rsh/rlogin PAM issue after upgrading to SLES 11 SP3

Hi,

Somehow rlogin/rsh stopped working after upgrading to SLES 11 SP3. (It was working fine before the upgrade.)

It’s not an xinetd issue but is a PAM issue.

I have the default rsh/rlogin PAM files as below.

cat /etc/pam.d/rsh

#%PAM-1.0
auth required pam_rhosts.so
auth required pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

cat /etc/pam.d/rlogin

#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die defau pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

rsh localhost

Password:
rlogin: connection closed.

tail -2 /var/log/messages

Jun 6 13:50:24 server1 in.rlogind[4735]: connect from 127.0.0.1 (127.0.0.1)
Jun 6 13:50:24 server1 rlogind[4735]: pam_rhosts(rlogin:auth): denied access to root@localhost as root

I typed in the correct password in the above example.

The same problem occurs across all the servers I’ve upgraded to SLES 11 SP3.

Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Has anyone experienced the same problem?

Thanks for your help in advance!

- Steve

BTW, I did disable AppArmor but the problem still occurs.

chkconfig boot.apparmor

boot.apparmor off

Thanks.

- Steve

Hi Steve,

Have you tried running pam_rhosts with the “debug” option? Maybe you’ll be offered a hint at any specific access validations done since SP3.

> I typed in the correct password in the above example.
> […]
> Whether I have .rhosts (or hosts.equiv) or not, the problem happens.

Shouldn’t you have to type in passwords at all with the proper .rhosts / /etc/hosts.equiv setup?

Maybe the file permissions of ~root/.rhosts are not restrictive enough?

Regards,
Jens
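
The permissions question about ~root/.rhosts can be checked directly. The following is an added example, not part of the original thread: a shell function that applies the ownership and mode checks that rsh-style host-equivalence code commonly makes on a .rhosts file (regular file, owned by the user or root, not writable by group or other, not hard-linked). That SLES 11 SP3 applies exactly these checks is an assumption; the function names and verdict strings are illustrative, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check for a .rhosts file (GNU stat assumed).
# check_rhosts FILE UID prints one verdict word; returns 0 only for "ok".
check_rhosts() {
    rh_file=$1
    rh_uid=$2
    # Test for a symlink first, because -e and -f follow links.
    if [ -L "$rh_file" ]; then echo "symlink"; return 1; fi
    if [ ! -e "$rh_file" ]; then echo "missing"; return 1; fi
    if [ ! -f "$rh_file" ]; then echo "not-regular"; return 1; fi
    # %u = owner uid, %a = octal mode, %h = hard link count
    set -- $(stat -c '%u %a %h' "$rh_file")
    rh_owner=$1; rh_mode=$2; rh_links=$3
    # The file must belong to the target user or to root.
    if [ "$rh_owner" -ne 0 ] && [ "$rh_owner" -ne "$rh_uid" ]; then
        echo "bad-owner"; return 1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$rh_mode & 022 )) -ne 0 ]; then
        echo "group-or-other-writable"; return 1
    fi
    if [ "$rh_links" -gt 1 ]; then echo "hard-linked"; return 1; fi
    echo "ok"
}

# Demo on constructed sample files: one strict (600), one loose (666).
rhosts_demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'localhost root\n' > "$demo_dir/good";  chmod 600 "$demo_dir/good"
    printf 'localhost root\n' > "$demo_dir/loose"; chmod 666 "$demo_dir/loose"
    for demo_name in good loose; do
        printf '%s: %s\n' "$demo_name" \
            "$(check_rhosts "$demo_dir/$demo_name" "$(id -u)")"
    done
    rm -rf "$demo_dir"
}

# With two arguments, check that file (e.g. /root/.rhosts 0);
# with none, run the demo on the constructed files.
if [ $# -eq 2 ]; then
    check_rhosts "$1" "$2"
elif [ $# -eq 0 ]; then
    rhosts_demo
fi
```

A verdict other than "ok" names the first check that failed, which can be compared against whatever pam_rhosts logs with its debug option enabled.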

I was seeing this too after the upgrade. However, there is a patch for rsh-server that fixes the problem. Look for rsh-server-0.17-706.20.1.