rlogind: Permission denied when using rlogin and external network ip

Status: Not open for further replies.

AvayaTier3 (Technical User, Dec 31, 2008, 4,600, US)
Solaris 10 freeware with up to date Sun patches
Sun Blade 2000

networked with dlink wireless router on private network

192.168.0.200 is the private network address
192.168.0.104 is the private network address for a linux SE Enterprise 4.0

Any help would be appreciated. What am I missing?

I can use rlogin both directions between all servers on my private network. I can use telnet and ssh to all servers on my private network and also the external network ip addresses.

I also have an IP address for the outside world for each server. If I use my external IP address with rlogin to the Sun it fails. If I use my external IP address with rlogin to the linux server, it successfully logs in.
--------------------------------------------------------
rlogin fails, telnet and ssh work
/etc/hosts entries with external address
66.109.xxx.xxx sun.xxxxxxx.com sun loghost

sun [597039]-> rlogin -l joe sun.xxxxxxx.com
rlogind: Permission denied.

sun [597040]-> telnet sun.xxxxxxx.com
Trying 192.168.0.200...
Connected to sun.bshtele.com.
Escape character is '^]'.
login: joe
Password:
Last login: Fri Jan 23 16:33:43 from sun.bshtele.c
Sun Microsystems Inc. SunOS 5.10 Generic January 2005


/etc/hosts entries with private ip network address
192.168.0.200 sun.xxxxxxx.com sun loghost

sun [597044]-> rlogin -l joe sun
Last login: Fri Jan 23 16:30:57 from cracker.xxxxxx.com
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
sun [597045]-> rlogin -l joe sun.xxxxxxx.com
Last login: Fri Jan 23 16:33:28 from sun.xxxxxxx.com
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
sun [597046]-> ssh bsh@66.109.xxx.xxx
Last login: Fri Jan 23 16:39:11 2009 from sun.bshtele.c
Sun Microsystems Inc. SunOS 5.10 Generic January 2005

On the linux server, to make rlogin work:
cracker4 :root: [555]-> pwd
/etc/xinetd.d
cracker4 :root: [556]-> vi rlogin
service login
{
socket_type = stream
wait = no
user = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/in.rlogind
disable = yes
}
=======================
I see no equivalent files in the Solaris 10 server.


 
Avaya,
Linux Enterprise 4.0 does not install the telnet service by default. You have to load the telnet-server RPM separately. Also, if you installed the default firewall, you need to configure the firewall to enable the telnet service. Here is the web page I used to get telnet to work...

 
telnet is not broken on the linux or Solaris 10 server

Thank you for your reply. But, rlogin and rsh are broken on Solaris 10 with an external ip address or a name that resolves to the external ip address. rlogin and rsh both work if I use 192.168.0.200 (internal network ip) or sun (the hostname that's in the /etc/hosts file with the same address). If I change /etc/hosts to a domain name and external address, rlogin and rsh will fail. (see error log entries below)

telnet works with internal network ip and external network ip on my Solaris 10 and Linux servers

ssh works with internal network ip and external network ip on my Solaris 10 and Linux servers

rlogin works with internal network ip and external network ip on my Linux server

rlogin and rsh work with internal network ip on my Solaris 10 server

rlogin and rsh fail with external network ip address on my Solaris 10 server

In my router, the firewall and ports turned on are the same for the working Linux and the not working Solaris.
rlogin port 513 is the one that is turned on. If I turn off this port in the router, rlogin and rsh fail to both servers.

Here are error messages in /var/adm/messages

Jan 24 09:29:21 sun rsh[3082]: [ID 521673 daemon.notice] connection from sun.xxxxxx.com (66.109.xxx.yyy) - bad port
Jan 24 09:29:34 sun rsh[3084]: [ID 521673 daemon.notice] connection from xxxxxx.com (66.109.xxx.yyy) - bad port
Jan 24 09:39:16 sun rlogind[3232]: [ID 846982 daemon.notice] connection from xxxxxx.com(66.109.xxx.yyy) - bad port

all of these services are running
online 19:05:40 svc:/network/login:rlogin
online 19:05:45 svc:/application/graphical-login/cde-login:default
online 9:16:09 svc:/network/login:klogin
online 9:16:13 svc:/network/login:eklogin
online 19:05:40 svc:/network/shell:default
online 9:09:48 svc:/network/shell:kshell
online 19:05:37 svc:/network/inetd:default

/etc/pam.conf
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
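The "bad port" notices quoted above come from the reserved-source-port check built into in.rshd and in.rlogind (inherited from the BSD r-commands): the daemon refuses any connection whose TCP source port is outside 512-1023 and logs it as "connection from host (addr) - bad port". This is why the rsh and rlogin clients run setuid root and obtain their local port with rresvport(). Forwarding port 513/514 inbound is therefore not enough if the router also rewrites the client's source port on the way through, even though telnet and ssh, which make no such demand, pass the same router fine. As an added example that is not part of this thread, the Python below parses notices in that format and applies the daemon's rule to an observed source port; the log lines are constructed from the post's format with placeholder names and addresses, and the sshd line is constructed noise.

```python
import re
from dataclasses import dataclass

# Constructed sample in the /var/adm/messages format quoted in the thread
# (placeholder hostnames/addresses as in the post; the sshd line is noise
# with a made-up message ID so the parser has something to skip).
SAMPLE_MESSAGES = """\
Jan 24 09:29:21 sun rsh[3082]: [ID 521673 daemon.notice] connection from sun.xxxxxx.com (66.109.xxx.yyy) - bad port
Jan 24 09:29:34 sun rsh[3084]: [ID 521673 daemon.notice] connection from xxxxxx.com (66.109.xxx.yyy) - bad port
Jan 24 09:39:16 sun rlogind[3232]: [ID 846982 daemon.notice] connection from xxxxxx.com(66.109.xxx.yyy) - bad port
Jan 24 09:40:02 sun sshd[3300]: [ID 000000 auth.info] Accepted publickey for joe from 192.168.0.104 port 51234 ssh2
"""

# in.rshd writes "host (addr)", in.rlogind writes "host(addr)"; the optional
# space handles both.
BAD_PORT_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>rsh|rlogind)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) daemon\.notice\] "
    r"connection from (?P<client>\S+?) ?\((?P<ip>[^)]+)\) - bad port$"
)

IPPORT_RESERVED = 1024  # the constant the daemons compare against


@dataclass
class BadPortEvent:
    stamp: str
    daemon: str
    client: str
    ip: str


def source_port_acceptable(port: int) -> bool:
    """in.rshd/in.rlogind accept a client only when its TCP source port lies in
    [IPPORT_RESERVED/2, IPPORT_RESERVED), i.e. 512..1023.  The rsh/rlogin
    client gets such a port from rresvport(), which needs root privilege."""
    return IPPORT_RESERVED // 2 <= port < IPPORT_RESERVED


def diagnose_source_port(port: int) -> str:
    """Describe an observed client source port the way the daemon judges it."""
    if source_port_acceptable(port):
        return "reserved port: passes the daemon's check"
    if port >= IPPORT_RESERVED:
        return ("unprivileged source port: rejected as 'bad port' -- typical when a "
                "NAT/port-forwarding router rewrites the client's source port")
    return "port below 512: rejected as 'bad port'"


def bad_port_events(text: str) -> list:
    """Return one BadPortEvent per 'bad port' notice in the syslog text."""
    events = []
    for line in text.splitlines():
        m = BAD_PORT_RE.match(line)
        if m:
            events.append(BadPortEvent(m["stamp"], m["daemon"], m["client"], m["ip"]))
    return events


def rejections_by_address(text: str) -> dict:
    """Count rejections per client address: a quick way to see whether every
    failure comes from one external (NAT'd) address, as in the thread."""
    counts = {}
    for ev in bad_port_events(text):
        counts[ev.ip] = counts.get(ev.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in bad_port_events(SAMPLE_MESSAGES):
        print(f"{ev.stamp} {ev.daemon:8} {ev.client} ({ev.ip})")
    print(rejections_by_address(SAMPLE_MESSAGES))
    for p in (1023, 1025, 40000):
        print(p, diagnose_source_port(p))
```

A capture of the failing session on the Solaris side (snoop on port 513 or 514, looking at the client's source port) is the direct way to confirm which case diagnose_source_port() describes; if the source port arrives above 1023, no change to .rhosts or pam.conf will help.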




 
Are you using /etc/hosts.equiv or ~/.rhosts files to control the rlogin authorisations? If so, what hostnames have you authorised on the Sun system? Have you tried replacing them with the + wildcard to make sure host name resolution is not the issue?

Annihilannic.
 
66.109.xxx.xxx joe
sun.xxxxxxx.com joe
xxxxxxx.com joe
+
+ joe

these are in the .rhosts file and seem to work when I use rsh and rlogin with my internal network address. If I remove the entries and test internal, the rsh / rlogin fails.

Adding and removing entries and test external, the rsh / rlogin always fails with rlogind: Permission denied.



A great teacher, does not provide answers, but methods to teach others "How and where to find the answers"

bsh

35 years Bell, AT&T, Lucent, Avaya
Tier 3 for 25 years and counting
 
Does seem to be network related then... I presume those "bad port" messages coincide with your attempts to rlogin to the Solaris 10 box's external IP address?

How is your network designed? If you have a single Dlink router, presumably your only connection to the internet, how are you making multiple external IP addresses visible to the outside world?

It's hard to imagine at which layer the problem exists though if telnet and ssh are working fine... immediately after a failed rlogin attempt, what does netstat -an | grep TIME_WAIT return?

Annihilannic.
 
I have a couple of registered hostnames that point at the same ip address. This is a static IP assigned to me by my ISP.

In my dlink router:

I can control what ports go to what computer on my internal network.

For example, I can point the telnet port at an old SPARC 5.
I point ssh at my solaris 10 sunblade. I point http at a Linux SE 4 for my internet server.
With my router I can control what ports are on and when and what computer on my internal network these services point to.

If I point ssh, rsh and rlogin at my Linux SE 4, I can get to my Linux server with an external IP. I know in Linux that this is controlled by the /etc/xinetd.d/ files.

If I point ssh, rsh and rlogin at my Solaris 10, ssh works and rlogin and rsh do not work with a fully qualified name or external IP address, but an internal address does work.



bsh
 
I see, makes sense now.

Just an aside... rsh is not a very secure protocol, I presume you must have a good reason to be enabling it?

I just tried a similar thing with my NetGear router, enabling ports 513 and 514. I'm able to rlogin from my Linux box to my Solaris box, or the Solaris box to itself using the external IP address fine. However rsh hostname somecommand from Linux says "poll: protocol failure in circuit setup", and from Solaris it returns to the prompt immediately with $? = 1, and no error message. Have you tried both protocols?

I'm thinking these might be 'features' of the various routers combined with fussiness of the Solaris support for rsh/rlogin...

Annihilannic.
 
My rsh acts the same way. No error. Just command prompt is returned.
I have opened 513 and 514.
I have tried 543, 544, 2105

Thanks for the warning. I am aware that this is not very secure and by default I have all these ports turned off in my router but http and ssh.

I turn them on to use them and turn them back off.

If this is working in Linux SE 4, it should also work in Solaris 10. I feel sure that I am just missing something.



bsh
 
Unlike rlogin, rsh uses a high port random to high port random to process errors and signals. That is the Protocol Failure error: it cannot create the backchannel.

A firewall would have to be pretty stateful and understand rsh protocol to have this work correctly, not simply a port forwarder or blocker. In other words, we would always use ssh.
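EGP's point, as an added loopback model that is not part of the thread and is not Solaris or Linux code: the rsh client sends the port number of a listening "stderr" socket at the front of its request, and rshd must connect back to that port before it acknowledges the request with a NUL byte. If the connect-back fails, rshd drops the primary connection, and the client reports the "poll: protocol failure in circuit setup" message Annihilannic saw. rlogin carries everything on its single connection, which is why it survives a plain port forwarder that rsh does not. The user names, command and ports below are constructed; the model uses ephemeral ports because binding the reserved ports the real programs use requires root, and reachable_stderr=False mimics a client whose advertised port exists only behind a NAT.

```python
import socket
import threading

HOST = "127.0.0.1"   # everything runs on loopback; names and command are constructed


def toy_rshd(listener, result):
    """Stand-in for in.rshd.  The request is 'stderrport\\0luser\\0ruser\\0cmd\\0'.
    If stderrport is non-zero the daemon must connect *back* to the client at
    that port before acknowledging with a single NUL byte; if the connect-back
    fails it simply drops the primary connection, as the real daemon does."""
    conn, (client_ip, _) = listener.accept()
    with conn:
        data = b""
        while data.count(b"\0") < 4:
            chunk = conn.recv(256)
            if not chunk:
                return
            data += chunk
        port_s, luser, ruser, cmd, _ = data.split(b"\0", 4)
        stderr_port = int(port_s)
        result["request"] = (luser.decode(), ruser.decode(), cmd.decode())
        result["backchannel"] = "not requested"
        if stderr_port:
            try:
                back = socket.create_connection((client_ip, stderr_port), timeout=1.0)
            except OSError as exc:
                # Behind a port-forwarding NAT this is the failure mode: the
                # advertised port is only reachable on the client's private side.
                result["backchannel"] = "failed: " + type(exc).__name__
                return
            with back:
                back.sendall(b"rshd: stderr channel open\n")
            result["backchannel"] = "connected"
        conn.sendall(b"\0")                              # NUL = request accepted
        conn.sendall(b"stdout from " + cmd + b"\n")


def toy_rsh(server_port, luser, ruser, cmd, reachable_stderr=True):
    """Stand-in for rsh(1): listen for the stderr backchannel, send the request,
    then read the server's first byte the way the real client does (NUL = ok;
    EOF or anything else = 'poll: protocol failure in circuit setup').
    reachable_stderr=False advertises a port nothing listens on."""
    err_listener = socket.socket()
    err_listener.bind((HOST, 0))
    err_listener.listen(1)
    err_listener.settimeout(1.0)
    err_port = err_listener.getsockname()[1]
    if not reachable_stderr:
        probe = socket.socket()
        probe.bind((HOST, 0))
        err_port = probe.getsockname()[1]      # allocated then released: a closed port
        probe.close()
    outcome = {"stderr_port": err_port}
    request = b"%d\0%s\0%s\0%s\0" % (err_port, luser.encode(), ruser.encode(), cmd.encode())
    with socket.create_connection((HOST, server_port), timeout=2.0) as conn:
        conn.sendall(request)
        if conn.recv(1) != b"\0":
            outcome["status"] = "poll: protocol failure in circuit setup"
            err_listener.close()
            return outcome
        outcome["status"] = "ok"
        outcome["stdout"] = conn.recv(256).decode().strip()
    try:
        err_conn, _ = err_listener.accept()
        with err_conn:
            outcome["stderr"] = err_conn.recv(256).decode().strip()
    except socket.timeout:
        outcome["stderr"] = None
    err_listener.close()
    return outcome


def demo(reachable_stderr=True):
    """Run one rshd/rsh exchange on loopback; return (server view, client view)."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    server_view = {}
    t = threading.Thread(target=toy_rshd, args=(listener, server_view), daemon=True)
    t.start()
    client_view = toy_rsh(listener.getsockname()[1], "joe", "joe", "uname -a", reachable_stderr)
    t.join(3.0)
    listener.close()
    return server_view, client_view


if __name__ == "__main__":
    print("direct:", demo(True))
    print("NAT'd: ", demo(False))
```

Running it prints both outcomes: in the direct case the server view shows the backchannel connected and the client receives data on both sockets; in the NAT'd case the server records the refused connect-back and the client sees only an EOF where the NUL should be. The second, server-initiated connection is the extra entry Annihilannic noticed in TIME_WAIT after his tests, and it is the reason a stateless port forward for 514 is not enough for rsh while it suffices for rlogin.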
 
Thanks for the clarification EGP, I was kind of suspecting something like that when I noticed the three connections in TIME_WAIT state after my tests, two of which were using ports in the 1023-1025 range... I was surprised that rlogin is quite different in that respect though, thinking that the protocols were similar since an rsh without a command results in an rlogin anyway!

Annihilannic.
 