# How do I enable root-logins using rsh?

## chengfu

Hello,

I can't get rsh to allow root-logins. I've set up xinetd and netkit-rsh, added "rsh" and "rlogin" to /etc/securetty and inserted the appropriate IP addresses into /etc/.rhosts. But whenever I connect to the server the operation results in "FAIL: shell address" in /var/log/daemon.log.

Did I miss anything?

Thanks in advance,

Bye, CF

----------

## Carlos

This won't help your problem, but you do know that rlogin is insecure and that you shouldn't use it across the internet, right?  Indeed, with modern computers the overhead of encryption is insignificant, and the additional benefit of being able to log in without a password (using SSH keys) leads people to use SSH even when security isn't a concern.

My apologies if you already know all that.

----------

## chengfu

Hello,

Yes, I know that rsh isn't secure. But we still use it to check the load of our server in an LVS environment. All servers operate in a private network and are secured from the outer world.

But I just found the solution in our internal knowledge base (shame on me: I made the entry myself some weeks ago):

You need to specify the parameters "-lhL" for in.rshd.

Bye, CF

----------

## nemoflo

Hi,

Do you use PAM?

If yes, on the first line of the file rlogin in /etc/pam.d/, add:

auth   sufficient    pam_wheel.so  use_uid  trust

Add the same in the rsh file.

Give me feedback and I will try to help you more.

Bye

----------

## nemoflo

Hello,

   It's me again.

   Don't forget to configure xinetd.conf by replacing your "only_from" options with the right address you want.

Sample: blabla

             only_from  myhost1 myhost2

             blabla

Bye

----------

## wrex

 *nemoflo wrote:*   

> Hi,
> 
>    Do you use PAM ?
> 
>    if yes, on the first line of the file rlogin in /etc/pam.d/, add :
> ...

 

This will actually bypass any configuration in ~root/.rhosts or /etc/hosts.equiv on the destination host.

The problem appears to be a bug somewhere in the securetty checking (possibly in how the TTY is passed).

I've got a cluster of machines I'm using for performance testing. I'd rather use rsh than ssh mainly because a bunch of legacy scripts expect it, but also because it's slightly (probably VERY slightly) less overhead than ssh. I need to allow both root and non-root users to rsh without password between any nodes in the cluster.

Here's how I got rsh working on my cluster:

1. Emerge netkit-rsh and xinetd on all nodes in the cluster
2. Add the cluster network to the "only_from" line in /etc/xinetd.conf (e.g. "only_from = localhost 192.168.0.0/24")
3. Change /etc/xinetd.d/rsh to read "disable = no"
4. Change /etc/xinetd.d/rlogin to read "disable = no"
5. Start xinetd and add it to the default runlevel (/etc/init.d/xinetd start; rc-update add xinetd default)
6. Add the name of all hosts to /etc/hosts.equiv on all nodes in the cluster
7. Add "server_args = -h" to /etc/xinetd.d/rsh on all nodes in the cluster and "killall -s HUP xinetd"
8. Add the name of all cluster hosts to ~root/.rhosts on all nodes in the cluster
9. Remove the securetty line from /etc/pam.d/rsh on all nodes in the cluster
10. Remove the securetty line from /etc/pam.d/rlogin on all nodes in the cluster

The last four steps are only required if you need to allow passwordless rsh for root.  The last two steps shouldn't be required at all (as long as you add "rsh" and "rlogin" to /etc/securetty) but they were for me.

Regards,

-- 

Rex

----------
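For reviewing a node that was configured as described in this thread, here is an added example (not code from any poster) that reports each rsh trust setting the thread touches: the xinetd `only_from` and `server_args` lines, the PAM securetty and `pam_wheel ... trust` lines, and the contents of the trust files. The file contents, the host names node1/node2 and the `/usr/sbin/in.rshd` path are constructed sample values.

```python
import re

def settings(text):
    """Collect 'key = value' lines of an xinetd file as {key: [words]}."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*[+-]?=\s*(.*)", line.split("#", 1)[0])
        if m:
            found.setdefault(m.group(1), []).extend(m.group(2).split())
    return found

def audit(files):
    """files maps path -> content; returns a list of (path, finding)."""
    out = []
    for path, text in files.items():
        lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
        rows = [l.split() for l in lines]
        if path == "/etc/xinetd.conf":
            if "only_from" not in settings(text):
                out.append((path, "no only_from restriction"))
        elif path.startswith("/etc/xinetd.d/"):
            s = settings(text)
            if s.get("disable") == ["no"]:
                out.append((path, "service enabled"))
                # -h can be bundled with other flags, e.g. "-lhL" from the thread
                if any(a.startswith("-") and "h" in a for a in s.get("server_args", [])):
                    out.append((path, "root .rhosts honoured (-h)"))
        elif path.startswith("/etc/pam.d/"):
            if not any("pam_securetty" in l for l in lines):
                out.append((path, "no securetty check"))
            if any(len(r) > 2 and r[1] == "sufficient" and "pam_wheel.so" in r[2]
                   and "trust" in r[3:] for r in rows):
                out.append((path, "pam_wheel trust bypasses rhosts checks"))
        elif path.endswith(("hosts.equiv", ".rhosts")):
            if any(r[0] == "+" or r[-1] == "+" for r in rows):
                out.append((path, "wildcard '+' entry"))
            out.append((path, "%d trusted entries" % len(rows)))
    return out

# Constructed sample: one node after the ten steps above (hypothetical contents).
SAMPLE = {
    "/etc/xinetd.conf": "defaults\n{\n  only_from = localhost 192.168.0.0/24\n}\n",
    "/etc/xinetd.d/rsh": "service shell\n{\n  disable = no\n"
                         "  server = /usr/sbin/in.rshd\n  server_args = -h\n}\n",
    "/etc/pam.d/rsh": "auth required pam_rhosts.so\naccount required pam_nologin.so\n",
    "/root/.rhosts": "node1\nnode2\n",
}
if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(path, "-", finding)
```

To check a live node, read the same paths from disk into the dictionary passed to `audit`.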

