
NETWORK - RSH,RCP

(RLOGIN)/RSH:

"rsh hostname" (no command) talks to the rlogin daemon (port 513)
"rsh hostname command" talks to the rshd daemon (port 514)

rsh aix41 date
rsh aix41 -l root date  <--with another user
rsh aix41               <--same as rlogin aix41 (if this doesn't work, "rsh aix41 date" may still work, because the two forms talk to different daemons)

rlogin aix41 -l root

Two files are checked for rcp, rsh and rlogin (for the root user only the second one):

1. /etc/hosts.equiv (on the server)
2. $HOME/.rhosts (on the server of that user who wants to run the command)

(the docs say the permission should be 600, but for me it worked with 644)
(if group or other have write access to these files, the file is ignored)

If the /etc/hosts.equiv file does not exist on the remote system (or exists, but does not authorize the user), then the $HOME/.rhosts file is looked at for user authentication.


1. /etc/hosts.equiv
defines which client hosts' users are permitted to execute commands on the server without supplying a password.
entries can be like this:
aix11                <--authorizes any user from this client to run commands
aix31 oradba         <--only this user from this client allowed
-aix11               <--denies access from a host
aix41 -sapdba        <--denies access for a user


2. $HOME/.rhosts
defines a list of client users who are not required to supply a login password when they execute rcp, rlogin or rsh using a server user account.
(the host and user named in the .rhosts file in the user's home directory must exist with exactly the names we want to use for the login)

e.g.:
aix40.doman.com oradba
aix40.doman.com sapdba
aix40 oradba
aix40 sapdba
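To make the two authorization files concrete, here is an added audit script in POSIX sh (not from the original post): it parses hosts.equiv and .rhosts entries in the four forms shown above, applies the first-matching-entry rule and the "group/other writable means the file is ignored" rule, skips hosts.equiv for root, and reports whether a given client host and user would get in without a password. The sample files, the temp directory and the function names are constructed assumptions; bare host entries are treated the way the text describes them (any user from that host), which is a simplification of real rshd, so use it to review trust configuration rather than as an exact oracle.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Evaluates the
# hosts.equiv / .rhosts entry forms described above for a given client
# host and user. Sample data and paths are constructed assumptions.

# writable_by_group_or_other FILE -> 0 if group or other has write access
# (rshd ignores such a file, so its entries must not count)
writable_by_group_or_other() {
    wgo_mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r--r--
    [ "$(printf '%s' "$wgo_mode" | cut -c6)" = w ] ||
    [ "$(printf '%s' "$wgo_mode" | cut -c9)" = w ]
}

# scan_file FILE HOST USER -> prints allow, deny or none (first match wins)
#   host          any user from host          -host        host denied
#   host user     only that user from host    host -user   user denied
scan_file() {
    sf_file=$1; sf_host=$2; sf_user=$3
    [ -f "$sf_file" ] || { echo none; return; }
    if writable_by_group_or_other "$sf_file"; then echo none; return; fi
    while read -r sf_h sf_u sf_rest; do
        case "$sf_h" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$sf_h" in
            "-$sf_host") echo deny; return ;;
            "$sf_host")  ;;
            *) continue ;;
        esac
        case "$sf_u" in
            "-$sf_user")   echo deny; return ;;
            ''|"$sf_user") echo allow; return ;;
        esac
    done < "$sf_file"
    echo none
}

# rsh_authorized HOST USER LOCALUSER HOMEDIR EQUIVFILE
# -> 0 when HOST/USER may act as LOCALUSER without a password.
# hosts.equiv is consulted first (never for root); if it does not grant
# access, the .rhosts file in the target account's home is consulted.
rsh_authorized() {
    ra_host=$1; ra_user=$2; ra_local=$3; ra_home=$4; ra_equiv=$5
    if [ "$ra_local" != root ] &&
       [ "$(scan_file "$ra_equiv" "$ra_host" "$ra_user")" = allow ]; then
        return 0
    fi
    [ "$(scan_file "$ra_home/.rhosts" "$ra_host" "$ra_user")" = allow ]
}

# setup_demo -> creates constructed sample files in a temp dir and prints it
setup_demo() {
    sd_dir=$(mktemp -d)
    printf '%s\n' 'aix31 oradba' '-aix11' 'aix41 -sapdba' 'aix41' \
        > "$sd_dir/hosts.equiv"
    chmod 644 "$sd_dir/hosts.equiv"
    mkdir -p "$sd_dir/home/oradba" "$sd_dir/home/root"
    printf '%s\n' 'aix40.doman.com oradba' 'aix40 sapdba' \
        > "$sd_dir/home/oradba/.rhosts"
    chmod 600 "$sd_dir/home/oradba/.rhosts"
    printf '%s\n' 'aix40 root' > "$sd_dir/home/root/.rhosts"
    chmod 664 "$sd_dir/home/root/.rhosts"   # group-writable: must be ignored
    echo "$sd_dir"
}

# Usage on a real system (real paths there):
#   rsh_authorized aix40.doman.com oradba oradba /home/oradba /etc/hosts.equiv \
#       && echo "no password needed" || echo "password or refusal"
```

Running it against the constructed data shows the two rules that bite in practice: sapdba from aix41 is refused even though a bare "aix41" line follows, because the "-sapdba" entry matches first, and root's .rhosts grants nothing at all until its mode is tightened to 600.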

These can be checked as well:
1. inetd.conf
    root@aix31: / # egrep 'shell|login' /etc/inetd.conf
    shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
    login   stream  tcp6    nowait  root    /usr/sbin/rlogind      rlogind

   rshd (shell) should be running (or rlogind (login) if we want rlogin):
    root@aix31: / # lssrc -ls inetd | egrep 'shell|login' (or lssrc -t shell ...)
     shell        /usr/sbin/rshd           rshd                     active
     login        /usr/sbin/rlogind        rlogind                  active

2. /etc/services (port or firewall)
    "rsh hostname" (no command) talks to the rlogin daemon (port 513)
    "rsh hostname command" talks to the rshd daemon (port 514)

     connection refused: the daemon is not running or it is a firewall issue

3. .rhosts file
    the host name should be in the correct format (probably the full FQDN is needed)
    (in syslog you can check under which name the connecting host shows up)
    group and other should not have write access (600 is recommended)

4. user issues
    password expired
    the remotelogin attribute is false for the user
    the user needs a login shell (ksh, bash ...)

5. /etc/hosts resolves the host name differently on the 2 nodes

6. /etc/hosts.allow - if it exists it can block the login (likewise /etc/hosts.deny)
    rshd : 50.20.100.48, aix01.doman.com : ALLOW

7. if it asks for a password:
    PAM has probably been set up:
    cat /etc/security/login.cfg -> it should be changed to this: auth_type = STD_AUTH
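For checklist points 1 and 2, here is an added helper in POSIX sh (not from the original post) that reads inetd.conf and /etc/services in the formats shown above and reports, for each of the two rsh invocation forms, which inetd service serves it, on which port, and whether the service line is enabled (uncommented). The sample files with rlogin commented out, the temp directory and the function names are constructed assumptions; on a real box you would point it at /etc/inetd.conf and /etc/services.

```shell
#!/bin/sh
# Added helper, not from the original post: parses inetd.conf and
# /etc/services in the formats shown above and reports, for each rsh
# invocation form, which daemon serves it, on which port, and whether
# inetd has it enabled. Sample files and the temp dir are constructed.

# inetd_enabled CONF SERVICE -> 0 if SERVICE has an uncommented line
# (a commented line starts with "#", so its first field never equals SERVICE)
inetd_enabled() {
    awk -v n="$2" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# service_port SERVICES NAME PROTO -> prints the port from a "NAME PORT/PROTO" line
service_port() {
    awk -v n="$2" -v p="$3" \
        '$1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; exit } }' "$1"
}

# inetd_service_for FORM -> inetd service name for an rsh invocation form
#   login   : "rsh host" with no command, handled by rlogind (port 513)
#   command : "rsh host command", handled by rshd (port 514)
inetd_service_for() {
    case "$1" in
        login)   echo login ;;
        command) echo shell ;;
        *) echo "unknown form: $1" >&2; return 1 ;;
    esac
}

# check_form CONF SERVICES FORM -> prints "<service> <port> <state>",
# returns 0 only when the daemon is enabled in inetd.conf
check_form() {
    ck_svc=$(inetd_service_for "$3") || return 1
    ck_port=$(service_port "$2" "$ck_svc" tcp)
    if inetd_enabled "$1" "$ck_svc"; then
        echo "$ck_svc ${ck_port:-unknown} enabled"
    else
        echo "$ck_svc ${ck_port:-unknown} disabled"
        return 1
    fi
}

# setup_demo -> constructed sample config in a temp dir (rlogin commented out)
setup_demo() {
    sd_dir=$(mktemp -d)
    printf '%s\n' \
        'shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd' \
        '#login  stream  tcp6    nowait  root    /usr/sbin/rlogind      rlogind' \
        > "$sd_dir/inetd.conf"
    printf '%s\n' 'login 513/tcp' 'shell 514/tcp' 'shell 514/udp' \
        > "$sd_dir/services"
    echo "$sd_dir"
}

# On a real system:
#   check_form /etc/inetd.conf /etc/services command   # rsh host cmd -> rshd
#   check_form /etc/inetd.conf /etc/services login     # rsh host     -> rlogind
```

With the sample config, "rsh host command" resolves to shell/514 enabled while "rsh host" resolves to login/513 disabled, which is exactly the situation point (RLOGIN)/RSH above warns about: one form works and the other does not because they depend on different daemons.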

---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------

RCP:

rcp filea aix41:fileb
rcp filea root@aix41:/home/fileb
rcp -p -r aix11:dir aix41:dir        (-p preserves modification times and modes, -r recursively)

4 comments:

Anonymous said...

Hi belaz,
I keep getting "rshd: permission denied" when I am trying to run the mksysb on the NIM server for a client. I can access the NIM server from the client to install something, I just can't access it from the NIM. Is it because the NIM server and client have different domain names? The NIM server host name is nim.xxx.com and the client host name is client.yyy.com. I have checked everything: the .rhosts file is right, /etc/hosts; /etc/netsvc.conf is set to look at /etc/hosts. Anyone have any idea????

aix said...

Hi, I would suggest checking all 7 points above... and trying to separate the problem somehow: is it network related (port is listening, firewall is ok...), or is it rsh related (daemon is running, config files are ok...) or user related (password expired, remote login attribute, pam config...)... if still nothing, then you can open an IBM call.

Unknown said...

Hi, we have 2 AIX systems, 6.1 and v5.3.
There are a few support users who copy files from v6.1 to v5.3 using "rcp" and are able to run "rlogin".

But all remote access is blocked in /etc/hosts.equiv and no .rhosts exists on v5.3.
These users have the "security" group. Is this enough to allow this remote access?
Can you point me to where this is documented? I'm looking for it and have found nothing so far.