Debugging PAM or unlocking rsh / rlogin

Ingo Krabbe ingo.krabbe at protel.net
Thu Jan 26 11:40:19 UTC 2017 

Hey PAM Wizards,

I try to unlock rsh / rlogin access to some hidden AWS EC2 Machines installed with Amazon Linux 2016.09.

PLEASE DON'T ASK WHY, OR SUGGEST TO USE SSH! I know what I'm doing here and I know why I want to do that! I also know about the securety implications by such steps.

Here is my story:

After I set-up xinetd and rsh services over a private IP address, I can talk to my machine with

    # rsh -l USER IP

The answer I get is always

    rlogin: connection closed

On the target machine I have

    Jan 26 11:18:41 XXX rlogind[30908]: pam_rhosts(rlogin:auth): allowed access to someone at ip-IP.eu-west-1.compute.internal as USER

So the rlogin process authorizes me to talk to the machine on behalve of the local account USER.

Using the strace debug method I can see that rlogind spawns login with

    execve("/bin/login", ["login", "-p", "-h", "ip-IP.eu-west-1..."..., "-f", "USER"], [/* 3 vars */]) = 0

These "ip-IP.eu-west-1..." are default reverse DNS resolutions of my private IP address.

Now the "login" process starts another DNS Name resolution, and finally (immediately) finishes with

    setpgid(0, 0)                     = -1 EPERM (Operation not permitted)
    ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
    readlink("/proc/self/fd/0", "/dev/pts/8", 4095) = 10
    stat("/dev/pts/8", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
    lstat("/dev/pts/8", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 8), ...}) = 0
    access("/dev/pts/8", R_OK|W_OK)   = 0
    ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    fchown(0, 0, 0)                   = 0
    fchmod(0, 0620)                   = 0
    ioctl(0, SNDCTL_TMR_START or SNDRV_TIMER_IOCTL_TREAD or TCSETS, {B38400 opost isig icanon echo ...}) = 0
    ioctl(0, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
    close(0)                          = 0
    close(1)                          = 0                  # this might be the origin of the SIGHUP.
    --- SIGHUP {si_signo=SIGHUP, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
    --- SIGCONT {si_signo=SIGCONT, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
    --- SIGHUP {si_signo=SIGHUP, si_code=SI_KERNEL, si_value={int=118, ptr=0x76}} ---
    +++ killed by SIGHUP +++

But I can't figure out why login dies like that.

Best regards,

Ingo Krabbe

More information about the Pam-list mailing list