HPE Community
Operating System - HP-UX
1832278 Members
1830 Online
110041 Solutions
New Discussion

Where do I look for differences in security setup?

 
Don Spare
Regular Advisor

‎03-24-2005 07:37 AM

‎03-24-2005 07:37 AM

Where do I look for differences in security setup?

I have 2 HP-UX 11.0 servers. I thought they were set up identically but I have just found out that I can remote shell into one as root without specifying a password, but the other prompts for password. Where do I look for these kinds of differences and how do I make it so the password is NOT required for remote shell?

Also the environment for root seems different than for 'oracle' in that oracle seems to have vi set to context/language sensitive (auto indents and such) but in root that is not the case. Where is that defined?
0 Kudos
Reply
11 REPLIES 11
harry d brown jr
Honored Contributor

‎03-24-2005 07:40 AM

‎03-24-2005 07:40 AM

Re: Where do I look for differences in security setup?

look for a DOT rhosts file (.rhosts) and look at /etc/hosts.equiv.

live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎03-24-2005 07:41 AM

‎03-24-2005 07:41 AM

Re: Where do I look for differences in security setup?

take a look at this product: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
Don Spare
Regular Advisor

‎03-24-2005 07:59 AM

‎03-24-2005 07:59 AM

Re: Where do I look for differences in security setup?

In the / (root home directory) on both systems the .rhosts files are identical. Neither server has /etc/hosts.equiv files.
0 Kudos
Reply
Biswajit Tripathy
Honored Contributor

‎03-24-2005 08:21 AM

‎03-24-2005 08:21 AM

Re: Where do I look for differences in security setup?

Don Spare wrote:
> I have 2 HP-UX 11.0 servers. I thought they were
> set up identically but I have just found out that I
> can remote shell into one as root without specifying
> a password, but the other prompts for password.

As already explained, look at both $HOME/.rhosts
and /etc/hosts.equiv files. Are you trying to rlogin to
both servers from the same machine and from the
same login ID?

You could post both the above files here (don't post
actual IP addresses, if any, in a public forum, just
replace them by IP_ADDR1 or some thing similar).

- Biswajit
:-)
0 Kudos
Reply
Don Spare
Regular Advisor

‎03-25-2005 08:19 AM

‎03-25-2005 08:19 AM

Re: Where do I look for differences in security setup?

I am attempting to setup a Nagios monitoring script that will run on a Linux box and 'remote shell' (/usr/bin/rsh on the Linux box) to my HP-UX servers and execute the 'uptime' command. The output of 'uptime' is returned to Linux where it is parsed and an appropriate status message and code is generated and sent to the Nagios application which then updates its intranet web site with that status, and possibly sends a notification to appropriate parties. Communication to my development HP-UX server (dev) is perfect using this process. But attempts to connect to my production server (prod) all end up failing. It seems the rsh to prod always asks for a password when attempted from the command line. Since the script doesn't understand this (and doesn't know the password) it simply fails. No password is requested by dev. Both prod and dev are supposed to be setup the same with the only difference I know of is that prod has JavaVM installed.

So ..... where do I look for the configuration parameters that say to ask for a password?
0 Kudos
Reply
Biswajit Tripathy
Honored Contributor

‎03-25-2005 08:58 AM

‎03-25-2005 08:58 AM

Re: Where do I look for differences in security setup?

As already suggested, could you post the contents
of ~root/.rhosts and /etc/hosts.equiv files?

I'm assuming that you are logged in as root and
running remote command execution as root in all the
machines.

- Biswajit
:-)
0 Kudos
Reply
Kent Ostby
Honored Contributor

‎03-25-2005 12:10 PM

‎03-25-2005 12:10 PM

Re: Where do I look for differences in security setup?

Don -- are the two machines in question on the same subnet ?

Does one have a firewall that the other doesnt have to try to get through ?
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
0 Kudos
Reply
Kent Ostby
Honored Contributor

‎03-25-2005 12:11 PM

‎03-25-2005 12:11 PM

Re: Where do I look for differences in security setup?

Also, check to see if the source machine can be seen from the two target machines .. perhaps something in /etc/hosts or DNS is preventing the one target machine from recognizing the source machine.

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎03-25-2005 02:00 PM

‎03-25-2005 02:00 PM

Re: Where do I look for differences in security setup?

If .rhosts exists *and* the permission for .rhosts is 600, then the remshd daemon is asking DNS to validate the client. Your DNS seerver must provide forward and reverse lookup for the incoming client or it will ask for a password. Lack of symmetrical records is a common Windows DNS server misconfig. If the DNS gods aren't responsive, change your HP-UX server to use /etc/hosts first, then DNS (/etc/nsswitch.conf) and put the client(s) into your /etc/hosts file. That will assure forward/reverse validation. Use nslookup to verify.


Bill Hassell, sysadmin
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎03-25-2005 11:12 PM

‎03-25-2005 11:12 PM

Re: Where do I look for differences in security setup?

rsh to determine if and report on the uptime status of a server?

one word: BAD

use something like snmp to check uptime!

live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
Don Spare
Regular Advisor

‎03-28-2005 01:39 AM

‎03-28-2005 01:39 AM

Re: Where do I look for differences in security setup?

Well, I found the problem. It seems my /etc/hosts file did not contain the location of the Nagios server. It appears that the remote server must know about the local server when attempting these types of connections.



This problem has been resolved.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.