Operating System - HP-UX

Lashin
Advisor

Disabling rlogin will affect service guard?

Hi,
I have a 2-node cluster running ServiceGuard A.11.16.00 on hpux11.23.

I need to disable rlogin on both nodes to fix a security vulnerability suggested by auditors.

I can see a .rhosts file present on both nodes that will accept rlogin for the root user from any node.
# cat .rhosts
+
#

There is no /etc/cmcluster/cmnodelist on both nodes.

Will it make any impact on Serviceguard if I disable rlogin?
Kannandgl_1
Frequent Advisor

Re: Disabling rlogin will affect service guard?

Dear ,


We had the same case: our security team requested that we disable rlogin and remote shell exe.. etc. Last week I did it, and it's not affecting anything. Before making changes, please take a backup of the /etc/cmcluster/package file.

Note: After I disabled the /etc/init.d services for rlogin.


Regards

Re: Disabling rlogin will affect service guard?


Just make sure that the DNS names of all the interfaces on both systems are listed in cmclnodelist.

So for example if you have 2 hosts called nodeA and nodeB, and they have additional interfaces called nodeA-hb, nodeB-hb (heartbeat LAN), and interfaces called nodeA-bu and nodeB-bu (backup LAN), then you would want the following in cmclnodelist:

nodeA root
nodeA-hb root
nodeA-bu root
nodeB root
nodeB-hb root
nodeB-bu root



HTH

Duncan

I am an HPE Employee
Lashin
Advisor

Re: Disabling rlogin will affect service guard?

Hi Duncan,

I don't have the /etc/cmcluster/cmnodelist file on both nodes.

Re: Disabling rlogin will affect service guard?

Just create it - it's only a text file.

HTH

Duncan

I am an HPE Employee
Lashin
Advisor

Re: Disabling rlogin will affect service guard?

Hi Duncan,

I understand that the /etc/cmcluster/cmnodelist or .rhosts file is used only when we apply a cluster configuration. A running cluster or packages do not read the /etc/cmcluster/cmnodelist or .rhosts file to log in to other cluster nodes... Please correct me if I am wrong.


Re: Disabling rlogin will affect service guard?

Yes IIRC that's the case, but I wouldn't want to be fiddling around creating it when I actually have changes to make. Better to put it in place now.

HTH

Duncan

I am an HPE Employee
Emil Velez
Honored Contributor

Re: Disabling rlogin will affect service guard?


Some of the Serviceguard commands will not work without a cmclnodelist.

Create it. It should not be a problem.
Bill Hassell
Honored Contributor

Re: Disabling rlogin will affect service guard?

>> # cat .rhosts
>> +

This is the worst possible content for root's .rhosts file on any system. It essentially says:

Trash my system, there is no security here!

If you need rlogin/remsh/rcp between two computers, put *only* those computer names and user login names in the .rhosts file. Putting + in there is the same as removing the password for root.


Bill Hassell, sysadmin
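
An audit sketch for the two files discussed in this thread: the wildcard `.rhosts` entry and the cmclnodelist listing of every node and interface name. It is an added example, not posted by any participant and not part of Serviceguard; the function names and all file contents are constructed, and it assumes the `host [user]` line format shown above.

```shell
#!/bin/sh
# Added example: audit r-services trust files. All file contents are constructed.

# Print each "host [user]" line that grants wildcard trust: a "+" in either
# field matches anything, so a lone "+" trusts every host and every user.
rhosts_wildcards() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $1 == "+" || $2 == "+" { printf "%s:%d: %s\n", FILENAME, FNR, $0 }
    ' "$@"
}

# Print each expected node/interface name with no "<name> root" line in a
# cmclnodelist-style file. Usage: cmclnodelist_missing FILE name...
cmclnodelist_missing() {
    file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '
            NF == 0 || $1 ~ /^#/ { next }
            $1 == n && $2 == "root" { found = 1 }
            END { exit !found }
        ' "$file" || echo "$name"
    done
}

# Demo on constructed files (mkdir rather than mktemp, whose options vary by OS).
umask 077
tmp=${TMPDIR:-/tmp}/trustaudit.$$
mkdir "$tmp" || exit 1
printf '+\n' > "$tmp/rhosts.bad"                      # the .rhosts from the thread
printf 'nodeA root\nnodeB root\n' > "$tmp/rhosts.ok"  # named hosts and users only
printf '%s root\n' nodeA nodeA-hb nodeB nodeB-hb nodeB-bu > "$tmp/cmclnodelist"

echo "wildcard entries:"
rhosts_wildcards "$tmp/rhosts.bad" "$tmp/rhosts.ok"
echo "missing from cmclnodelist:"
cmclnodelist_missing "$tmp/cmclnodelist" nodeA nodeA-hb nodeA-bu nodeB nodeB-hb nodeB-bu
rm -rf "$tmp"
```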