Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
restrict rexec by user 1
- Thread starter ksas025
- Start date
spamly is right and here is some good links for ssh:
And this is another link for using the dsh:
Regards,
Khalid
And this is another link for using the dsh:
Regards,
Khalid
- Thread starter
- #4
Thanks for the responses but my environment requires the use of rexec for the time being. The vendor who develops our system has not incorporated SSH into its code. Therefore discovering a way to restrict rexec by user would be the next best step.
I am aware of security best practice but they are simply not applicable here.
Thanks for any additional responses.
I am aware of security best practice but they are simply not applicable here.
Thanks for any additional responses.
- Thread starter
- #5
As you have probably guessed, I am attempting to tighten rexec access from remote hosts to my User servers. One of my policies is to deny remote logons of the root user via /etc/security/user via the rlogin = false directive. This works great for protocols suchas telnet and rlogin/xlogin but does not work for rexec or rsh. Why is that? Is there anything I can do to restrict root via rexec and still allow my end users to use it?
Thanks again.
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
[tt]man rhosts[/tt]
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
A Simple Code for Posting on the Web
- Thread starter
- #7
I am not sure if rhosts is working for me. Even after I enter -<hostname> in the ~/.rhosts it still allows me to use Exceed to rexec from that windows client. It does restrict rsh however. Is this the expected behavior?
I just cant seem to restrict rexec from my Windows exceed clients.
I just cant seem to restrict rexec from my Windows exceed clients.
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
Sorry, I thought rexec was an "r-command" like rsh and rcp, but it's a different beast, and doesn't care about rhosts or hosts.equiv.
Hopefully someone else will have an idea how to secure it, because the only method I've found is to disable it altogether.
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
A Simple Code for Posting on the Web
Hopefully someone else will have an idea how to secure it, because the only method I've found is to disable it altogether.
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
A Simple Code for Posting on the Web
You could (But I wouldn't) put a wrapper round the command, along the lines
if ( uname = "username" -o uname = "another_user" )
then
run command
else
echo "not allowed"
fi
rename / alias rexec call from script
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
if ( uname = "username" -o uname = "another_user" )
then
run command
else
echo "not allowed"
fi
rename / alias rexec call from script
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
- Thread starter
- #10
Do you mean a wrapper around rexecd? That would mean (i think) that I would alter inetd.conf to look at another file then pass control to rexecd if authorized? Is that correct?
How would you pass control to rexecd? Is rexecd open source? Maybe I can look at the code to see what it expects.
How would you pass control to rexecd? Is rexecd open source? Maybe I can look at the code to see what it expects.
- Thread starter
- #11
For whoever is interested I ended up doing what mrn suggested. I wrote a Perl script that accepts the rexec compliant string passed to socket TCP/512. The Perl script then scrutinizes the string received by the client for user and execute information. If the calling user is not in a file held in the /etc directory the perl script kills the connection. If the user exists then it passes the unmodified login string to the real rexecd which I configured to listen on a different port. Since the remote rexec request has DISPLAY information included, the real rexecd does not care where the request comes from but simply check the password and executes the command if allowed.
After about 2 weeks in a development environment it seems to work well. I believe this to be an acceptable solution for environments that *must* have rexec service available.
Thanks all for their help.
After about 2 weeks in a development environment it seems to work well. I believe this to be an acceptable solution for environments that *must* have rexec service available.
Thanks all for their help.
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
You may have already done this, but you should tighten down your tcpwrapper on rexecd to only accept connections from localhost. Otherwise all an unauthorized user needs to do to bypass your program is find out what the new rexecd port is.
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
A Simple Code for Posting on the Web
- Rod
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
A Simple Code for Posting on the Web
-
1
- #13
To disallow inbound rexec access to a user:
# chuser ttys=ALL,!REXEC username
This is assuming that the ttys parameter for the user is the default "ALL". Check this with "lsuser -a ttys username".
This mechanism can also be used to block inbound rsh access:
# chuser ttys=ALL,!RSH username
or both:
# chuser ttys=ALL,!REXEC,!RSH username
# chuser ttys=ALL,!REXEC username
This is assuming that the ttys parameter for the user is the default "ALL". Check this with "lsuser -a ttys username".
This mechanism can also be used to block inbound rsh access:
# chuser ttys=ALL,!RSH username
or both:
# chuser ttys=ALL,!REXEC,!RSH username
Not tidy but what about a wrapper?
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
Don't know why I replied to this again. One of those days......
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
Mike
"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
- Thread starter
- #16
Abubasim, I thank you. Your solution is the simplest and best for what I want to do. Using the /etc/security/user file I can deny rexec by user by simply listing the !REXEC in the tty= directive of the user's stanza. Now that is tidy!
Thanks to all for your replies!
Alex
Thanks to all for your replies!
Alex
- Status
Similar threads