Rlogin without password

Martin Siegert siegert at sfu.ca
Mon Dec 30 14:56:14 EST 2002


On Mon, Dec 30, 2002 at 10:40:17AM -0800, Trent Piepho wrote:
> On Mon, 30 Dec 2002, Frank Summers wrote:
> > 1) Add rsh and rlogin to the file /etc/securetty. Just add two lines to
> > the end of the file with "rsh" on one and "rlogin" on the other.
> 
> According to the securetty(5) and login(1) man pages, you're just supposed to
> list tty devices from /dev, there's nothing about "rsh" or "rlogin" being
> valid.  I added ttyp[0-5], which is somewhat sub-optimal since root won't be
> allowed to login if the first six pseudo-ttys are already in use, though in
> practice that hasn't been a problem.  Do you know where you found out about
> adding "rsh" as a tty?  That sounds like a much better way to do it if it
> really works.

From /etc/pam.d/rsh on a RH 7.3 box:

#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_rhosts_auth.so
...

Thus, the "rsh" string in /etc/securetty is only required for allowing
root rsh access. For all other users it is sufficient to 
1) set up /etc/hosts.equiv
2) change the pam_rhosts_auth line in /etc/pam.d/rsh to
auth       sufficient   /lib/security/pam_rhosts_auth.so
3) enable rsh in /etc/xinetd.d/rsh
4) allow your private cluster network through the firewall, e.g.,
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
in /etc/sysconfig/ipchains assuming that eth1 is the interface to
the private network of the cluster nodes.

For root to succeed you can either add "rsh" to /etc/securetty
(which is what I do, but only on the nodes on the private network,
not on the main node that has an interface to the world) or remove
the pam_securetty.so line in /etc/pam.d/rsh.

Martin

========================================================================
Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert at sfu.ca
Canada  V5A 1S6
========================================================================
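
Added example, not part of the original message: a small Python check that reads the two files discussed above and reports whether host-based (rhosts) trust is enabled for rsh and whether root is covered by it. The function names and the sample file contents are constructed for illustration, and only simple control keywords (required, requisite, sufficient, optional) are handled.

```python
# Added example: audit whether the PAM "rsh" service allows password-less logins.
# Sample file contents below are constructed; on a real node read
# /etc/pam.d/rsh and /etc/securetty instead.

SAMPLE_PAM = """\
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
"""
SAMPLE_SECURETTY = "tty1\ntty2\nrsh\n"


def parse_pam(text):
    """Return (type, control, module file name) for each rule line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules


def securetty_entries(text):
    """Return the non-comment entries of an /etc/securetty file."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}


def audit_rsh(pam_text, securetty_text, service="rsh"):
    """Report host-based trust and whether root gets it too."""
    auth = {mod: ctl for typ, ctl, mod in parse_pam(pam_text) if typ == "auth"}
    rhosts = auth.get("pam_rhosts_auth.so")  # None: no .rhosts/hosts.equiv trust
    # pam_securetty only restricts root, and only when it can fail the stack.
    gate = auth.get("pam_securetty.so") in ("required", "requisite")
    root_ok = rhosts is not None and (
        not gate or service in securetty_entries(securetty_text))
    return {"rhosts_trust": rhosts, "root_passwordless": root_ok}


if __name__ == "__main__":
    print(audit_rsh(SAMPLE_PAM, SAMPLE_SECURETTY))
```

Run against each node, this makes it easy to confirm that root rsh is open only on the private-network nodes and not on the node with an interface to the world.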
