
Re: ignite without rexec

Donny Jekels
Respected Contributor

ignite without rexec

Was anyone able to get "Ignite UX" to work without rexec?
"Vision, is the art of seeing the invisible"
21 REPLIES 21
Pete Randall
Outstanding Contributor

Re: ignite without rexec

Donny,

I assume you're referring to make_net_recovery; make_tape_recovery seems to work just fine.


Pete
Donny Jekels
Respected Contributor

Re: ignite without rexec

Nope. Not even there yet. Trying to add a client to our Ignite server, so I can push out the new Ignite client software.

#rexec is commented out in /etc/inetd.conf
Pete Randall
Outstanding Contributor

Re: ignite without rexec

Donny,

Maybe SEP will pipe in here. He does a lot with Ignite and I know he abhors the "r" commands.


Pete
Donny Jekels
Respected Contributor

Re: ignite without rexec

Pete thanks, I read some of SEP's threads yes maybe he can help.
Alzhy
Honored Contributor

Re: ignite without rexec

If Ignite's components are configurable... perhaps it can use SSH to do its thing?
Hakuna Matata.
Pete Randall
Outstanding Contributor

Re: ignite without rexec

Donny,

I sent him an e-mail. He's been quiet the last couple of hours but I'm sure he'll jump in when he can.


Pete
Steven E. Protter
Exalted Contributor
Solution

Re: ignite without rexec

Hi,

I was doing some yucky work. Budgets are due today at 5 p.m. Plus trying to spend last years money.

To my knowledge, and I've had a few support calls with HP on this, the Berkeley protocols, including rexec, are required to run an Ignite/UX server.

I have contacted HP and said that it's an important Ignite enhancement to integrate this product with ssh.

How I handle this obvious security problem is as follows:

The Ignite Server has the protocols enabled in inetd.conf. It has no .rhosts file and it has an /etc/hosts.equiv file authorizing Ignite clients by IP address.

This enables make_net_recovery jobs to be run out of cron by my two production servers to the Ignite Server.

Those two servers, the Ignite clients, have the Berkeley r-protocols commented out in inetd.conf. When I need to do DR or push a new image out to those servers, I uncomment the entries, save the file and run inetd -c.

This is still a problem, I'd rather not run this way. I read the docs on Ignite 4.3 and see no indication that ssh is supported.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Donny Jekels
Respected Contributor

Re: ignite without rexec

yuck! Thanks guys.
Donny Jekels
Respected Contributor

Re: ignite without rexec

Quick refresher.

inetd -c does not drop existing connections, or does it?
Steven E. Protter
Exalted Contributor

Re: ignite without rexec

No, existing connections will stay open.

inetd -k will stop new connections, not disrupt existing ones.


SEP
Donny Jekels
Respected Contributor

Re: ignite without rexec

Yet another workaround.

Okay thank you.
peace
Donny
Jeff Schussele
Honored Contributor

Re: ignite without rexec

Hi Guys,

Here we set up /var/adm/inetd.sec to allow access ONLY from the Ignite server(s).
Corp Security has blessed this, but like us, would rather disable r commands altogether.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Donny Jekels
Respected Contributor

Re: ignite without rexec

Jeff,

this sounds like a great idea. send more info please.

Thanks Donny
Steven E. Protter
Exalted Contributor

Re: ignite without rexec

Here is an inetd.sec example.

ftp allow 10.1.* 10.1.11.* prod tzfat hebron
tftp allow 192.168.* 10.1.* jufprod jufdev hebron moriah
login allow 10.1.* 10.85.* 10.1.31.* 10.4* jufprod hebron moriah jufdev
telnet allow 10.1.* 10.85.* 10.1.31.* 10.4* prod hebron moriah

There are few limits on what you can do with this file, it can be very precise and limit the chance that outsiders will get in.


SEP
Donny Jekels
Respected Contributor

Re: ignite without rexec

Does this mean I can add one entry for my Ignite server, say

/var/adm/inetd.sec

rexec allow

How does inetd know to run rexec if it is commented out in inetd.conf?
Steven E. Protter
Exalted Contributor

Re: ignite without rexec

Donny,


There comes a time when you need to try it.

Now may be the time. I tried it and it was accepted when I ran inetd.sec.

Also note, you can limit the NFS access that Ignite ALSO requires with /etc/exports.

Here is mine.

/images -anon=2,access=jufprod,access=hebron,access=tzfat

Note the access limits based on hostnames.

NFS is a problem because it transmits disk information unencrypted.

SEP
Steven E. Protter
Exalted Contributor

Re: ignite without rexec

I emailed Berlene Herren on this issue. Seems she read the thread and she answered as follows (forgive the paraphrase).

There is an enhancement request to the labs for Ignite to work with ssh.

She added our organization to the list of organizations that wants this feature.

In my opinion, the way to make this happen is for customers such as you Donny, to contact HP and make their wishes known.

I imagine, based on my Ignite experience, it's a rather involved upgrade.

SEP
Jeff Schussele
Honored Contributor

Re: ignite without rexec

Hi Donny,

Sorry for the delayed reply - have been quite busy today.

Anyway as SEP noted you need

tftp deny
tftp allow ignite_server_ip
login deny
login allow ignite_server_ip
exec deny
exec allow ignite_server_ip

on the Ignite client as well as the Ignite server. First entry denies ALL while the second explicitly allows all servers/IPs listed. You don't need to bounce inetd as the .sec file is read at every connection attempt.

HTH,
Jeff
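The configuration the thread converges on (r-services commented out in inetd.conf on the clients, /var/adm/inetd.sec pinning tftp/login/exec to the Ignite server, /etc/hosts.equiv listing clients by IP rather than a wildcard, and /etc/exports restricting the images share by host) is easy to get slightly wrong on one box out of many. The script below is an added example, not code from the thread or from HP: it writes constructed sample copies of those four files and audits them. The Ignite server address 10.1.1.5, the file contents, and the /images export are assumptions for the demo; the checks are plain string comparisons against the allow lists and do not re-implement how HP-UX inetd matches wildcards or resolves duplicate service lines (it only flags duplicates so you can verify them against the inetd.sec(4) man page).

```shell
#!/bin/sh
# Added example: audit an Ignite client's inetd.conf, inetd.sec, hosts.equiv
# and exports against the thread's recommendations. All files below are
# constructed samples written to a scratch directory; 10.1.1.5 is an assumed
# Ignite server address. The checks compare strings, they are not inetd.

WORK=${TMPDIR:-/tmp}/ignite-audit.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf excerpt: login and exec live, shell (remshd) commented out.
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd /opt/ignite
login   stream tcp nowait root /usr/lbin/rlogind rlogind
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
EOF

# Constructed inetd.sec: exec is wider than it should be (a 10.1.* wildcard),
# and tftp has the deny/allow pair from the thread, which the audit flags for review.
cat > "$WORK/inetd.sec" <<'EOF'
tftp  deny
tftp  allow 10.1.1.5
login allow 10.1.1.5
exec  allow 10.1.* 10.1.1.5
EOF

printf '10.1.1.5\n10.1.1.6\n' > "$WORK/hosts.equiv"      # server side, clients by IP
printf '+\n' > "$WORK/hosts.equiv.bad"                    # a lone "+" trusts every host
printf '/images -anon=2,access=jufprod,access=hebron\n' > "$WORK/exports"

# Service names with an active (non-comment) line in inetd.conf, one per line.
enabled_services() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Hosts on "service allow ..." lines in inetd.sec, space separated; empty if none.
sec_allowed_hosts() {
    awk -v svc="$2" '
        $0 !~ /^[ \t]*#/ && $1 == svc && $2 == "allow" {
            for (i = 3; i <= NF; i++) out = (out == "" ? $i : out " " $i)
        }
        END { print out }' "$1"
}

# How many non-comment lines name a service in inetd.sec (more than one needs a look).
sec_line_count() {
    awk -v svc="$2" '$0 !~ /^[ \t]*#/ && $1 == svc { n++ } END { print n + 0 }' "$1"
}

# Number of hosts.equiv lines that are just "+", i.e. trust everyone.
hosts_equiv_wildcards() {
    awk '/^[ \t]*[+][ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# Hosts named in access= options for an exported path, one per line.
exports_access_hosts() {
    awk -v p="$2" '$1 == p { n = split($2, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^access=/) print substr(o[i], 8) }' "$1"
}

# Returns 0 when every enabled Ignite-relevant service (tftp, login, shell, exec)
# is allowed from exactly the given server address, 1 otherwise. Prints findings.
audit_client() {
    conf=$1; sec=$2; server=$3; rc=0
    for svc in $(enabled_services "$conf"); do
        case $svc in tftp|login|shell|exec) ;; *) continue ;; esac
        hosts=$(sec_allowed_hosts "$sec" "$svc")
        if [ -z "$hosts" ]; then
            echo "FAIL $svc: enabled in inetd.conf but has no allow line in inetd.sec"; rc=1
        elif [ "$hosts" != "$server" ]; then
            echo "FAIL $svc: allowed from '$hosts', expected only $server"; rc=1
        else
            echo "ok   $svc: restricted to $server"
        fi
        [ "$(sec_line_count "$sec" "$svc")" -gt 1 ] &&
            echo "note $svc: more than one inetd.sec line, check which one inetd honours"
    done
    return $rc
}

audit_client "$WORK/inetd.conf" "$WORK/inetd.sec" 10.1.1.5 ||
    echo "audit: fix the FAIL lines before re-enabling r-services with inetd -c"
echo "hosts.equiv wildcard entries: $(hosts_equiv_wildcards "$WORK/hosts.equiv")"
echo "hosts.equiv.bad wildcard entries: $(hosts_equiv_wildcards "$WORK/hosts.equiv.bad")"
echo "/images access hosts: $(exports_access_hosts "$WORK/exports" /images | tr '\n' ' ')"
```

On a real client you would point the functions at /etc/inetd.conf, /var/adm/inetd.sec, /etc/hosts.equiv and /etc/exports instead of the samples. The exec entry shows the kind of drift the audit is for: a 10.1.* wildcard left over from a broader allow list silently widens rexec access beyond the Ignite server.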
Donny Jekels
Respected Contributor

Re: ignite without rexec

Sure thing, I can send emails and requests to HP, if I only knew where to send it with our next SD order :-(
Berlene Herren
Honored Contributor

Re: ignite without rexec

Donny, you can send security issues to mailto:security-alert@hp.com

Regards,
Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Steven Sim Kok Leong
Honored Contributor

Re: ignite without rexec

Hi,

I agree too that ssh is the way to go. The security risk with rexec is primarily in its cleartext mechanism. Authentication credentials can be sniffed, along with potential man-in-the-middle attacks compromising traffic integrity.

Possible mitigating mechanisms include:

1) Having a switched network where the Ignite server and the clients are in neighboring proximity to one another. Unless a switch port is in SPAN mode, authentication credentials cannot be sniffed.

2) If you have a VPN tunnel between the client's switched network and the Ignite server's switched network, then traffic is secured within the public network.

3) Implement imperfect security by obscurity by using a high unknown port (e.g. 65432) for both rexecd and rexec. /etc/services has to be modified at both Ignite server and client ends. For someone malicious to sniff the rexec traffic, he needs to perform the extra step of probing and identifying the service running on the obscure port.

Hope this helps. Regards.

Steven Sim Kok Leong.