<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1H.i">
<TITLE>The Answer Guy 37: More on: 'rsh' as 'root' Denied</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
</center>

<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 8 -->

<p>The original thread appeared in Issue 36,
"<a href="../../issue36/tag/98.html">'rsh' as 'root' Denied</a>".</p>

<hr width="40%" align="center"><!-- ................................ -->

<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>More on: 'rsh' as 'root' Denied</H3>

<p><strong>From Walt Smith on Tue, 29 Dec 1998
</strong></p>
<!-- ::
More on: 'rsh' as 'root' Denied
~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
HI !
</STRONG></P>
<P><STRONG>
THX for the reply......
Unfortunately, I still can't -
<blockquote><code>rsh wally ls</code></blockquote>
as root. Tried it on Slackware nicely set up w/ 2.0.30
kernel. Didn't try Red as I don't know it as well.
</STRONG></P>
<P><STRONG>
I changed the <TT>/etc/inetd.conf</TT> to read <tt>-h</tt>;
it starts with -
<blockquote><code>
shell stream tcp nowait root /usr/sbin/tcpd in.rshd -h
</code></blockquote>
</STRONG></P>
<P><STRONG>
I also tried <tt>-hl</tt> and <tt>-l</tt>
</STRONG></P>
<P><STRONG>
<TT>/etc/services</TT> has:
<blockquote><code>
shell 514/tcp cmd #no passwords used
</code></blockquote>
</STRONG></P>
<P><STRONG>
(that's the actual statement including # comment above)
</STRONG></P>
<P><STRONG>
I had hosts.equiv text of -
<blockquote><code>
wally.bcpl.net +
</code></blockquote>
(I took hosts ISP bcpl.net and added 'wally' for my PC.)
(wally is aliased for same in file hosts)
</STRONG></P>
<P><STRONG>
MESSAGE given is -
<blockquote><code>
permission denied
</code></blockquote>
</STRONG></P>
<P><STRONG>
I also tried renaming <tt>hosts.equiv</tt> to get it out of the loop
entirely.
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Your <TT>/etc/hosts.equiv</TT> seems to be in the wrong format. Your
hosts.equiv should contain <EM>hostnames</EM> --- no "+" (plus)
signs or any other data. Some versions don't seem to allow
IP addresses -- just hostnames.
</BLOCKQUOTE>
<BLOCKQUOTE>
I personally recommend that you configure such a system to
give <TT>/etc/hosts</TT> files priority over DNS --- and distribute a
good hosts file to all of the systems on this cluster.
</BLOCKQUOTE>
<BLOCKQUOTE>
Running it with the <tt>-l</tt> option (disable personal <tt>.rhosts</tt> files) is
probably a good idea for a cluster. I'd definitely put this
cluster behind a router (any Linux box with a couple of
interfaces will do) and configure a set of packet filters
to limit outside access to services within the cluster.
</BLOCKQUOTE>
<BLOCKQUOTE>
The very least you should do with your packet filters is
"anti-spoofing" --- let's say you're using the 192.168.10.*
block of addresses (from RFC1918) for your cluster nodes.
You'd put in a rule like this:
</BLOCKQUOTE>

<blockquote><pre>ipfwadm -I -o -a deny -W $exterior_interface -S 192.168.10.0/24
</pre></blockquote>
<BLOCKQUOTE>
... (as one line, of course) to add (-a) a "firewall"
(packet filter) rule to the "incoming" (-I) table on
the interface which (-W) you've named which will "deny"
any packet that purports to have a source (-S) address
that's supposed to be assigned to one of your internal
cluster nodes. The -o in this rule specifies that any
packets matching the rule ("caught by it") should generate
"output" to the syslogs. You can then filter/monitor your
syslog for attempts to violate your policy.
</BLOCKQUOTE>
<BLOCKQUOTE>
This affords only a tiny measure of protection overall.
However, it is better than nothing. If a group of machines
will have a trust relationship based on their IP addresses
--- you must ensure that your routers into that LAN segment
won't blithely allow "imposter" packets through.
</BLOCKQUOTE>
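<p>As an added illustration (not part of the column, and not the ipfwadm tool itself), the following Python sketch generates the "deny and log" rule quoted above for each internal address block and simulates its effect on a few constructed packets, so the reader can see exactly which packets the anti-spoofing rule catches and which it lets through. The interface names, the outside address 198.51.100.20 and the log-line format are assumptions.</p>

```python
"""Simulate the ipfwadm anti-spoofing policy from the reply above.

Added example, not part of the Linux Gazette column. Interface names,
address blocks beyond the column's 192.168.10.0/24, the sample packets
and the log-line format are constructed for illustration.
"""
import ipaddress

# The cluster in the column uses one RFC 1918 block; add more here if needed.
INTERNAL_BLOCKS = [ipaddress.ip_network("192.168.10.0/24")]
EXTERIOR_IF = "eth0"   # assumption: eth0 faces the outside world


def ipfwadm_rules(exterior_if=EXTERIOR_IF, blocks=INTERNAL_BLOCKS):
    """Emit one 'deny and log' incoming rule per internal block, as in the column."""
    return [f"ipfwadm -I -o -a deny -W {exterior_if} -S {net}" for net in blocks]


def filter_packet(in_iface, src, exterior_if=EXTERIOR_IF, blocks=INTERNAL_BLOCKS):
    """Apply the rule to one inbound packet: ('deny', log_line) or ('accept', None).

    A packet is an imposter when it arrives on the exterior interface (-W)
    but claims a source (-S) that belongs to an internal cluster block.
    """
    addr = ipaddress.ip_address(src)
    if in_iface == exterior_if and any(addr in net for net in blocks):
        # -o: the matched packet is reported to syslog so it can be monitored.
        # Constructed format; the real kernel log line looks different.
        return "deny", f"IP fw-in deny {in_iface} src={src} (spoofed internal address)"
    return "accept", None


def spoof_attempts(packets, **policy):
    """Run the policy over (iface, src) pairs; return the log lines it produced."""
    logs = []
    for iface, src in packets:
        verdict, log = filter_packet(iface, src, **policy)
        if verdict == "deny":
            logs.append(log)
    return logs


SAMPLE_PACKETS = [  # constructed traffic seen by the cluster router
    ("eth0", "192.168.10.7"),   # claims to be a cluster node but came from outside
    ("eth1", "192.168.10.7"),   # genuine node on the interior interface
    ("eth0", "198.51.100.20"),  # ordinary external traffic
]

if __name__ == "__main__":
    print("\n".join(ipfwadm_rules()))
    print("\n".join(spoof_attempts(SAMPLE_PACKETS)))
```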
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
By the way, bcpl.net is Baltimore County Public Library.
Their accounts are $100/year unlimited time, with PPP,
telnet to Sun shell $, ftp, and 5 megs for email and/or
web page !! Such a deal !!!
</STRONG></P>
<P><STRONG>
see <a href="http://www.bcpl.net/~waltech/">www.bcpl.net/~waltech/</a>
if curious, which I doubt....
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I'll leave in the plug. Normally I filter out
identifying information from messages before posting
them to the Linux Gazette. This is to protect your
privacy (and limit the amount of spam that would
be sent to my correspondents).
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Never programmed in BCPL .... that's a golden oldie, right ??
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Yes, it pre-dated B which was the predecessor to C.
Some have argued that the next programming language in
the evolution of this family should therefore be "P"
--- then "L"
<IMG SRC="../../gx/dennis/smily.gif" ALT=";)"
height="24" width="20" align="middle">
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I want to use rsh because I want to get a small experimental Beowulf
going, and this tidbit is neglected everywhere I've checked. Did I
muck something ????????????????
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
It looks to me like you put extra stuff on your hosts.equiv
lines. A "+" on a line by itself would be a "wildcard"
allowing in "all" hosts (which is every bit as stupid as
it sounds --- and was the default for SunOS and Solaris
for many years)!
</BLOCKQUOTE>
<BLOCKQUOTE>
I think the versions of in.rshd and the related daemons
that are commonly shipped with Linux (different versions
for different distributions --- most are BSD or Wietse
Venema 'logdaemon' based) will ignore such wildcards.
</BLOCKQUOTE>
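<p>The following Python checker is an added example, not code from the column or from any rsh implementation: it audits a hosts.equiv file for the problems described in both replies above (a "+" wildcard, extra data after the hostname, an IP address where some versions want a hostname) and rewrites it to one hostname per line. The sample file content is constructed from the question's own <TT>wally.bcpl.net +</TT> line, and treating "#" as a comment marker is an assumption.</p>

```python
"""Audit /etc/hosts.equiv for the format problems discussed in the replies.

Added example, not part of the Linux Gazette column. The sample content is
constructed; the rules follow the replies: one hostname per line, no '+'
wildcards, no extra fields, and hostnames rather than IP addresses.
"""
import ipaddress

SAMPLE_HOSTS_EQUIV = """\
wally.bcpl.net +
+
192.168.10.5
node2.cluster.example
"""  # constructed sample built around the question's own 'wally.bcpl.net +' line


def _is_ip(token):
    """True when the token parses as an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hosts_equiv(text):
    """Return (line_no, problem) tuples; an empty list means the file looks sane."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if "+" in fields:
            # A bare '+' trusts every host; a '+' after a hostname is extra
            # data that the reply says does not belong in the file at all.
            problems.append((line_no, "'+' wildcard entry"))
        elif len(fields) > 1:
            problems.append((line_no, "extra data after hostname: " + " ".join(fields[1:])))
        elif _is_ip(fields[0]):
            problems.append((line_no, "IP address instead of hostname"))
    return problems


def rewrite_hosts_equiv(text):
    """Keep only the first token of each line, dropping bare '+' wildcard lines."""
    keep = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] != "+":
            keep.append(fields[0])
    return "\n".join(keep) + "\n"
```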
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
THX for any help !
</STRONG></P>
<P><STRONG>
regards,
<br>Walt Smith
</STRONG></P>
<!-- sig -->

<!-- end 8 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 1999, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 37 February 1999</H5>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->