Debugging rsh, rcp, rlogin and rdist Permission Denied Problems
How can you debug problems occurring when attempting various remote commands, i.e., rsh, rcp, rexec, rlogin and rdist?
Here is an example, using rcp, of an error that often shows up with the remote commands.
rcp 0826-813 - permission denied
--------------------------------------------------------------------------------
Setup and debug procedure
Setup for the use of these commands requires setting up a .rhosts file or a hosts.equiv file. Remote commands include: rsh, rcp, rlogin, and rdist.
Two key points for making this work are: 1) verifying permissions and content of relevant files, and 2) verifying forward and reverse name resolution between the two systems. The two files that can be used are the $HOME/.rhosts or the /etc/hosts.equiv. The permissions should be 600.
The contents include the hostname of the machine you are coming from and the username you are logging in as. Check out the man page for additional information on formats for these files. The files should reside on the server in the remote command operation.
To check forward/reverse name resolution, use the host command. Check by the hostname and IP address. See the example below:
Example
You want to rsh from fozzie to bert and run the date command as root.
On fozzie:
# rsh bert date
#rshd: 0826-813 Permission is denied.
On bert:
(Check the contents of the r command file)
# cat /.rhosts |grep fozzie
#fozzie root
(that's correct, has hostname of client and username coming in as)
# ls -l /.rhosts
# -rw------- (600 for permissions, which is correct)
# cat /etc/netsvc.conf
# hosts=local,bind4
(Tells us resolution will check local /etc/hosts then go out to DNS).
# cat /etc/hosts |grep fozzie
# not found (So bert will resolve fozzie via DNS)
# host fozzie
#fozzie.test.com is 10.1.4.18
# host 10.1.4.18
#fozzie.test.com is 10.1.4.18
The name bert resolves for fozzie (fozzie.test.com) does not match the entry in the .rhosts file (fozzie). To correct this, either add the short name for fozzie (i.e., the hostname without the domain name) to /etc/hosts, OR put the long name for fozzie in the .rhosts file. To be consistent with /etc/netsvc.conf, edit /etc/hosts:
# vi /etc/hosts
added in: 10.1.4.18 fozzie
The following is displayed:
# host fozzie
fozzie is 10.1.4.18
# host 10.1.4.18
fozzie is 10.1.4.18
Now back on fozzie:
# rsh bert date
#Tue May 21 10:16:39 CDT 2004
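The checks walked through above (file mode, then the .rhosts entry compared with the name the server resolves for the client) can be scripted. This is an added example, not part of the original page; the function name diagnose_rhosts and its result strings are hypothetical, it only considers "host user" lines, and the resolved name is passed in as an argument (on bert it would come from the host command).

```sh
#!/bin/sh
# Added example, not part of the original page.
# diagnose_rhosts FILE RESOLVED_NAME USER
#   FILE           .rhosts or hosts.equiv on the server (bert)
#   RESOLVED_NAME  what "host <client-ip>" prints on the server for the client
#   USER           the user name the client is coming in as
# Prints one of: ok | bad-perms | name-mismatch | no-entry

is_ip() { case $1 in *[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

diagnose_rhosts() {
    file=$1; resolved=$2; user=$3
    # The page requires mode 600; read the mode string the same way it does (ls -l).
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then echo bad-perms; return 1; fi
    result=no-entry
    while read -r host ruser rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        [ "$ruser" = "$user" ] || continue
        if [ "$host" = "$resolved" ]; then result=ok; break; fi
        # Same machine listed under its short name but resolved under its
        # long name (or the reverse): the fozzie / fozzie.test.com case.
        if ! is_ip "$host" && ! is_ip "$resolved" &&
           [ "${host%%.*}" = "${resolved%%.*}" ]; then
            result=name-mismatch
        fi
    done < "$file"
    echo "$result"
    [ "$result" = ok ]
}

# Constructed sample input mirroring the page: bert's /.rhosts lists "fozzie root".
sample=$(mktemp)
chmod 600 "$sample"
printf 'fozzie root\n' > "$sample"
echo "resolved via DNS as fozzie.test.com: $(diagnose_rhosts "$sample" fozzie.test.com root)"
echo "resolved via /etc/hosts as fozzie:   $(diagnose_rhosts "$sample" fozzie root)"
echo "seen only as 10.1.4.18:              $(diagnose_rhosts "$sample" 10.1.4.18 root)"
rm -f "$sample"
```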
--------------------------------------------------------------------------------
Debugging using the "who am i" command
Another way to debug name resolution issues with the remote commands is to use the who am i command.
Example
telnet or rlogin from fozzie to bert (source to target) and run the command, "who am i":
#who am i
#root pts/0 Sep 21 10:18 (10.1.4.18)
This shows I am root and I came from IP address 10.1.4.18, which is how bert is resolving fozzie: not by name but by IP address. To run the remote commands from fozzie to bert, the .rhosts file on bert must specify how bert sees fozzie, which in this example is by IP address 10.1.4.18. Therefore the .rhosts file should contain:
10.1.4.18 root
--------------------------------------------------------------------------------
Other debugging tips
Other items to check for debugging various problems with remote commands:
Check authentication:
# lsauthent --> krb5 standard AIX
may need to change to std
# lsauthent --> blank... change to std
# chauthent -std
# lsauthent --> Standard AIX
Check permissions on various commands.
# ls -al /usr/bin/rsh
#-r-sr-xr-x 2 root system 303506 Feb 10 14:11 /usr/bin/rsh
#ls -l /usr/sbin/rshd
#-r-sr-xr-- 1 root system 24556 Feb 10 14:12 /usr/sbin/rshd
#ls -l /usr/bin/rcp
#-r-sr-xr-x 1 root system 319972 Apr 08 2001 /usr/bin/rcp
#ls -al /usr/bin/rlogin
#-r-sr-xr-x 1 root bin 306328 Apr 10 2002 /usr/bin/rlogin
# ls -al /usr/sbin/rlogind
#-r-sr-xr-- 1 root system 33864 Jul 17 2002 /usr/sbin/rlogind
All should be 4555 (-r-sr-xr-x) except rshd and rlogind, which are 4554 (-r-sr-xr--).