
11.31 can't remsh as NIS user

 
Steven Buschman_3
Frequent Advisor

11.31 can't remsh as NIS user

I've been stumped on this, and seen many ITRC posts but none have been the answer.
I need to remsh to issue commands into an 11.31 system (I understand it's insecure, etc., but I need remote shell). rsh from other platforms and remsh HPUX work as root but fail as other NIS defined users. No other NIS problems, and this problem is not on older HPUX. 11.31 was installed in an insecure config, obviously since telnet and rsh work for some people.
/.rhosts and /etc/hosts.equiv are "+ +" (originally just "+") and permissions tested as 644,640,600.
All indications are this may be a PAM/Kerberos issue, and I added the following 7 lines to pam.conf (rest of pam.conf unchanged):
# tail -7 /etc/pam.conf
# Added the following per HP doc B2355-91061
# to allow remsh for NIS accounts
rcomds auth required /usr/lib/security/libpam_unix.1
rcomds account required /usr/lib/security/libpam_unix.1
#
rcomds auth required /usr/lib/security/libpam_dce.1
# End of remsh/rsh and NIS modification

I read pages near 238 of
http://docs.hp.com/en/B2355-91020/B2355-91020.pdf
and see that "shell" is using standard port 514, insecure so I feel that's correct.
All other NIS items function well (telnet, automounting home, etc).

Thoughts? Additional questions?
Thanks in advance,
Steven
TTr
Honored Contributor

Re: 11.31 can't remsh as NIS user

Does remsh to the 11.31 server work for non root local users?

Any errors in the syslog.log on the 11.31 server from remshd?

Any errors on the remsh client?

What does the inetd.conf line look like for remshd? Did you try turning off kerberos? Did you try turning off tcp6?

So if you telnet to the 11.31 server and login as an nis user does it succeed?
Steven Buschman_3
Frequent Advisor

Re: 11.31 can't remsh as NIS user

Great questions.... here are the answers.
Since all non-root users allowed to login are in NIS, I manually added a user "junk" on this system and my test client and that also failed.

Syslog error:
remshd[10993]: load_modules: can not open module /usr/lib/security/libpam_unix.so.1
remshd[10993]: PAM Status - 1, PAM Error Message - Shared object load failure
---
Link libpam_unix.so.1 does exist and points to libpam_unix.1

The remsh client gets the error:
remshd: Login incorrect

inetd.conf entries:
# grep remsh /etc/inetd.conf
shell stream tcp6 nowait root /usr/lbin/remshd remshd
#kshell stream tcp6 nowait root /usr/lbin/remshd remshd -K
kshell stream tcp6 nowait root /usr/lbin/remshd remshd

I am unsure how to turn off kerberos.
I did try the following:
remsh SERVER ls -P
as an NIS user, and it had the same error.
I've also read the 'sis' man page but still unsure how to disable kerberos.

I haven't considered tcp6, but other services with tcp6 in inetd.conf (like telnet) work fine.

telnet works fine for NIS and root.
Thanks!
Steven
DCh_2
New Member

Re: 11.31 can't remsh as NIS user

It looks like you are running trusted mode in 11.31 because the /etc/pam.conf is used. You need to allow remsh in pam.conf just like the other services are in there.
Try adding the two "rcomds" lines in /etc/pam.conf as in the bottom of
http://docs.hp.com/en/B2355-90827/ch05s02.html
You can add them together at the bottom of the file or add the "auth" line in the authentication section and the "account" line in the account management section.
I don't think you need to do anything with kerberos.
Steven Buschman_3
Frequent Advisor

Re: 11.31 can't remsh as NIS user

The additional lines didn't seem to help (and I rebooted just to make sure).
# grep rcomds /etc/pam.conf
rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_unix.so.1
rcomds account required libpam_hpsec.so.1
rcomds account required libpam_unix.so.1
rcomds session required libpam_hpsec.so.1 bypass_limit_login
rcomds session required libpam_unix.so.1
rcomds auth required /usr/lib/security/libpam_unix.1
rcomds account required /usr/lib/security/libpam_unix.1
#rcomds auth required /usr/lib/security/libpam_unix.so.1
#rcomds account required /usr/lib/security/libpam_unix.so.1
####rcomds auth required /usr/lib/security/libpam_dce.1

Other thoughts ??? Did I understand the right lines needed?
Thanks, Steven
TTr
Honored Contributor
Solution

Re: 11.31 can't remsh as NIS user

Try with only the first 6 lines in the pam.conf

rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_unix.so.1
rcomds account required libpam_hpsec.so.1
rcomds account required libpam_unix.so.1
rcomds session required libpam_hpsec.so.1 bypass_limit_login
rcomds session required libpam_unix.so.1

What is in the syslog.log now that you added these lines?
Steven Buschman_3
Frequent Advisor

Re: 11.31 can't remsh as NIS user

Bingo !!!!! That did it.
I added those 6 lines, and commented all the other rcomds lines in the file, and I'm set.
Thanks SO much TTr !
Steven
Steven Buschman_3
Frequent Advisor

Re: 11.31 can't remsh as NIS user

Closing thread, adding the 6 lines *and* commenting all other rcomds lines fixed it.
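
The fix in this thread depended on two things at once: the six rcomds entries being present and every other rcomds entry being commented out. The following check is an added example, not code from the thread or from HP; the function names are hypothetical and the sample input is constructed from the grep output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit the active rcomds entries in a
# pam.conf-style file against the six lines given in the accepted answer.
EXPECTED='rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_unix.so.1
rcomds account required libpam_hpsec.so.1
rcomds account required libpam_unix.so.1
rcomds session required libpam_hpsec.so.1 bypass_limit_login
rcomds session required libpam_unix.so.1'

# Print uncommented rcomds entries with whitespace collapsed to single spaces.
# Reads the named file, or standard input when no file is given.
active_rcomds() {
    awk '$1 == "rcomds" { $1 = $1; print }' "$@"
}

# Report EXTRA, DUPLICATE and MISSING entries; exit status 1 if any are found.
audit_rcomds() {
    active_rcomds "$@" | EXPECTED="$EXPECTED" awk '
        BEGIN { n = split(ENVIRON["EXPECTED"], e, "\n")
                for (i = 1; i <= n; i++) want[e[i]] = 1 }
        !($0 in want) { print "EXTRA: " $0; bad = 1; next }
        seen[$0]++    { print "DUPLICATE: " $0; bad = 1 }
        END { for (i = 1; i <= n; i++)
                  if (!(e[i] in seen)) { print "MISSING: " e[i]; bad = 1 }
              exit bad + 0 }'
}

# Constructed sample: the rcomds lines as they stood before the fix
# (six expected entries plus two active leftovers and one commented line).
sample_failing() {
    printf '%s\n' "$EXPECTED" \
        'rcomds auth required /usr/lib/security/libpam_unix.1' \
        'rcomds account required /usr/lib/security/libpam_unix.1' \
        '#rcomds auth required /usr/lib/security/libpam_unix.so.1'
}

# Usage: sh audit_rcomds.sh /etc/pam.conf   (no argument: run on the sample)
if [ "$#" -gt 0 ]; then
    audit_rcomds "$1"
else
    sample_failing | audit_rcomds || :
fi
```

On the sample it reports the two leftover `/usr/lib/security/libpam_unix.1` entries as EXTRA and ignores the commented line.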