old-www/LDP/LG/issue37/tag/8.html

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1H.i">
<TITLE>The Answer Guy 37: More on: 'rsh' as 'root' Denied</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" 
		border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" 
		border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
	Starshine Technical Services,
	<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> 
</H4>
</center>

<p><hr><p>
<!--  endcut ======================================================= -->
<!-- begin 8 -->

<p>The original thread appeared in Issue 36, 
"<a href="../../issue36/tag/98.html">'rsh' as 'root' Denied</a>".</p>

<hr width="40%" align="center"><!-- ................................ -->

<H3 align="left"><img src="../../gx/dennis/qbubble.gif" 
	height="50" width="60" alt="(?) " border="0"
	>More on: 'rsh' as 'root' Denied</H3>


<p><strong>From Walt Smith  on Tue, 29 Dec 1998  
</strong></p>
<!-- ::
More on: 'rsh' as 'root' Denied
~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
HI !
</STRONG></P>
<P><STRONG>
THX for the reply......
Unfortunately, I still can't -
<blockquote><code>rsh wally ls</code></blockquote>
as root.  Tried it on slackware nicely setup w/ 2.0.30
kernel.  Didn't try Red as I don't know it as well.
</STRONG></P>
<P><STRONG>
I changed the <TT>/etc/inetd.conf</TT> to read <tt>-h</tt>
starts with -
<blockquote><code>
shell stream tcp nowait root /usr/sbin/tcpd in.rshd -h
</code></blockquote>
</STRONG></P>
<P><STRONG>
I also tried <tt>-hl</tt> and <tt>-l</tt>
</STRONG></P>
<P><STRONG>
<TT>/etc/services</TT> has:
<blockquote><code>
shell  514/tcp   cmd    #no passwords used
</code></blockquote>
</STRONG></P>
<P><STRONG>
(thats the actual statement including # comment above)
</STRONG></P>
<P><STRONG>
I  had hosts.equiv text of -
<blockquote><code>
wally.bcpl.net +
</code></blockquote>
(I took hosts ISP bcpl.net and added 'wally' for my pc.)
(wally is aliased for same in file hosts)
</STRONG></P>
<P><STRONG>
MESSAGE given is -
<blockquote><code>
permission denied
</code></blockquote>
</STRONG></P>
<P><STRONG>
I also tried renaming <tt>hosts.equiv</tt> to get it out of the loop
entirely.
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Your <TT>/etc/hosts.equiv</TT> seems to be in the wrong format.  Your
hosts.equiv should contain <EM>hostnames</EM> --- no "+" (plus)
signs or any other data.  Some versions don't seem to allow
IP addresses -- just hostnames.
</BLOCKQUOTE>
<BLOCKQUOTE>
I personally recommend that you configure such a system to
give <TT>/etc/hosts</TT> files priority over DNS --- and distribute a
good hosts file to all of the systems on this cluster.
</BLOCKQUOTE>
<BLOCKQUOTE>
Running it with the <tt>-l</tt> (disable personal <tt>.rhosts</tt> files) is
probably a good idea for a cluster.  I'd definitely put this
cluster behind a router (any Linux box with a couple of
interfaces will do) and configuring a set of packet filters
to limit outside access to services within the cluster.
</BLOCKQUOTE>
<BLOCKQUOTE>
The very least you should do with your packet filters is
"anti-spoofing" --- let's say your using the 192.168.10.*
block of addresses (from RFC1918) for your cluster nodes.
You'd put in a rule like this:
</BLOCKQUOTE>

<blockquote><pre>ipfwadm -I -o -a deny -W $exterior_interface -S 192.168.10.0/24
</pre></blockquote>
<BLOCKQUOTE>
... (as one-line, of course) to add (-a) a "firewall"
(packet filter) rule to the "incoming" (-I) table on
the interface which (-W) you've named which will "deny"
any packet that purports to have a source (-S) address
that's supposed to be assigned to one of your internal
cluster nodes.  The -o in this rules specifies that any
packets matching the rule ("caught by it") should generate
"output" to the syslogs.  You can then filter/monitor your
syslog for attempts to violate your policy.
</BLOCKQUOTE>
<BLOCKQUOTE>
This affords only a tiny measure of protection over all.
However, it is better than nothing.  If a group of machines
will have a trust relationship based on their IP addresses
--- you much ensure that your routers into that LAN segment
won't blithely allow "imposter" packets through.
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
By the way, bcpl.net is Baltimore County Public Library.
Their accounts are $100/year unlimited time, with ppp,
telnet to sun shell $, ftp, and 5 megs for email/and/or
web page !! Such a deal !!!
</STRONG></P>
<P><STRONG>
see <a href="http://www.bcpl.net/~waltech/">www.bcpl.net/~waltech/</a> 
if curious, which I doubt....
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
I'll leave in the plug.  Normally I filter out
identifying information from messages before posting
them to the Linux Gazette.  This is to protect your
privacy (and limit the amount of spam that would
be sent to my correspondents).
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Never programmed in bcpl .... thats a golden oldie, right ??
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Yes, it pre-dated B which was the predecessor to C.
Some have argued that the next programming language in
the evolution of this family should therefore be "P"
--- then "L" 
<IMG SRC="../../gx/dennis/smily.gif" ALT=";)" 
		height="24" width="20" align="middle">
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
I want to use rsh because I want to get a small experimental Beowulf
going, and this tidbit is neglected everywhere I've checked.  Did I
muck something ????????????????
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
It looks to me like you put extra stuff on your hosts.equiv
lines.  A "+" on a line by itself would be a "wildcard"
allowing in "all" hosts (which is every bit as stupid as
it sounds --- and was the default for SunOS and Solaris
for many years)!
</BLOCKQUOTE>
<BLOCKQUOTE>
I think the versions of in.rshd and the related daemons
that are commonly shipped with Linux (different versions
for different distributions --- most are BSD or Wietse
Venama 'logdaemon' based) will ignore such wildcards.
</BLOCKQUOTE>
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
THX for any help !
</STRONG></P>
<P><STRONG>
regards,
<br>Walt Smith
</STRONG></P>
<!-- sig -->

<!-- end 8 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
	>Copyright &copy;</a> 1999, James T. Dennis 
<BR>Published in <I>The Linux Gazette</I> Issue 37 February 1999</H5>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P align="center">
<table width="98%"><tr valign="center" align="center">
<td rowspan="3" colspan="4"><A HREF="../lg_answer37.html"><IMG
        SRC="../../gx/dennis/answernew.gif"
        ALT="[ Answer Guy Index ]"></A></td>
  <TD width="8%"><A HREF="./1.html">1</A></TD>
  <TD width="8%"><A HREF="./2.html">2</A></TD>
  <TD width="8%"><A HREF="./3.html">3</A></TD>
  <TD width="8%"><A HREF="./4.html">4</A></TD>
  <TD width="8%"><A HREF="./5.html">5</A></TD>
  <TD width="8%"><A HREF="./6.html">6</A></TD>
  <TD width="8%"><A HREF="./7.html">7</A></TD>
  <TD width="8%"><A HREF="./8.html">8</A></TD>
  <TD width="8%"><A HREF="./9.html">9</A></TD>
  <TD width="8%"><A HREF="./10.html">10</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./11.html">11</A></TD>
  <TD><A HREF="./12.html">12</A></TD>
  <TD><A HREF="./14.html">14</A></TD>
  <TD><A HREF="./15.html">15</A></TD>
  <TD><A HREF="./16.html">16</A></TD>
  <TD><A HREF="./17.html">17</A></TD>
  <TD><A HREF="./18.html">18</A></TD>
  <TD><A HREF="./19.html">19</A></TD>
  <TD><A HREF="./21.html">21</A></TD>
  <TD><A HREF="./22.html">22</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./23.html">23</A></TD>
  <TD><A HREF="./28.html">28</A></TD>
  <TD><A HREF="./29.html">29</A></TD>
  <TD><A HREF="./30.html">30</A></TD>
  <TD><A HREF="./31.html">31</A></TD>
  <TD><A HREF="./32.html">32</A></TD>
  <TD><A HREF="./33.html">33</A></TD>
  <TD><A HREF="./34.html">34</A></TD>
  <TD><A HREF="./37.html">37</A></TD>
  <TD><A HREF="./38.html">38</A></TD>

</tr><tr valign="center" align="center">
  <TD><A HREF="./39.html">39</A></TD>
  <TD><A HREF="./41.html">41</A></TD>
  <TD><A HREF="./42.html">42</A></TD>
  <TD><A HREF="./43.html">43</A></TD>
  <TD><A HREF="./44.html">44</A></TD>
  <TD><A HREF="./45.html">45</A></TD>
  <TD><A HREF="./46.html">46</A></TD>
  <TD><A HREF="./47.html">47</A></TD>
  <TD><A HREF="./48.html">48</A></TD>
  <TD><A HREF="./49.html">49</A></TD>

</tr></table>
	</P>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<P> <hr> <P>
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<A HREF="../index.html"
	><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
<A HREF="../../index.html"
	><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
<A HREF="../lg_bytes37.html"
	><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
<A HREF="../york.html"
	><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->