Enable rsh/rlogin/rexec in Linux

HowTo - rsh, rlogin, rexec
-- for Red Hat Linux distributions --

Karel Zak <kzakredhat.com>
13-Dec-2004

I. Enable rsh (or rlogin, ...)

Install rsh-server*.rpm at first.

1) /etc/xinetd.d/rsh

service shell { socket_type = stream wait = no user = root log_on_success += USERID log_on_failure += USERID server = /usr/sbin/in.rshd disable = no } The option " disable " set to "no".

2) Restart your "xinetd" daemon:

service xinetd restart

3) /etc/securetty
Don't forget check if "rsh" (or "rlogin", ...) is there.

4) Check connection from server to client.
All r[sh | login | exec] utils use two connections. One from client to server and second from server to client.

- check you client side iptables (firewall, NAT, ...)

5) Check if you server is able to convert client IP address to hostname.

- check DNS or /etc/hosts

6) Check your ~/.rhosts

- the best file permissions are "-rw-------"
- the client hostname must be full hostname, an example: foo.bar.com zakkr

7) Check your /etc/pam.d/rsh (or rlogin, ...)

- for example module "pam_nologin.so" can disable login if the file/etc/nologinexists. For more details read /usr/share/doc/pam-0.77/txts/README.pam_nologin

8) Never change /etc/pam.d/rsh to use somethimeg other than:

auth required pam_rhosts_auth.so The client-server "rsh" protocol is not designed for other authentication than by .rhost files. For example pam_stack.so in section "auth" can corrupt the client/server connection if the "login" program sends password prompt to client. If you need authentication by password use "rlogin" or "ssh".

II. Notes

1) "rsh" with and without <command> are not same commands

"/usr/bin/rsh <host>" = is same as "rlogin <host>". It means you need to enabled "rlogin" on server!
"/usr/bin/rsh <host> <command> = this is normal "rsh"

2) In the Red Hat distributions you can found kerberosized versions of "rsh" (or "rlogin", ...).

"rsh" without exact path can be interpreted as "/usr/kerberos/bin/rsh".

If you don't need the kerberized version it is better to use absolute path to rsh. You will save yourself the kerberos checking and an execution of the original "rsh" if the kerberos auth fails.

III. Limits

1) The number of privileged ports is limited.The rsh (or rlogin, rcp, ...) uses privileged ports 512-1023. If all ports are used there is no space for a new connection. To check your server's ports status do:

netstat -n --inet

2) TCP/IP connections doesn't end instantly but uses the TIME_WAIT state.The timeout of this state is cca 60s. It's possible that all your reserved ports are in TIME_WAIT state if you use connect and disconnect to server very very often.

IV. Troubleshooting

1) Check /var/log/messages. You can found there a lot of interesing information.

2) Your friend is "strace" program.

a) client: strace -f -o rsh-client.strace /usr/bin/rsh <host> <command> Don't forget to user the "-f: option, it's important.

b) server:

- create shell script "/root/rsh-strace.sh"

#!/bin/bash /usr/bin/strace -f -o /tmp/rsh-server.trace /usr/sbin/in.rshd - change your /etc/xinetd.d/rsh service shell { socket_type = stream wait = no user = root log_on_success += USERID log_on_failure += USERID server = /root/rsh-strace.sh #/usr/sbin/in.rshd disable = no } The " server " option should be the path to the strace script.

- restart xinetd daemon

3) Reports bugs tohttp://bugzilla.redhat.com
It is a good idea to append the strace output to your bug report.