Getting RSH on Linux to work like RSH on Solaris

If you’ve tried setting up rsh/rlogin-based hacker challenges on Linux over the last few years you’ve probably noticed that Linux (I tried Redhat and Debian) doesn’t behave like Solaris. This makes for either really bad hacker challenges or ones involving lots of Solaris boxes.

I finally found the answer recently, so I thought I’d post it in case it helps anyone else afflicted by this puzzle.

The Problem

If you set up a server (say and create a user (ptm) with an insecure .rhosts file (“+ +”) you find that you can’t abuse this account as planned:

$ rsh -l ptm id
Permission denied.
$ rlogin -l ptm

This is not how it works on Solaris, and it’s probably not what you want for your hacker challenge. + is supposed to be a wildcard. The first + in the .rhosts file means any source IP can log in. The second + means that any source username can log in.

You’ll find entries like the following in /var/log/auth.log:

Jan 11 20:17:47 debian pam_rhosts_auth[3423]: denied to foo@ as ptm: access not allowed
Jan 11 20:17:47 debian in.rshd[3423]: rsh denied to foo@ as ptm: Permission denied

There’s the clue, then.  PAM is unhappy and has denied our login attempt.

The Solution

I found this post by Nalin Dahyabhai who notes that you simply need to pass the “promiscuous” option to

debian:/etc/pam.d# cat rsh
auth    required
auth    required
auth    required promiscuous
account required
session required

You should also do this for /etc/pam.d/rlogin.

RSH and RLogin will then work like Solaris, e.g. if user ptm has an entry like the following in ~/.rhosts:

+ +

The following commands now work:

$ rsh -l ptm id
$ rlogin -l ptm
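To confirm that a lab box really carries both settings described above (the `+` wildcards in `.rhosts` and the `promiscuous` PAM option), or that a production host carries neither, the following audit sketch can be run over the file contents. It is an added example, not code from the original post; the function names and both sample inputs are constructed, the module name in the sample is the one that appears in the auth.log lines above, and treating `#` lines as comments is an assumption.

```python
import re

# Constructed sample inputs (not taken from the post).
SAMPLE_RHOSTS = """\
# lab account
trusted.example.com alice
+ +
+ bob
backup.example.com +
+@admins carol
"""

SAMPLE_PAM = """\
# /etc/pam.d/rsh (constructed)
auth    required    pam_rhosts_auth.so promiscuous
#auth   required    pam_rhosts_auth.so promiscuous
account required    pam_unix.so
auth    [success=1 default=ignore] pam_rhosts_auth.so promiscuous
"""

def rhosts_wildcards(text):
    """Return (line_no, host, user) for entries using a bare '+' wildcard."""
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        # Assumption: blank lines and lines starting with '#' are ignored.
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        # '+@netgroup' is a netgroup reference, not the bare wildcard.
        if host == "+" or user == "+":
            found.append((n, host, user))
    return found

def pam_promiscuous(text):
    """Return (line_no, module) for auth lines passing 'promiscuous'."""
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        # Collapse a bracketed control field into a single token.
        fields = re.sub(r"\[[^\]]*\]", "CONTROL", line).split()
        if (len(fields) >= 4 and fields[0].lstrip("-") == "auth"
                and "promiscuous" in fields[3:]):
            found.append((n, fields[2]))
    return found

if __name__ == "__main__":
    for hit in rhosts_wildcards(SAMPLE_RHOSTS):
        print("rhosts wildcard:", hit)
    for hit in pam_promiscuous(SAMPLE_PAM):
        print("pam promiscuous:", hit)
```

A host where both functions return findings for the same service will accept rsh/rlogin from any source, so outside a deliberately vulnerable lab either result is worth investigating.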


