thanks again.

-David


>Two really off-the-wall thoughts on what could be wrong here, from
>school-of-hard-knocks personal experience (with systems setup weirdly
>by third-party vendors) -
>1) Make sure the user's home directory in /etc/passwd is the one you
>think it is...it may not be /home/username (even if /home/username
>exists!)
>2) Make sure the permissions on that home directory don't allow it to
>be modified by anyone but the user, as pam_rhosts_auth checks that as
>well as the permissions on the .rhosts file itself. (If it's
>world-writable the permissions on the .rhosts file are essentially
>meaningless because anyone can in theory change or delete .rhosts at
>any time).
>HTH,
>/JR/

>> Trying here to get rsh (actually, rcp, but let's just keep it simple for
>> now) to work between two RH 7.2 machines, running 2.4.9 kernels. Both are
>> internal machines, secure behind a firewall.


Post by Robin Sop » Sat, 27 Jul 2002 05:18:06


This sounds similar to a problem I have currently...

In my .rhosts file I have "+ myusername" which allows me to rlogin
into other hosts on the network without typing my password (my home
directory is automounted). However although this works perfectly for
IRIX & Solaris hosts, RH Linux 7.2 prompts me for a password. If I
type in my password it lets me in fine. The permissions on my .rhosts
file are 700.

Now if I have "A_hostname myusername" in my .rhosts and try and rlogin
from host "A_hostname" it works fine. So it isn't ignoring my .rhosts
altogether; it's the + username syntax it doesn't seem to like.

I would be interested to hear if this works for you or if you can
suggest why the hell it's not working for me cos it's driving me
insane!

And yes I know SSH is more secure...

Thanks & regards
Robin
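
The two checks Jonathan lists earlier in the thread (the home directory as recorded in /etc/passwd, and write permissions on that directory and on .rhosts) together with the .rhosts forms used by the posters ("jerry +", "A_hostname myusername", "+ myusername"), as an added checker script that is not code from any post in this thread. evaluate() works on facts passed in so it can be exercised offline; audit_live() gathers the same facts from the local passwd database and filesystem. It implements the .rhosts syntax as the posters read it and does not model why Red Hat 7.2 rejected Robin's "+ myusername" line, which the thread leaves unresolved. The "#" comment handling and the sample directory /opt/app are assumptions of this script.

```python
import os
import pwd
import stat

# Mode bits that count as "writable by someone other than the owner"
# (group or world write), which is what the thread says pam_rhosts_auth
# rejects on both the home directory and the .rhosts file.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_rhosts(text):
    """Parse .rhosts text into (host, user) tuples.

    Each line is "hostname [username]"; "+" in either field is a wildcard.
    A missing username means "the same username as the local account".
    Blank lines and "#" comments (an assumption of this checker) are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        rules.append((host, user))
    return rules


def rhosts_allows(rules, remote_host, remote_user, local_user):
    """True if some rule lets remote_user on remote_host log in as local_user."""
    for host, user in rules:
        host_ok = host == "+" or host.lower() == remote_host.lower()
        if user is None:
            user_ok = remote_user == local_user
        else:
            user_ok = user == "+" or user == remote_user
        if host_ok and user_ok:
            return True
    return False


def evaluate(local_user, passwd_home, expected_home, home_mode, rhosts_mode,
             rhosts_text, remote_host, remote_user):
    """Run the thread's checks on already-collected facts.

    Returns a list of findings; an empty list means the setup passes the
    checks discussed in the thread for this remote_user@remote_host.
    """
    findings = []
    # Check 1: the passwd home may not be the directory whose .rhosts you edited.
    if passwd_home != expected_home:
        findings.append(
            f"passwd home for {local_user} is {passwd_home}, not {expected_home}; "
            f"the .rhosts that matters is {passwd_home}/.rhosts")
    # Check 2: neither the home directory nor .rhosts may be writable by others.
    if home_mode & OTHER_WRITE:
        findings.append(f"{passwd_home} is group- or world-writable")
    if rhosts_mode & OTHER_WRITE:
        findings.append(f"{passwd_home}/.rhosts is group- or world-writable")
    # Finally, does any line actually grant this remote_user@remote_host?
    rules = parse_rhosts(rhosts_text)
    if not rhosts_allows(rules, remote_host, remote_user, local_user):
        findings.append(
            f"no .rhosts line grants {remote_user}@{remote_host} access as {local_user}")
    return findings


def audit_live(local_user, remote_host, remote_user):
    """Collect the facts from the running system and evaluate them."""
    entry = pwd.getpwnam(local_user)
    home = entry.pw_dir
    rhosts = os.path.join(home, ".rhosts")
    if not os.path.exists(rhosts):
        return [f"{rhosts} does not exist (passwd home is {home})"]
    with open(rhosts) as fh:
        text = fh.read()
    return evaluate(local_user, home, f"/home/{local_user}",
                    os.stat(home).st_mode, os.stat(rhosts).st_mode,
                    text, remote_host, remote_user)


if __name__ == "__main__":
    # Constructed sample mirroring David's setup: account "vermont" whose
    # passwd home is an application directory (assumed /opt/app) with mode
    # 0777, not /home/vermont, and a one-line .rhosts of "jerry +".
    print(evaluate("vermont", "/opt/app", "/home/vermont", 0o40777, 0o100600,
                   "jerry +\n", "jerry", "anyone"))
    # The same .rhosts under an account with a normal, owner-only-writable home.
    print(evaluate("vermont", "/home/vermont", "/home/vermont", 0o40755, 0o100600,
                   "jerry +\n", "jerry", "anyone"))
```

Run it as the user whose access is failing (audit_live("vermont", "jerry", "anyone") on ben, in David's case) and every finding is a reason the "required" pam_rhosts_auth line can reject the login before the .rhosts contents are even considered; an empty list for the expected remote host and user leaves only the PAM stack and xinetd configuration to look at.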

 
 
 

Post by Nico Kadel-Garci » Sat, 27 Jul 2002 12:31:36



> This sounds similar to a problem I have currently...

> In my .rhosts file I have "+ myusername" which allows me to rlogin
> into other hosts on the network without typing my password (my home
> directory is automounted). However although this works perfectly for
> IRIX & Solaris hosts, RH Linux 7.2 prompts me for a password. If I
> type in my password it lets me in fine. The permissions on my .rhosts
> file is 700

Throw .rhosts out *RIGHT NOW*. Proceed directly to OpenSSH, which at least
uses a ".shosts" and protects the actual link from getting password sniffed
and authenticates the target much more thoroughly.

> And yes I know SSH is more secure...

Then why are you using .rhosts at all?


Post by Robin Sop » Sat, 27 Jul 2002 20:30:25



> Throw .rhosts out *RIGHT NOW*. Proceed directly to OpenSSH, which at least
> uses a ".shosts" and protects the actual link from getting password sniffed
> and authenticates the target much more thoroughly.

> > And yes I know SSH is more secure...

> Then why are you using .rhosts at all?

Nico - I am fully aware of ssh and the benefits it offers, thanks for
reminding me however, but in this situation I need to use rsh/rlogin -
just put it down to having to work with a set of constraints over
which I have no control...

So I still have the .rhosts problem

Any suggestions?

Regards
Robin


Post by Nico Kadel-Garci » Sat, 27 Jul 2002 21:38:47




> > Throw .rhosts out *RIGHT NOW*. Proceed directly to OpenSSH, which at least
> > uses a ".shosts" and protects the actual link from getting password sniffed
> > and authenticates the target much more thoroughly.

> > > And yes I know SSH is more secure...

> > Then why are you using .rhosts at all?

> Nico - I am fully aware of ssh and the benefits it offers, thanks for
> reminding me however, but in this situation I need to use rsh/rlogin -
> just put it down to having to work with a set of constraints over
> which I no control...

> So I still have the .rhosts problem

> Any suggestions?

Run SSH on a high numbered port, taking advantage of its handling of .shosts
and .rhosts, and don't tell the guy running the server? It certainly has no
*worse* security than running rshd this way.

Otherwise, you should make sure that the site owner is, in fact, running
rshd. Try telnetting to the rsh port (port 544) and see if it's open. If
it's not, you need to negotiate with this person anyway.


Post by Will May » Sun, 28 Jul 2002 20:28:51


> > Nico - I am fully aware of ssh and the benefits it offers, thanks for
> > reminding me however, but in this situation I need to use rsh/rlogin -
> > just put it down to having to work with a set of constraints over
> > which I no control...
> Run SSH on a high numbered port, taking advantage of its handling of .shosts
> and .rhosts, and don't tell the guy running the server? It certainly has no
> *worse* security than running rshd this way.

Sorry to butt in, but isn't telling the sysadmin just a _little_
underhanded? Some day they are going to run netstat, and it'll show
up this rogue port, and if they know what they are doing, they will
investigate. Such a nice way to get yourself kicked off the system.

~w


Post by Nico Kadel-Garci » Sun, 28 Jul 2002 23:13:21



> > > Nico - I am fully aware of ssh and the benefits it offers, thanks for
> > > reminding me however, but in this situation I need to use rsh/rlogin -
> > > just put it down to having to work with a set of constraints over
> > > which I no control...
> > Run SSH on a high numbered port, taking advantage of its handling of .shosts
> > and .rhosts, and don't tell the guy running the server? It certainly has no
> > *worse* security than running rshd this way.
> Sorry to butt in, but isn't telling the sysadmin just a _little_
> underhanded? Some day they are going to run netstat, and it'll show
> up this rogue port, and if they know what they are doing, they will
> investigate. Such a nice way to get yourself kicked off the system.

It is underhanded. But since it's replacing rsh for an individual user (and
doesn't have root privileges), it's considerably safer than the RSH the
admin is currently running.

Also, if the sys-admin is too butt-stupid to block RSH and replace it with
SSH, he's probably too dumb to actually run nmap or netstat.