Getting RSH on Linux to work like RSH on Solaris

If you’ve tried setting up rsh/rlogin based hacker challenges on Linux over the last few years you’ve probably noticed that Linux (I tried Redhat and Debian) doesn’t behave like Solaris.  This makes either for really bad hacker challenges, or for ones involving lots of Solaris boxes.

I finally found the answer recently so thought I’d post the answer incase it helps anyone else afflicted by this puzzle.

The Problem

If you set up a server (say 10.0.0.1) and create a user (ptm) with an insecure .rhosts file (“+ +”) you find that you can’t abuse this account as planned:

$ rsh -l ptm 10.0.0.1 id
Permission denied.
$ rlogin -l ptm 10.0.0.1
Password:

This is not how it works on Solaris, and it’s probably not what you want for your hacker challenge.  + is supposed to be a wild card.  The first + in the .rhosts file means any source IP can log in.  The second + means that any source username can log in.

You’ll find entries like the following in /var/log/auth.log:

Jan 11 20:17:47 debian pam_rhosts_auth[3423]: denied to foo@10.0.0.1 as ptm: access not allowed
Jan 11 20:17:47 debian in.rshd[3423]: rsh denied to foo@192.168.20.1 as ptm: Permission denied

There’s the clue, then.  PAM is unhappy and has denied our login attempt.

The Solution

I found this post by Nalin Dahyabhai who notes that you simply need to pass the”promiscuous” option to pam_rhosts_auth.so:

debian:/etc/pam.d# cat rsh
auth    required        pam_nologin.so
auth    required        pam_env.so
auth    required        pam_rhosts_auth.so promiscuous
account required        pam_unix_acct.so
session required        pam_unix_session.so

You should also do this for /etc/pam.d/rlogin.

RSH and RLogin will then work like Solaris, e.g. if user ptm has an entry like the following in ~/.rhosts:

+ +

The following commands now work:

$ rsh -l ptm 10.0.0.1 id
$ rlogin -l ptm 10.0.0.1

 

 

Tags: , , ,

Posted in Blog