Debugging PAM or unlocking rsh / rlogin
Ingo Krabbe
ingo.krabbe at protel.net
Thu Jan 26 11:40:19 UTC 2017
Hey PAM Wizards,
I try to unlock rsh / rlogin access to some hidden AWS EC2 Machines installed with Amazon Linux 2016.09.
PLEASE DON'T ASK WHY, OR SUGGEST TO USE SSH! I know what I'm doing here and I know why I want to do that! I also know about the securety implications by such steps.
Here is my story:
After I set-up xinetd and rsh services over a private IP address, I can talk to my machine with
# rsh -l USER IP
The answer I get is always
rlogin: connection closed
On the target machine I have
Jan 26 11:18:41 XXX rlogind[30908]: pam_rhosts(rlogin:auth): allowed access to someone at ip-IP.eu-west-1.compute.internal as USER
So the rlogin process authorizes me to talk to the machine on behalve of the local account USER.
Using the strace debug method I can see that rlogind spawns login with
execve("/bin/login", ["login", "-p", "-h", "ip-IP.eu-west-1..."..., "-f", "USER"], [/* 3 vars */]) = 0
These "ip-IP.eu-west-1..." are default reverse DNS resolutions of my private IP address.
Now the "login" process starts another DNS Name resolution, and finally (immediately) finishes with
setpgid(0, 0) = -1 EPERM (Operation not permitted)
ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
readlink("/proc/self/fd/0", "/dev/pts/8", 4095) = 10
stat("/dev/pts/8", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
lstat("/dev/pts/8", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
access("/dev/pts/8", R_OK|W_OK) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
fchown(0, 0, 0) = 0
fchmod(0, 0620) = 0
ioctl(0, SNDCTL_TMR_START or SNDRV_TIMER_IOCTL_TREAD or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
close(0) = 0
close(1) = 0 # this might be the origin of the SIGHUP.
--- SIGHUP {si_signo=SIGHUP, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
--- SIGCONT {si_signo=SIGCONT, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
--- SIGHUP {si_signo=SIGHUP, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
+++ killed by SIGHUP +++
But I can't figure out why login dies like that.
Best regards,
Ingo Krabbe
More information about the Pam-list
mailing list