topic Re: ignite without rexec in Operating System - HP-UX

ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 12:20:40 GMT

Was anyone able to get "Ignite UX" to work without rexec?

Re: ignite without rexec

Pete Randall — Tue, 30 Sep 2003 12:22:25 GMT

Donny,

I assume you're referring to make_net_recovery. Make_tape_recovery seems to work just fine.

Pete

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 12:33:01 GMT

nope. not even there yet. trying to add a client to our ignite server, so I can push out the new Ignite client software.

#rexec is commented out in /etc/inetd.conf

Re: ignite without rexec

Pete Randall — Tue, 30 Sep 2003 12:36:40 GMT

Donny,

Maybe SEP will pipe in here. He does a lot with Ignite and I know he abhors the "r" commands.

Pete

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 12:42:02 GMT

Pete thanks, I read some of SEP's threads yes maybe he can help.

Re: ignite without rexec

Alzhy — Tue, 30 Sep 2003 12:47:28 GMT

If Ignite's compnents are configurable.. perhaps it can use SSH to do its thing?...

Re: ignite without rexec

Pete Randall — Tue, 30 Sep 2003 12:48:06 GMT

Donny,

I sent him an e-mail. He's been quiet the last couple of hours but I'm sure he'll jump in when he can.

Pete

Re: ignite without rexec

Steven E. Protter — Tue, 30 Sep 2003 12:54:24 GMT

Hi,

I was doing some yucky work. Budgets are due today at 5 p.m. Plus trying to spend last years money.

To my knowledge, and I've had a few support calls with HP on this, the Berkley protocols, including rexec are required to run an Ignite/UX server.

I have contacted HP and said that its an important Ignite enhancement to integrate this product with ssh.

How I handle this obvious security problem is as follows:

The Ignite Server has the protocols enabled in inetd.conf. It has no .rhosts file and it has an /etc/hosts.equiv file authorizing Ignite clients by IP address.

This enables make_net_recovery jobs to be run out of cron by my two production servers to the Ignite Server.

Those two servers, Ignite clients have the Berkley r-protocols commented out in inetd.conf. When I need to do DR or push a new image out to those servers, I uncomment the entries save the file and run ientd -c

This is still a problem, I'd rather not run this way. I read the docs on Ignite 4.3 and see no indication that ssh is supported.

SEP

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 12:58:04 GMT

yuck! Thanks guys.

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 13:01:09 GMT

quick refresher.

inetd -c does not drop existing connections, or does it?

Re: ignite without rexec

Steven E. Protter — Tue, 30 Sep 2003 13:03:52 GMT

No, existing connections will stay open.

inetd -k will stop new connections, not disrupt existing ones.

SEP

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 13:05:09 GMT

yet another work around.

Okay thank you.
peace
Donny

Re: ignite without rexec

Jeff Schussele — Tue, 30 Sep 2003 13:10:23 GMT

Hi Guys,

Here we set up /var/adm/inetd.sec to allow access ONLY from the Ignite server(s).
Corp Security has blessed this, but like us, would rather disable r commands altogether.

Rgds,
Jeff

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 13:12:31 GMT

Jeff,

this sounds like a great idea. send more info please.

Thanks Donny

Re: ignite without rexec

Steven E. Protter — Tue, 30 Sep 2003 13:18:08 GMT

Here is an ientd.sec example.

ftp allow 10.1.* 10.1.11.* prod tzfat hebron
tftp allow 192.168.* 10.1.* jufprod jufdev hebron moriah
login allow 10.1.* 10.85.* 10.1.31.* 10.4* jufprod hebron moriah jufdev
telnet allow 10.1.* 10.85.* 10.1.31.* 10.4* prod hebron moriah

There are few limits on what you can do with this file, it can be very precise and limit the chance that outsiders will get in.

SEP

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 13:25:14 GMT

does this mean i can add one entry for my ignite server - say

/var/adm/inetd.sec

rexec allow

how does inetd knows to run rexec if it is commented out in inetd.conf?

Re: ignite without rexec

Steven E. Protter — Tue, 30 Sep 2003 13:33:52 GMT

Donny,

There comes a time when you need to try it.

Now may be the time. I tried it and it was accepted when I ran inetd.sec

Also note, you can limit the NFS access that Ignite ALSO requires with /etc/exports.

Here is mine.

/images -anon=2,access=jufprod,access=hebron,access=tzfat

Note the access limits based on hostnames.

NFS is a problem because it transmits disk information unencrypted.

SEP

Re: ignite without rexec

Steven E. Protter — Tue, 30 Sep 2003 14:25:54 GMT

I emailed Berlene Herren on this issue. Seems she read the the thread and she answered as follows(forgive the paraphrase).

There is an enhancement request to the labs for Ignite to work with ssh.

She added our organization to the list of organizations that wants this feature.

In my opinion, the way to make this happen is for customers such as you Donny, to contact HP and make their wishes known.

I imagine based on my Ignite experience its a rather involved upgrade.

SEP

Re: ignite without rexec

Jeff Schussele — Tue, 30 Sep 2003 14:34:38 GMT

Hi Donny,

Sorry for the delayed reply - have been quite busy today.

Anyway as SEP noted you need

tftp deny
tftp allow ignite_server_ip
login deny
login allow ignite_server_ip
exec deny
exec allow ignite_server_ip

on the Ignite client as well as the Ignite server. First entry denies ALL while the second explicitly allows all servers/IPs listed. You don't need to bounce inetd as the .sec file is read at every connection attempt.

HTH,
Jeff

Re: ignite without rexec

Donny Jekels — Tue, 30 Sep 2003 15:01:56 GMT

Sure thing, I can send emails and requests to HP, if I only knew where to send it with our next SD order :-(