rsh promiscuous mode not a recognized option in lenny (rsh-server 0.17-14)?

[eclypse80]

Yes, my company uses rsh still on our linux cluster, and are supporting passwordless rsh. In lenny, I'm finding that previous means to allow passwordless logins are not working.

I've added + to /etc/hosts.equiv

Code:

# /etc/hosts.equiv: list  of  hosts  and  users  that are granted "trusted" r
#                   command access to your system .
#
#
+

and added the promiscuous and hosts_equiv_rootok options as I've done before:

Code:

# cat /etc/pam.d/rsh
#
# The PAM configuration file for the rsh (Remote Shell) service
#
# Due to limitations in the rsh protocol, modules depending on the conversation
# function to work cannot be used.  This includes authentication modules such
# as pam_unix.so.

auth    required        pam_warn.so
auth    required        pam_rhosts_auth.so promiscuous hosts_equiv_rootok
auth    required        pam_nologin.so
auth    required        pam_env.so
account required        pam_unix_acct.so
session required        pam_unix_session.so

However, looking at /var/log/auth.log, I see the following:

Code:

Nov 25 09:31:15 rshserverhostname rshd[11918]: pam_warn(rsh:auth): function=[pam_sm_authenticate] service=[rsh] terminal=[tty] user=[myusername] ruser=[myusername] rhost=[rshclienthostname]
Nov 25 09:31:15 rshserverhostname rshd[11918]: pam_rhosts_auth(rsh:auth): unrecognized option 'promiscuous'
Nov 25 09:31:15 rshserverhostname rshd[11918]: pam_rhosts_auth(rsh:auth): unrecognized option 'hosts_equiv_rootok'
Nov 25 09:31:15 rshserverhostname rshd[11918]: pam_rhosts_auth(rsh:auth): denied access to myusername@rshclienthostname as myusername
Nov 25 09:31:15 rshserverhostname rshd[11918]: rsh denied to myusername@rshclienthostname as myusername: Permission denied.

Did support for the promiscuous and pam_rhosts_auth options get removed in rsh-server 0.17-14? I can't seem to find anything about this change in my Google searches

[eclypse80]

I should learn to RTFM . This explains that the module was dropped, but not sure yet how to resolve this...

Code:

# zcat /usr/share/doc/libpam-modules/NEWS.Debian.gz
pam (0.99.10.0-1) unstable; urgency=low

  * pam_rhosts_auth module obsolete

    The pam_rhosts_auth module has been dropped upstream in favor of the
    more featureful and better-maintained pam_rhosts module.  To ease the
    transition to pam_rhosts, a compatibility symlink has been provided to
    map pam_rhosts_auth to pam_rhosts on your system; however, pam_rhosts
    doesn't support all of the same module options and the compatibility
    symlink will be dropped in a future release.  You should update any
    configs to use pam_rhosts instead of pam_rhosts_auth as soon as possible.

    For information on using pam_rhosts, see the pam_rhosts(8) manpage.

[eclypse80]

Tada!! Use the pam_permit "promiscuous" module instead.

6.24.pam_permit - the promiscuous module

Code:

# cat /etc/pam.d/rsh
#
# The PAM configuration file for the rsh (Remote Shell) service
#
# Due to limitations in the rsh protocol, modules depending on the conversation
# function to work cannot be used.  This includes authentication modules such
# as pam_unix.so.

auth required pam_warn.so
auth required pam_permit.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix_acct.so
session required pam_unix_session.so

Bingo!

Code:

[rshclienthostname:/home/myusername]108 % rsh rshserverhostname uptime
 10:39:54 up 5 days, 17:12,  3 users,  load average: 0.00, 0.00, 0.00

Hopefully this thread will save someone else from hours of research

[linuxisgreat]

thanks for this , has certainly helped someone three years on!

[Irithori]

Personally I get shivers from reading this "allow everything for anyone" approach.
Especially, as it´s not too difficult to have a key authenticating sshd in place.

But your usecase may differ, so have fun