Enabling rsh, rlogin, rexec on Redhat Linux


1) Install rsh and rshd

yum install rsh rsh-server

2) Edit the configuration file /etc/xinetd.d/rsh

	service shell
	{
		socket_type             = stream
		wait                    = no
		user                    = root
		log_on_success          += USERID
		log_on_failure          += USERID
		server                  = /usr/sbin/in.rshd
		disable                 = no
	}

Set “disable” to “no”.

3) Restart “xinetd” daemon:

	service xinetd restart

4) /etc/securetty

To allow a remote root user to execute commands, add rsh and rlogin entries to the /etc/securetty file.

5) Check connection from server to client.
All r[sh | login | exec] utils use two connections: one from client to server and a second from server to client.

    – check your client-side iptables (firewall, NAT, …)

6) Check server is able to convert client IP address to hostname.

    – check DNS or /etc/hosts

7) Check ~/.rhosts

– file permissions “-rw-------”

– client hostname defined with userID:

server.domain.com userID

8) Add permission to use the commands over the network. A plus sign provides full permissions: it is a wildcard, so “+ +” trusts every user from every host.

	vi /etc/hosts.equiv

and add the line:

	+ +

9) Check /etc/pam.d/rsh (or rlogin, …)

    – module “pam_nologin.so” can disable login if the file /etc/nologin exists. For more details read /usr/share/doc/pam-0.77/txts/README.pam_nologin

10) Change /etc/pam.d/rsh to use:

	auth       required     pam_rhosts_auth.so

The client-server “rsh” protocol is not designed for any authentication other than .rhosts files. For example, pam_stack.so in the “auth” section can corrupt the client/server connection if the “login” program sends a password prompt to the client. If you need authentication by password, use “rlogin” or “ssh”.
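A read-only check for the trust files from steps 7 and 8, added here as an example (it is not part of the original post): it reports a .rhosts file that is not mode 600 and every “+” wildcard entry in a .rhosts or hosts.equiv file. The function names and the sample files created in demo() are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example: audit rsh trust files (~/.rhosts, /etc/hosts.equiv).

# Print a finding if the file is not mode 600 (-rw-------), as step 7 requires.
check_rhosts_mode() {
    local file="$1" mode
    mode=$(stat -c '%a' "$file") || { echo "$file: cannot stat"; return 0; }
    [ "$mode" = "600" ] || echo "$file: mode $mode, expected 600"
}

# Print one finding per "+" wildcard entry (format: "host [user]" per line).
find_wildcards() {
    local file="$1" n=0 host user rest
    while read -r host user rest || [ -n "$host" ]; do
        n=$((n + 1))
        case $host in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ "$host" = "+" ] && [ "$user" = "+" ]; then
            echo "$file:$n: '+ +' trusts every user on every host"
        elif [ "$host" = "+" ]; then
            echo "$file:$n: '+' in host field trusts every host"
        elif [ "$user" = "+" ]; then
            echo "$file:$n: '+' in user field trusts every user on $host"
        fi
    done < "$file"
    return 0
}

# Run both checks against constructed sample files in a temporary directory.
demo() {
    local dir
    dir=$(mktemp -d)
    printf 'server.domain.com userID\n' > "$dir/.rhosts"
    chmod 644 "$dir/.rhosts"                         # deliberately too open
    printf '# constructed sample\n+ +\n' > "$dir/hosts.equiv"
    check_rhosts_mode "$dir/.rhosts"
    find_wildcards "$dir/.rhosts"
    find_wildcards "$dir/hosts.equiv"
    rm -rf "$dir"
}

demo
```

On a real host, call `check_rhosts_mode` on each user's ~/.rhosts and `find_wildcards` on those files and on /etc/hosts.equiv.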

Note:

a) “rsh” with and without <command> are not the same command

“/usr/bin/rsh <host>” is the same as “rlogin <host>”; it enables insecure remote login to the server.

“/usr/bin/rsh <host> <command>” is a standard remote shell command.

b) Red Hat distributions contain Kerberos versions of “rsh” (or “rlogin”, …).

“rsh” without exact path can be interpreted as “/usr/kerberos/bin/rsh”.

If you don’t need the kerberized version, it is better to use the absolute path to rsh. You will save yourself the Kerberos check and the extra execution of the original “rsh” when Kerberos authentication fails.

c) The number of privileged ports is limited. rsh (or rlogin, rcp, …) uses privileged ports 512-1023. If all ports are in use, there is no room for a new connection. To check your server’s port status, run:

	netstat -n --inet

d) TCP/IP connections don’t end instantly but pass through the TIME_WAIT state. The timeout of this state is about 60s. It’s possible that all your reserved ports are in the TIME_WAIT state if you connect to and disconnect from the server very often.

e) Check /var/log/messages for information, warnings and errors

f) The “strace” program can be helpful debugging issues, here is an example:

client:

		strace -f -o rsh-client.strace /usr/bin/rsh <host> <command>
      Don’t forget to use the “-f” option; it’s important.

server:

Shell script “/root/rsh-strace.sh”

		#!/bin/bash
		/usr/bin/strace -f -o /tmp/rsh-server.trace /usr/sbin/in.rshd

Change /etc/xinetd.d/rsh to use the debug script:

		service shell
		{
			socket_type             = stream
			wait                    = no
			user                    = root
			log_on_success          += USERID
			log_on_failure          += USERID
			server                  = /root/rsh-strace.sh
						#/usr/sbin/in.rshd
			disable                 = no
		}

The “server” option should be the path to the strace script.

Restart xinetd daemon

g) Reporting issues to http://bugzilla.redhat.com
Append the strace output.
