Solved

ssh & rlogin work; rsh doesn't

Posted on 2004-08-05
8
1,802 Views
Last Modified: 2013-12-23
We are doing some benchmarking on a cluster running Fedora Core 1.  We're having trouble getting rsh to work. (Before anyone says anything, yes, we know rsh is insecure.  This cluster is not hooked to the net, and we just want to run some tests with rsh.) ssh and rlogin work fine, but when we use rsh, we get Connection Refused errors after a long timeout period. Here are some of the things we've checked:

/etc/hosts.allow (listed below)
/etc/hosts.deny (listed below)
/etc/xinetd.d/rsh (listed below)
that xinetd is running
that rshd is installed and turned on (see chkconfig output below)
that iptables is turned off (see chkconfig output below)

Anyone got any ideas or sugestions of other things to check?


#
# hosts.allow      This file describes the names of the hosts which are
#             allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#

portmap: 192.168.1.0/255.255.255.0
lockd: 192.168.1.0/255.255.255.0
mountd: 192.168.1.0/255.255.255.0
rquotad: 192.168.1.0/255.255.255.0
statd: 192.168.1.0/255.255.255.0
in.rshd: 192.168.1.0/255.255.255.0
in.rlogind: 192.168.1.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0

#
# hosts.deny      This file describes the names of the hosts which are
#            *not* allowed to use the local INET services, as decided
#            by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
in.rshd:ALL
in.rlogind:ALL
sshd:ALL

# /etc/xinetd.d/rsh
#
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
#      consequently, for the rsh(1) program.  The server provides \
#      remote execution facilities with authentication based on \
#      privileged port numbers from trusted hosts.
service shell
{
      socket_type            = stream
      wait                  = no
      user                  = root
      log_on_success            += USERID
      log_on_failure             += USERID
      server                  = /usr/sbin/in.rshd -h
      disable                  = no
}

Excerpted output from chkconfig --list:
iptables             0:off      1:off      2:off      3:off      4:off      5:off      6:off
xinetd               0:off      1:off      2:off      3:on      4:on      5:on      6:off
xinetd based services:
      chargen-udp:      off
      rsync:      off
      chargen:      off
      daytime-udp:      off
      daytime:      off
      echo-udp:      off
      echo:      off
      rsh:      on
      rlogin:      on
      services:      off
      time:      off
      time-udp:      off
      cups-lpd:      off
      sgi_fam:      on
      dbskkd-cdb:      off
      rexec:      off
0
Comment
Question by:jwolter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 38

Assisted Solution

by:yuzh
yuzh earned 50 total points
ID: 11732610
you need to create a .rhosts file under your home dir

eg,
user fred want to use rsh from boxA to boxB
in boxB, you need to put .rhosts file under fred's home dir,
the file format looks like:
BoxA fred

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11733201
after checking ~/.rhosts and /etc/hosts.equiv enshure yourself that there is no firewall:
   iptables -L -n && iptables -L -n -t nat && iptables -L -n -t mangle
if in doubt, post results from above command
0
 
LVL 1

Author Comment

by:jwolter
ID: 11735901
Good things to look for.  I should have mentioned those in my post, because we've already looked at them. I'm posting the results of the iptables commands since I don't know much about iptables.  

I'm trying to use tcpdump to monitor the ports and determine where the process is breaking down.  if I do tcpdump tcp port 514 on node a10 and rsh a10 pwd on node a14, I get the following response:

08:52:19.585563 a14.1023 > a10.shell: S 3028079579:3028079579(0) win 5840 <mss 1460,sackOK,timestamp 23717916 0,nop,wscale 0> (DF)
08:52:19.585605 a10.shell > a14.1023: R 0:0(0) ack 3028079580 win 0 (DF)

This sequence then repeats every second or so until it times out.  I'm not sure where to go with this, though.

---

a10> iptables -L -n && iptables -L -n -t nat && iptables -L -n -t mangle
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 11736211
iptables has no restrictions

silly question: does the user on a14 running rsh exist on a10? do they have the same uid?
0
 
LVL 1

Author Comment

by:jwolter
ID: 11736486
same user; same uid; same gid.  I've tried it with root and with a non-privleged user.  I've tried it between nodes.  I've tried it to the local node. None of these work.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 11736969
hmm, does netstat -an list port 514 with LISTEN on the remote machine?
0
 
LVL 1

Author Comment

by:jwolter
ID: 11737371
No! Since port 514 is the shell service in /etc/services, I assume this is a problem. Any guess how to fix this? Shouldn't xinetd be listening on this port (per the /etc/xinetd.d/rsh file listed above)?
0
 
LVL 1

Author Comment

by:jwolter
ID: 11739047
And the answer is:

I got curious so I shut down xinetd and restarted it from the command line with the debug option: /etc/rc.d/init.d/xinetd -d

In all the output, I found an error message that there were two arguments to server, when only one was expected. What it comes down to is that xinetd was barfing on the following line from /etc/xinetd.d/rsh:

     server               = /usr/sbin/in.rshd -h

It treats the "-h" as another argument.  I think it should look more like:

     server               = /usr/sbin/in.rshd
     server_args       = -h

but I haven't gotten this to work for root.  Works for non-privileged users, though!

Thanks everyone.  Time to allocate points...

0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help Skype for Business keeps dropping 7 35
HP 2530 switch and routing 4 62
Layer 3 Switch Configuration 12 44
Citrix App 7 30
Let’s list some of the technologies that enable smooth teleworking. 
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question