Re: remsh HPUX -> Linux

SOLVED
Charles Gaffney_1
Occasional Advisor

remsh HPUX -> Linux

Experts,

I am looking to use the remsh command to do fbackups from an HP 9000 to a Linux server. I have read the forums here on the setup but I must have something wrong. The error I receive is:
rcmd: connect: Gaff_server: Connection refused

I also don't have anything in my inetd.conf on my remote Linux server.

I am lost.
Helen French
Honored Contributor

Re: remsh HPUX -> Linux

This error message indicates that there is a problem with the remsh or rexec commands. Check if you can run simple commands:

# remsh hostname ls /etc
# rcp /tmp/test hostname:/tmp/

Check values entered in /var/adm/inetd.sec and /etc/inetd.conf files. Even a typo can give you this error.
Life is a promise, fulfill it!
Vincent Fleming
Honored Contributor

Re: remsh HPUX -> Linux

You have to enable it in inetd.conf on the remote system - otherwise, it won't know what to do with the incoming connection request.

It's usually in the default /etc/inetd.conf, but commented out.

Vince
No matter where you go, there you are.
Shannon Petry
Honored Contributor

Re: remsh HPUX -> Linux

Ahhhh, the glory of Linux shows...

Like all systems, for password access you need a $HOME/.rhosts file, or for non root users you can use /etc/hosts.equiv

While this may be enough for you to access a HP-UX server as root, in Linux we have to take an extra step.

The nit-picker here is PAM, and not inetd/xinetd. PAM is configured in /etc/pam.d.

If you look at this directory, you have a lot of rules for every possible method of connection in nice tiny files. I.E.
% ls /etc/pam.d
apacheconf kisdndock reboot sshd
chfn kppp redhat-config-apache su
chsh kscreensaver redhat-config-date sudo
dateconfig kuser redhat-config-printer-gui system-auth
firewall-config kwuftpd redhat-config-time up2date
ftp locale_config redhat-config-users up2date-config
gdm login rexec up2date-nox
gdmconfig neat rhn_register v4l-conf
gnorpm-auth other rlogin xdm
halt passwd rp3-config xscreensaver
hwbrowser poweroff rsh xserver
internet-druid ppp samba
kbdrate printconf-gui serviceconf
kde printtool smtp

Now when you look inside these files, you will notice that for many services, auth is required. This means that even if you have a hosts.equiv, PAM security says you must auth through PAM.

You cannot delete these lines, but you do need to modify the connection method's authorization to "optional".


I'd highly recommend you do a bit of reading on pam.

man pam.conf
and/or
info pam.conf

Also, I'd highly recommend that you backup files before you start making changes, and test each change before you reboot the system.

changes in pam control files do not require a reboot.

Lastly, if this box is on an open internet line, I'd recommend you don't change things. Get a box off the internet to do what you need.

Regards,
Shannon
Microsoft. When do you want a virus today?
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Thanks. This Linux box was dropped in my lap. There is nothing in the inetd.conf file. It was 0 bytes. I tried to insert this: login stream tcp nowait username /usr/lbin/rclogind rclogind

Still get rcmd: connect: Gaff_server: Connection refused

Is my inetd.conf file set up wrong?
Shannon Petry
Honored Contributor

Re: remsh HPUX -> Linux

The inetd.conf file will be null if you are using xinetd. The control files for this are in /etc/xinetd.d.


Since you are getting a connection refused, the xinet daemon is running just fine.

If it was not running, you would get a timeout error.

Did you take a look yet at the pam config file?

Last note, HP-UX is the only Unix that uses remsh. All other systems use rsh.

So the file you want to change is /etc/pam.d/rsh


Regards,
Shannon
Microsoft. When do you want a virus today?
Scott Corzine
Advisor

Re: remsh HPUX -> Linux

Hi-

A few points:

(1) A "connection refused" (for any service) is normally generated by the kernel (not xinetd/inetd) when a TCP connection is opened to a port which does not have any corresponding process listening on it (rarely this can be interface specific).

Technically, this is done by the kernel issuing a TCP RSET in response to the TCP SYN that starts the connection. There may be some other circumstances in which some clients report "Connection refused", but this is the normal case.

(2) Firewalls or routing problems will typically result in a "host unreachable", "port unreachable" (both by sending ICMP messages), or no reply at all until the connection times out (when it or the ICMP messages get blackholed). NAT devices may generate Connection refused, and I know of at least one security device which forged TCP RSET's, but that's very unusual.

(3) For some servers (sendmail, named, sshd) the listening is normally done by a long-running daemon. For others (telnet, rsh/rlogin/remsh) it is done by inetd (when listed in /etc/inetd.conf) or xinetd (when listed under /etc/xinetd.conf and /etc/xinet.d), which listens on the port, accepts the connection and starts the individual daemon as needed. Note that most implementations require that you send a SIGHUP to inetd after modifying /etc/inetd.conf so that it will reread the file and start listening on the new port.

This is most likely to be your problem.

(4) PAM doesn't come into play until after the connection is accepted and it is ready to authorize the user. It is possible that a sufficiently broken PAM configuration could cause the daemon to abort during its startup phase after the connection is accepted. If a daemon is really broken (high numbers of failures) inetd may temporarily disable it (check syslog for messages).

(5) The Berkeley "r" protocols (rsh/remsh, rlogin, rcp) are really, really insecure and should never be enabled on any Internet accessible host (only behind firewalls). I always advise people to use ssh (or openssh) instead, which can be turned into an almost drop-in replacement for rsh/remsh/rlogin. I don't know if HP has a distribution available, but you can always go to http://www.openbsd.org (where openssh is hosted) and download it from there. Ssh isn't perfect, but it's a lot better than rsh.

Hopefully this helps,
-Scott-
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Shannon and Scott,

Thank you both for the help. I learn more in 15 min here at the forum than from any books.

Shannon,
I don't have a /etc/pam.d/rsh file. The reading on PAM was interesting. Thanks.

Scott,

I looked in my /etc/xinetd.d directory and I have several configuration files.


total 18
-rw-r--r-- 1 root root 297 Mar 4 2002 chargen
-rw-r--r-- 1 root root 317 Mar 4 2002 chargen-udp
-rw-r--r-- 1 root root 443 Feb 21 2002 cups-lpd
-rw-r--r-- 1 root root 327 Feb 27 2002 cvs
-rw-r--r-- 1 root root 297 Mar 4 2002 daytime
-rw-r--r-- 1 root root 317 Mar 4 2002 daytime-udp
-rw-r--r-- 1 root root 289 Mar 4 2002 echo
-rw-r--r-- 1 root root 308 Mar 4 2002 echo-udp
-rw-r--r-- 1 root root 468 Feb 28 2002 fam
-rw-r--r-- 1 news news 336 Feb 22 2002 leafnode
-rw-r--r-- 1 root root 344 Feb 22 2002 linuxconf-web
-rw-r--r-- 1 root root 309 May 14 2002 proftpd-xinetd
-rw-r--r-- 1 root root 317 Mar 14 2002 rsync
-rw-r--r-- 1 root root 314 Mar 4 2002 servers
-rw-r--r-- 1 root root 312 Mar 4 2002 services
-rw-r--r-- 1 root root 355 Mar 16 2002 swat
-rw-r--r-- 1 root root 321 Mar 4 2002 time
-rw-r--r-- 1 root root 317 Mar 4 2002 time-udp

Which one do I modify?

Did I inherit a bad box or am I just missing something?
Shannon Petry
Honored Contributor

Re: remsh HPUX -> Linux

Scott, your presumption does not fit with most Unices. Smart kernels are not that common. In Linux, you have a smart kernel, but the error returned from an empty port is not usually "connection refused", but "service not available".

Since you have no "rsh" file in your xinetd.d directory nor a /etc/pam.d/rsh, the server is not installed. Test this with the following:

% rpm -q --all | grep rsh
rsh-0.17-5
rsh-server-0.17-5

(I hope it's a Redhat system so you can use RPM anyway).

After the service is installed, it will be disabled. So modify your /etc/xinetd.d/rsh file to look like this.


vi /etc/xinetd.d/rsh
service shell
{
disable = no
socket_type = stream
wait = no
user = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/in.rshd
}



Then, you need to make sure that your /etc/pam.d/rsh file looks like this:
% vi /etc/pam.d/rsh

#%PAM-1.0
# For root login to succeed here with pam_securetty, "rexec" must be
# listed in /etc/securetty.
auth optional /lib/security/pam_nologin.so
auth optional /lib/security/pam_securetty.so
auth optional /lib/security/pam_env.so
auth optional /lib/security/pam_stack.so service=system-auth
account optional /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_stack.so service=system-auth


Regards,
Shannon
Microsoft. When do you want a virus today?
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Shannon,

I tried the rpm test, it returned nothing. I then went and created the two files. I rebooted the server and presto changeo...nothing...
The rpm test still does not return anything.

I have Mandrake Linux BTW.
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Shannon,

Let me take that back. I read the man pages for rpm.

I ran rpm and the query returned nothing.
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Shannon,

I started looking for the /usr/sbin/in.rshd file... it does not exist on my server. Could that be half my problem?
Shannon Petry
Honored Contributor
Solution

Re: remsh HPUX -> Linux

I'm not sure how Mandrake works, and if their distro has RPM or not. I'll give you what I would do in Redhat, and hopefully it works for your box.

First, I'd load the OS CD's and mount them. Search each CD for rsh-server.

(normally my CD mounts to /mnt/cdrom).

% cd /mnt/cdrom
% find . -name "*" -print | grep -i rsh | grep -i server

This should find me the server package.

Next, I'd install it with RPM.

% rpm -Uvh /mnt/cdrom/

After the package is installed, I would have to modify the /etc/xinetd.d/rsh file, and the /etc/pam.d/rsh file. The installation of the server package "should" overwrite previous system files. Use my previous notes to modify those files.

No need to reboot, it's Linux. Just restart the xinetd daemon. Redhat would be
% /etc/init.d/xinetd restart

I'd be curious to know if the RPM commands work the same on Mandrake as Redhat. Let me know how it turns out.

Regards,
Shannon
Microsoft. When do you want a virus today?
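Two things in this thread decide whether the HP-UX side ever gets past "Connection refused": Scott's point that a refused connection means nothing is listening on the port (the kernel answers the SYN with a reset before inetd/xinetd or PAM are involved), and Shannon's steps that the xinetd service file must say `disable = no` and point at a server binary that actually exists (Charles's box had no /usr/sbin/in.rshd). The script below is an added example written for this page, not code from the thread or from any distribution; it audits an xinetd service file for those two conditions and checks for a TCP listener on the shell port. The paths /etc/xinetd.d/rsh and /usr/sbin/in.rshd are the Red Hat ones quoted in the thread, and the sample service file it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: explain a "connection refused" for an xinetd-managed
# r-service before touching PAM. Assumed layout: /etc/xinetd.d/<service>
# with a "server = /path/to/in.rshd" attribute, as quoted in the thread.

# Print the last value assigned to ATTR in an xinetd service file.
# xinetd accepts "attr = value" and "attr += value" with any whitespace.
xinetd_attr() {   # xinetd_attr FILE ATTR
    awk -v a="$2" '$1 == a && ($2 == "=" || $2 == "+=") { print $3 }' "$1" | tail -n 1
}

# 0 if the file enables the service, 1 if "disable = yes", 2 if unreadable
# or the value is not yes/no. An absent "disable" attribute means enabled
# unless the service is named in the "disabled =" list of /etc/xinetd.conf.
xinetd_service_enabled() {   # xinetd_service_enabled FILE
    [ -r "$1" ] || return 2
    case "$(xinetd_attr "$1" disable)" in
        yes|YES|Yes) return 1 ;;
        no|NO|No|"") return 0 ;;
        *)           return 2 ;;
    esac
}

# 0 if the configured "server" binary exists and is executable. A service
# whose server is missing (the thread's absent in.rshd) never listens.
xinetd_server_present() {   # xinetd_server_present FILE
    srv=$(xinetd_attr "$1" server)
    [ -n "$srv" ] && [ -x "$srv" ]
}

# 0 if some process holds a TCP listener on PORT (514/tcp is "shell" in
# /etc/services). No listener is exactly the case in which the kernel
# sends RST and the client prints "connection refused".
listening_on_port() {   # listening_on_port PORT
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    fi
}

# Walk the checks in the order a refused connection should be triaged.
triage_rservice() {   # triage_rservice SERVICE_FILE PORT
    if ! xinetd_service_enabled "$1"; then
        echo "$1: service disabled or unparseable (set 'disable = no', restart xinetd)"
        return 1
    fi
    if ! xinetd_server_present "$1"; then
        echo "$1: server binary '$(xinetd_attr "$1" server)' missing (install the server package)"
        return 2
    fi
    if ! listening_on_port "$2"; then
        echo "port $2: nothing listening (was xinetd restarted after the edit?)"
        return 3
    fi
    echo "port $2: listener present; a failure now is authorization (.rhosts/PAM), not connectivity"
}

# Demonstration on a constructed service file, mirroring the state Charles
# described (service installed but still disabled).
demo_dir=$(mktemp -d)
cat > "$demo_dir/rsh" <<'EOF'
service shell
{
	disable     = yes
	socket_type = stream
	wait        = no
	user        = root
	server      = /usr/sbin/in.rshd
}
EOF
triage_rservice "$demo_dir/rsh" 514
rm -rf "$demo_dir"
```

Run it as root on the Linux box after each change (`sh triage.sh`); the first check that fails is the one to fix, and only when the listener check passes does the `.rhosts` and PAM discussion later in the thread apply.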
Charles Gaffney_1
Occasional Advisor

Re: remsh HPUX -> Linux

Shannon,

Whew...ok..rsh is now installed...but now I get permission denied errors running simple

remsh Gaff_server ll
Frank Slootweg
Honored Contributor

Re: remsh HPUX -> Linux

> but now I get permission denied errors running simple
>
> remsh Gaff_server ll

Make sure that the *remote* (i.e. r[em]shd server) ~user/.rhosts file contains the *local* (i.e. r[em]sh client) hostname *and* that the file is owned by the user in whose home directory it is, i.e. ~franks/.rhosts *must* be owned by franks. At least those are the rules for HP-UX/UNIX, so I assume they also hold for Linux.

Can the Linux box r[em]sh to itself? I.e.

linux> r[em]sh `hostname` date

(use date(1) instead of ll(1) in order to eliminate file/directory access problems)
Shannon Petry
Honored Contributor

Re: remsh HPUX -> Linux

Make the mods I said, then try to rsh to the Linux box.

Like previously mentioned, you will still have to have a $HOME/.rhosts for root (which in most Linux distros is /root) and a $HOME/.rhosts for users or a /etc/hosts.equiv for non-root.

One other key is that by default, the installation of the service does not enable it. You will have to make sure that the "disabled: yes" line in /etc/xinetd.d/rexec/rsh is set to "no". Then restart xinet.

PAM is an extra security layer, beyond that of the inetd/rshd which looks for the access file.

Now, what I found is that some Linux distros use the same in.rshd as they do for in.rexec, some don't. Since I'm not sure what you're doing, make the pam.conf files look the same for the remote connect methods on rsh, rexec, and rlogin (if they are all there anyway).

NOTE: The $HOME/.rhosts is different from standard. man .rhosts will give you the correct format/syntax.

If you enable the service, make the pam.conf modifications, and have $HOME/.rhosts(root) and /etc/hosts.equiv all should be good.

I have a feeling that the service is still disabled via the xinetd config file.

If it is enabled, can you rsh in as a user and not root? Or can no one rsh in?

Regards,
Shannon
Microsoft. When do you want a virus today?