
"The Linux Gazette...making Linux just a little more fun!"


(?) The Answer Guy (!)


By James T. Dennis, tag@lists.linuxgazette.net
Starshine Technical Services, http://www.starshine.org/


The original thread appeared in Issue 36, "'rsh' as 'root' Denied".


(?) More on: 'rsh' as 'root' Denied

From Walt Smith on Tue, 29 Dec 1998

(?) HI !

THX for the reply...... Unfortunately, I still can't -

rsh wally ls
as root. Tried it on Slackware nicely set up w/ 2.0.30 kernel. Didn't try Red as I don't know it as well.

I changed the /etc/inetd.conf to read -h starts with -

shell stream tcp nowait root /usr/sbin/tcpd in.rshd -h

I also tried -hl and -l

/etc/services has:

shell 514/tcp cmd #no passwords used

(that's the actual statement including # comment above)

I had hosts.equiv text of -

wally.bcpl.net +
(I took hosts ISP bcpl.net and added 'wally' for my pc.) (wally is aliased for same in file hosts)

MESSAGE given is -

permission denied

I also tried renaming hosts.equiv to get it out of the loop entirely.

(!) Your /etc/hosts.equiv seems to be in the wrong format. Your hosts.equiv should contain hostnames --- no "+" (plus) signs or any other data. Some versions don't seem to allow IP addresses -- just hostnames.
I personally recommend that you configure such a system to give /etc/hosts files priority over DNS --- and distribute a good hosts file to all of the systems on this cluster.
Running it with the -l (disable personal .rhosts files) is probably a good idea for a cluster. I'd definitely put this cluster behind a router (any Linux box with a couple of interfaces will do) and configure a set of packet filters to limit outside access to services within the cluster.
The very least you should do with your packet filters is "anti-spoofing" --- let's say you're using the 192.168.10.* block of addresses (from RFC1918) for your cluster nodes. You'd put in a rule like this:
ipfwadm -I -o -a deny -W $exterior_interface -S 192.168.10.0/24
... (as one line, of course) to add (-a) a "firewall" (packet filter) rule to the "incoming" (-I) table on the interface which (-W) you've named which will "deny" any packet that purports to have a source (-S) address that's supposed to be assigned to one of your internal cluster nodes. The -o in this rule specifies that any packets matching the rule ("caught by it") should generate "output" to the syslogs. You can then filter/monitor your syslog for attempts to violate your policy.
This affords only a tiny measure of protection over all. However, it is better than nothing. If a group of machines will have a trust relationship based on their IP addresses --- you must ensure that your routers into that LAN segment won't blithely allow "imposter" packets through.
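The following is an added illustration, not part of the Answer Guy's reply: a small POSIX shell model of the decision that the ipfwadm anti-spoofing rule above expresses. It is not ipfwadm itself and does not touch the kernel; it shows, for a handful of constructed packets, which ones an ingress filter on the exterior interface would deny and log because their claimed source lies inside the cluster's RFC1918 block. The interface names (eth0, eth1), the 192.168.10.0/24 block and the sample packets are all assumptions for the example. The CIDR match is generic, so it goes beyond the /24 case in the text.

```shell
#!/bin/sh
# Added example: model of an ingress anti-spoofing filter decision.
# Not the column's code; ipfwadm is not invoked. Names and addresses are constructed.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS -> exit status 0 if IP lies within NET/BITS
# (BITS must be 1..32; a /0 prefix would shift by 32, which is undefined)
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

EXTERIOR_IF=eth0                # constructed: the interface facing the outside
CLUSTER_NET=192.168.10.0/24     # constructed: RFC1918 block used by the cluster

# spoof_check IFACE SRC_IP -> prints "deny" or "accept"
# A packet arriving from outside that claims an inside source is the
# "imposter" case; like the -o flag on the ipfwadm rule, it is also logged.
spoof_check() {
    if [ "$1" = "$EXTERIOR_IF" ] && ip_in_cidr "$2" "$CLUSTER_NET"; then
        echo "anti-spoof: denied packet on $1 claiming source $2 (inside $CLUSTER_NET)" >&2
        echo deny
    else
        echo accept
    fi
}

# Constructed sample packets: "interface claimed-source"
for pkt in "eth0 192.168.10.7" "eth0 203.0.113.9" "eth1 192.168.10.7"; do
    set -- $pkt
    printf '%-5s %-15s -> %s\n' "$1" "$2" "$(spoof_check "$1" "$2")"
done
```

Only the first packet is denied: it arrives on the exterior interface while claiming a cluster address. The same address arriving on the interior interface (eth1) is what a legitimate node looks like and passes, which is why the rule is bound to a specific interface with -W rather than applied everywhere.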

(?) By the way, bcpl.net is Baltimore County Public Library. Their accounts are $100/year unlimited time, with ppp, telnet to sun shell $, ftp, and 5 megs for email/and/or web page !! Such a deal !!!

see www.bcpl.net/~waltech/ if curious, which I doubt....

(!) I'll leave in the plug. Normally I filter out identifying information from messages before posting them to the Linux Gazette. This is to protect your privacy (and limit the amount of spam that would be sent to my correspondents).

(?) Never programmed in bcpl .... that's a golden oldie, right ??

(!) Yes, it pre-dated B which was the predecessor to C. Some have argued that the next programming language in the evolution of this family should therefore be "P" --- then "L" ;)

(?) I want to use rsh because I want to get a small experimental Beowulf going, and this tidbit is neglected everywhere I've checked. Did I muck something ????????????????

(!) It looks to me like you put extra stuff on your hosts.equiv lines. A "+" on a line by itself would be a "wildcard" allowing in "all" hosts (which is every bit as stupid as it sounds --- and was the default for SunOS and Solaris for many years)!
I think the versions of in.rshd and the related daemons that are commonly shipped with Linux (different versions for different distributions --- most are BSD or Wietse Venema 'logdaemon' based) will ignore such wildcards.
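As an added check, not from the column, here is a small POSIX shell linter for /etc/hosts.equiv that flags the two problems the Answer Guy points out in this reply and in the one above: a "+" wildcard on a line by itself, and anything after the hostname on a line (such as the "wally.bcpl.net +" entry from the question). It also flags entries that look like IP addresses, since the earlier reply notes some versions only accept hostnames. The sample file it writes is constructed to mirror the question; the function name and the temporary path are assumptions for the example.

```shell
#!/bin/sh
# Added example: lint a hosts.equiv file for the problems discussed in the replies.
# Not the column's code. The sample file below is constructed.

# lint_hosts_equiv FILE -> prints one finding per line; returns 1 if any finding
lint_hosts_equiv() {
    set -f                      # no globbing when we word-split an entry
    file=$1
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}       # drop trailing comment
        set -- $entry           # split into fields (intentional word splitting)
        [ $# -eq 0 ] && continue
        # A lone "+" trusts every host on the network.
        case $1 in
            +) echo "$file:$lineno: '+' wildcard trusts every host"; rc=1 ;;
        esac
        # hosts.equiv lines should carry a hostname and nothing else.
        if [ $# -gt 1 ]; then
            echo "$file:$lineno: extra field(s) after hostname: '$entry'"; rc=1
        fi
        # Digits and dots only: an IP address, which some rshd versions reject.
        case $1 in
            *[!0-9.]*) ;;
            *) echo "$file:$lineno: IP address '$1'; some versions want hostnames"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# write_sample FILE -> constructed sample mirroring the question, plus one clean entry
write_sample() {
    cat > "$1" <<'EOF'
# cluster nodes
wally.bcpl.net +
+
192.168.10.5
node2.cluster.example
EOF
}

f=${TMPDIR:-/tmp}/hosts.equiv.sample.$$
write_sample "$f"
if lint_hosts_equiv "$f"; then
    echo "$f: no findings"
else
    echo "$f: findings above; fix before relying on rsh trust"
fi
rm -f "$f"
```

Run it against the real file with lint_hosts_equiv /etc/hosts.equiv after sourcing the script; a clean file produces no output and exit status 0. The sample produces three findings (the extra field, the lone "+", and the bare IP address) and only node2.cluster.example passes.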

(?) THX for any help !

regards,
Walt Smith


Copyright © 1999, James T. Dennis
Published in The Linux Gazette Issue 37 February 1999




