Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

restrict rexec by user 1

Status
Not open for further replies.

ksas025

Technical User
Jun 3, 2004
92
US
Is there any way to restrict rexec access by user instead of host? I have used TCP wrappers to tighten down network access to the rexec daemon but what I really want is to restrict rexec by user.

 
Ever thought about eliminating rexec and using ssh access with rsa key authentication? You would then be able to lock the connections down to a user and/or a host.

-Tim
 
Thanks for the responses but my environment requires the use of rexec for the time being. The vendor who develops our system has not incorporated SSH into its code. Therefore discovering a way to restrict rexec by user would be the next best step.

I am aware of security best practice but they are simply not applicable here.

Thanks for any additional responses. :)

 

As you have probably guessed, I am attempting to tighten rexec access from remote hosts to my User servers. One of my policies is to deny remote logons of the root user via /etc/security/user via the rlogin = false directive. This works great for protocols suchas telnet and rlogin/xlogin but does not work for rexec or rsh. Why is that? Is there anything I can do to restrict root via rexec and still allow my end users to use it?

Thanks again.
 
I am not sure if rhosts is working for me. Even after I enter -<hostname> in the ~/.rhosts it still allows me to use Exceed to rexec from that windows client. It does restrict rsh however. Is this the expected behavior?

I just cant seem to restrict rexec from my Windows exceed clients.
 
Sorry, I thought rexec was an "r-command" like rsh and rcp, but it's a different beast, and doesn't care about rhosts or hosts.equiv.

Hopefully someone else will have an idea how to secure it, because the only method I've found is to disable it altogether.

IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

A Simple Code for Posting on the Web
 
You could (But I wouldn't) put a wrapper round the command, along the lines

if ( uname = "username" -o uname = "another_user" )
then
run command
else
echo "not allowed"
fi

rename / alias rexec call from script

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 
Do you mean a wrapper around rexecd? That would mean (i think) that I would alter inetd.conf to look at another file then pass control to rexecd if authorized? Is that correct?

How would you pass control to rexecd? Is rexecd open source? Maybe I can look at the code to see what it expects.
 
For whoever is interested I ended up doing what mrn suggested. I wrote a Perl script that accepts the rexec compliant string passed to socket TCP/512. The Perl script then scrutinizes the string received by the client for user and execute information. If the calling user is not in a file held in the /etc directory the perl script kills the connection. If the user exists then it passes the unmodified login string to the real rexecd which I configured to listen on a different port. Since the remote rexec request has DISPLAY information included, the real rexecd does not care where the request comes from but simply check the password and executes the command if allowed.

After about 2 weeks in a development environment it seems to work well. I believe this to be an acceptable solution for environments that *must* have rexec service available.

Thanks all for their help.
 
You may have already done this, but you should tighten down your tcpwrapper on rexecd to only accept connections from localhost. Otherwise all an unauthorized user needs to do to bypass your program is find out what the new rexecd port is.

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

A Simple Code for Posting on the Web
 
To disallow inbound rexec access to a user:

# chuser ttys=ALL,!REXEC username

This is assuming that the ttys parameter for the user is the default "ALL". Check this with "lsuser -a ttys username".

This mechanism can also be used to block inbound rsh access:

# chuser ttys=ALL,!RSH username

or both:

# chuser ttys=ALL,!REXEC,!RSH username
 
Don't know why I replied to this again. One of those days......

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 
Abubasim, I thank you. Your solution is the simplest and best for what I want to do. Using the /etc/security/user file I can deny rexec by user by simply listing the !REXEC in the tty= directive of the user's stanza. Now that is tidy!

Thanks to all for your replies!

Alex
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top