rsh/rlogin PAM issue after upgrading to SLES 11 SP3

yssong · June 6, 2014, 11:54pm

Hi,

Somehow rlogin/rsh stopped working after upgrading to SLES 11 SP3. (It was working fine before the upgrade)

It’s not an xinetd issue but is a PAM issue.

I have the default rsh/rlogin PAM files as below.

cat /etc/pam.d/rsh

#%PAM-1.0
auth required pam_rhosts.so
auth required pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

cat /etc/pam.d/rlogin

#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die defau pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

rsh localhost

Password:
rlogin: connection closed.

tail -2 /var/log/messages

Jun 6 13:50:24 server1 in.rlogind[4735]: connect from 127.0.0.1 (127.0.0.1)
Jun 6 13:50:24 server1 rlogind[4735]: pam_rhosts(rlogin:auth): denied access to root@localhost as root

I typed in the correct password in the above example.

The same problem occurs across all the servers I’ve upgraded to SLES 11 SP3.

Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Has anyone experienced the same problem?

Thanks for your help in advance!

Steve

yssong · June 7, 2014, 12:34am

BTW, I did disable AppArmor but the problem still occurs.

chkconfig boot.apparmor

boot.apparmor off

Thanks.

Steve

Jens-U · June 10, 2014, 1:52am

Hi Steve,

have you tried running pam_rhosts with the “debug” option, maybe you’ll be offered a hint at any specific access validations done since SP3?

I typed in the correct password in the above example.
[…]
Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Shouldn’t you have to type in passwords at all with the proper .rhosts / /etc/hosts.equiv setup?

Maybe the file permissions of ~root/.rhosts are not restrictive enough?

Regards,
Jens

BDBeveridge · April 29, 2015, 6:54pm

I was seeing this too after the upgrade. However, there is a patch for rsh-server that fixes the problem. Look for rsh-server-0.17-706.20.1.

Topic		Replies	Views
Cannot use rcp or rlogin on SLES 10 SP 3 SLES Configure-Administer	2	182	October 23, 2011
passwordless rsh and rlogin SLES Configure-Administer	1	250	January 20, 2014
Cannot log into LDAP/eDirectory from a SLES 11 -machine SLES Configure-Administer	3	278	September 23, 2011
SLES 10 SP4 update to SLES 11 SP1 Cannot Authenticate SLES Updates	2	200	April 9, 2013
Winbind / PAM insufficient restrictions SLES Configure-Administer	1	207	July 20, 2015