Monday, July 27, 2009

Remote Login Tip

Subject : Remote Login Tip

Description :

. Tip Sheet for Remote Login Programs
Including telnet, rlogin, rsh, rcp, rdist, rcmd

. Section

1.0: About Remote Login Programs
2.0: Debugging Remote Login Problems
2.1: General Debugging Advice
2.2: Performance Analysis
3.0: Common How Tos
3.1: How to Increase ptys on a SunOS Machine
3.2: How to Increase ptys on a Solaris Machine
3.3: How to Allow/Disallow Remote root Logins under SunOS
3.4: How to Allow/Disallow Remote root Logins under Solaris
3.5: How to Add a Banner to a SunOS telnet Login
3.6: How to Add a Banner to a Solaris telnet Login
3.7: How to Grant rsh/rdist/rcp Permissions
3.8: How to rdist a Directory
4.0: Some Frequently Asked Questions
4.1: General Remote Login Problems
4.2: General R-command Problems
4.3: rcp and rdist Specific Problems
5.0: Patches
5.1: Remote Login Patches for SunOS
5.2: Remote Login Patches for Solaris

. Content

1.0: About Remote Login Programs

This Tip Sheet documents a wide variety of information concerning the
various remote login programs supported under SunOS and Solaris. This
includes telnet, rlogin, rsh and the related r-commands, rcmd, rcp and
rdist. This Tip Sheet is intended as a guide to the most common remote
login problems. Other references which contain some documentation on
the remote login programs are noted in Section 7.0.

2.0: Debugging Remote Login Problems

2.1: General Debugging Advice

The remote login programs very rarely experience problems other than
those outlined in this Tip Sheet. If you are experiencing additional
problems, the commands etherfind (SunOS) or snoop (Solaris) may be
used to discover exactly what is occurring on the network, and the
commands trace (SunOS) or truss (Solaris) may be used to discover
exactly what the commands are doing when they fail. However, the
information that these commands provide is very technical, and not
always easy to interpret.

2.2: Performance Analysis

Problems involving remote login performance are beyond the scope of
service that SunService can provide. If you are having problems with
remote login performance, consult Section 8.0 or 9.0 for where you can
get assistance from within Sun.

3.0: Common How Tos

3.1: How to Increase ptys on a SunOS Machine

You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time. The below example
increases the number of ptys to 128.

First, create a kernel with 128 ptys, by editing your kernel
configuration file (i.e., /sys/sun4c/conf/GENERIC). Change the
pseudo-device line, as follows:

pseudo-device pty128

Afterwards, compile and run this kernel.

Second, go to the /dev directory and create the new pty devices:

# cd /dev
# MAKEDEV pty0 pty1 pty2 pty3 pty4 pty5 pty6 pty7

Each pty# creates 16 master-slave pairs. Thus, making 8 sets, as shown
above, results in 8 * 16 = 128 ptys.

Third, add the new pty names to /etc/ttytab, following the examples
already present. The names are tty[pqrstuvw] [0123456789abcdef],
i.e., ttyp0 - ttypf, ttyq0 - ttyqf, ..., ttyw0 - ttywf.

3.2: How to Increase ptys on a Solaris Machine

You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time.

To increase the number of ptys (pseudo-terminal devices) under
Solaris 2.3, 2.4, and 2.5, two parameters MUST be entered into, or
modified in, the /etc/system file:

set pt_cnt=<number of ptys>
set npty=<number of ptys>

We also recommend, on 2.4 and 2.5, that you add or modify the following
two parameters in the /etc/system file:

set sad_cnt=<2x number specified in pt_cnt>
set nautopush=<same number specified in pt_cnt>

Then do a reconfiguration reboot for the changes to take effect (e.g. boot -r
at the boot "OK" prompt).

For example, to allow 128 ptys:

set pt_cnt=128
set npty=128
set sad_cnt=256
set nautopush=128


pt_cnt sets the number of ptys for System V, while npty sets the number
of ptys for BSD. sad_cnt and nautopush are STREAMS parameters and are
needed to support additional users and network resources (in particular
when using the NTS terminal server rtelnet).

sad_cnt is the number of STREAMS addressable devices; nautopush is the
number of STREAMS autopush entries.

In general:
nautopush should be the same as pt_cnt.
sad_cnt should be 2x the number of nautopush.
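The following script is an added example, not part of the original tip sheet: it reads the pty tunables out of an /etc/system-style file and checks them against the rules just given (nautopush equal to pt_cnt, sad_cnt twice nautopush). The two sample files it creates are constructed for the demonstration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tip sheet): verify that the pty
# tunables in an /etc/system-style file are present and consistent.

# Print the numeric value of one "set NAME=VALUE" tunable in file $1,
# or nothing if it is not set. The last uncommented match wins, which is
# what a later "set" line does in /etc/system as well.
system_tunable() {
    sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 if pt_cnt and npty are set and sad_cnt/nautopush (when present)
# follow the rules above; otherwise print a diagnosis and return 1.
check_pty_tunables() {
    f="$1"
    pt_cnt=$(system_tunable "$f" pt_cnt)
    npty=$(system_tunable "$f" npty)
    sad_cnt=$(system_tunable "$f" sad_cnt)
    nautopush=$(system_tunable "$f" nautopush)
    if [ -z "$pt_cnt" ] || [ -z "$npty" ]; then
        echo "pt_cnt and npty must both be set"
        return 1
    fi
    if [ -n "$nautopush" ] && [ "$nautopush" -ne "$pt_cnt" ]; then
        echo "nautopush ($nautopush) should equal pt_cnt ($pt_cnt)"
        return 1
    fi
    if [ -n "$sad_cnt" ] && [ -n "$nautopush" ] && [ "$sad_cnt" -ne $((2 * nautopush)) ]; then
        echo "sad_cnt ($sad_cnt) should be 2x nautopush ($((2 * nautopush)))"
        return 1
    fi
    echo "pty tunables consistent: pt_cnt=$pt_cnt npty=$npty sad_cnt=${sad_cnt:-unset} nautopush=${nautopush:-unset}"
    return 0
}

# Constructed samples: a consistent file and one whose sad_cnt was not doubled.
tmpd=$(mktemp -d)
cat > "$tmpd/system.good" <<'EOF'
* constructed /etc/system excerpt for 128 ptys
set pt_cnt=128
set npty=128
set sad_cnt=256
set nautopush=128
EOF
cat > "$tmpd/system.bad" <<'EOF'
* constructed /etc/system excerpt with an undersized sad_cnt
set pt_cnt=128
set npty=128
set sad_cnt=128
set nautopush=128
EOF

check_pty_tunables "$tmpd/system.good"
check_pty_tunables "$tmpd/system.bad" || echo "(second file rejected, as expected)"
```

Run it against a real /etc/system by passing that path to check_pty_tunables; the function only reads the file, so it is safe to run before a reconfiguration reboot to catch a typo such as sadcnt for sad_cnt, which the kernel would silently ignore.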

3.3: How to Allow/Disallow Remote root Logins under SunOS

root login permissions are controlled by the /etc/ttytab file under
SunOS. To change root login permissions, you must modify every single
'network' line in the /etc/ttytab file.

Root access over the network is granted, if all of the network ttys
are labeled secure:

ttyp0 none network off secure

Root access over the network is denied if all of the network ttys are
labeled unsecure:

ttyp0 none network off unsecure

After making changes to the ttytab, you must HUP process 1:

# kill -HUP 1

Alternatively, you can reboot the machine.

3.4: How to Allow/Disallow Remote root Logins under Solaris

In the file /etc/default/login, there is a CONSOLE line.

If this line is commented out, then root access over the network is
granted:

#CONSOLE=/dev/console

If the CONSOLE line is not commented out, root can only log in from the
console:

CONSOLE=/dev/console

Changes to this file will take effect at once.
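The script below is an added example, not part of the original tip sheet, covering both Sections 3.3 and 3.4: it reports which network ttys in a SunOS ttytab are marked secure (and so admit root over the network), and whether a Solaris /etc/default/login restricts root to the console. The ttytab and login excerpts are constructed samples; function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tip sheet): audit remote root login
# settings in a SunOS ttytab and a Solaris /etc/default/login.

# SunOS: print the names of network ttys whose comment field says "secure".
# Return 0 if at least one exists (root may log in over the network), else 1.
ttytab_remote_root_allowed() {
    # ttytab fields: name getty type status comment...; skip comment lines
    awk '$1 !~ /^#/ && NF >= 4 && $3 == "network" {
             for (i = 5; i <= NF; i++) if ($i == "secure") { print $1; found = 1 }
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Solaris: return 0 if an uncommented CONSOLE= line is present, meaning root
# can log in only on the console; 1 if it is missing or commented out.
login_console_restricted() {
    grep -q '^[[:space:]]*CONSOLE=' "$1"
}

tmpd=$(mktemp -d)
cat > "$tmpd/ttytab" <<'EOF'
# constructed SunOS ttytab excerpt
console "/usr/etc/getty cons8"    sun      on   local secure
ttya    "/usr/etc/getty std.9600" unknown  off  local secure
ttyp0   none                      network  off  secure
ttyp1   none                      network  off  unsecure
ttyp2   none                      network  off  secure
EOF
cat > "$tmpd/login.restricted" <<'EOF'
# constructed /etc/default/login excerpt
CONSOLE=/dev/console
PASSREQ=YES
EOF
cat > "$tmpd/login.open" <<'EOF'
# constructed /etc/default/login excerpt with CONSOLE commented out
#CONSOLE=/dev/console
PASSREQ=YES
EOF

echo "SunOS network ttys marked secure (root may log in through them):"
ttytab_remote_root_allowed "$tmpd/ttytab" || echo "(none)"

for f in login.restricted login.open; do
    if login_console_restricted "$tmpd/$f"; then
        echo "$f: root limited to the console"
    else
        echo "$f: root may log in over the network"
    fi
done
```

On a real host, pass /etc/ttytab or /etc/default/login to the matching function. A partially edited ttytab, with some network lines secure and others unsecure, is the case the first function exists to catch, since the text above requires every network line to agree.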

3.5: How to Add a Banner to a SunOS telnet Login

The best way to have a banner displayed before the telnet login is to
write a wrapper program:

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* print the banner, then hand the connection to the real daemon */
    system("/bin/cat /etc/telnetbanner");
    execl("/usr/etc/in.telnetd.real", "/usr/etc/in.telnetd.real", (char *)0);
    return 1;   /* only reached if execl() fails */
}

This wrapper would be compiled and installed as /usr/etc/in.telnetd, a
message would be installed into /etc/telnetbanner, and the original
in.telnetd would then be moved to in.telnetd.real.

Although this setup should work, it is not officially supported by
SunService.

3.6: How to Add a Banner to a Solaris telnet Login

Under Solaris 2.4 and higher, you can add a banner by utilizing the
/etc/issue file. Edit this file to contain your banner, and it will be
read and displayed before the login prompt.

%% cat /etc/issue
** USE THIS MACHINE AT YOUR OWN RISK **

%% telnet localhost
...
UNIX(r) System V Release 4.0 (psi)

** USE THIS MACHINE AT YOUR OWN RISK **

login:

This functionality is not available in versions of Solaris earlier
than 2.4; for those cases, you might want to try the workaround
described in Section 3.5, but it is not officially supported, and may
not work.

3.7: How to Grant rsh/rdist/rcp Permissions

If an individual user wants to be able to rsh into his account without
a password, or rdist or rcp into his account, he must create a .rhosts
file. This file should simply contain the name of the remote machine
which should have the rsh/rdist/rcp permissions, and also the name of
the user's account on that machine. For example:

%% cat ~/.rhosts
psi appel

The above .rhosts file would allow me to rsh, rdist or rcp to my
account from the account 'appel' on the machine 'psi'.

Root can also grant global permissions with the hosts.equiv file. This
file simply contains a list of remote machines:

%% cat /etc/hosts.equiv
psi

If a machine is listed, all users on that machine will be able to rsh,
rcp or rdist to the local machine, as long as they have accounts on
both machines with the same login name.

The above would grant this permission to the remote machine 'psi'.

The hosts.equiv man page lists other options available in that
configuration file.

3.8: How to rdist a Directory

The most common usage of rdist is to copy an entire directory
structure from one machine to another. This can be done with the
following command:

%% rdist -c directory remotemachine:/directory

In order for the above to work, rdist must be granted remote
permissions, as described in Section 3.7 above. This command may also
be set up in a distfile script, as is described in the rdist man page.

4.0: Some Frequently Asked Questions

4.1: General Remote Login Problems

Q: Why do I get one of the following errors when I try and log in to
my machine? This only occurs when many people are already logged in:

"xxx: could not grant slave pty."
"xxx: open /dev/ptmx: No such device"

A: These errors occur because your machine has run out of ptys. The
default number of ptys is 48, which will usually allow somewhere
around 30-35 users to log in. You simply need to increase the number
of ptys, and then rebuild your kernel. Sections 3.1 and 3.2 outline
how to increase the number of ptys.

Q: Why do I get the following message when I try and log in to my
Solaris machine:

"xxx: open /dev/logindmux: No such file or directory"

A: This is due to a bug in a Solaris patch which implements in-kernel
telnet. It can be corrected by adding the following line to the file
/etc/name_to_major:

logindmux 114

Afterwards, reboot the machine with the reconfigure option:

# touch /reconfigure
# reboot

When the machine comes back up, you should be able to log in
correctly.

Q: Why do I get a core dump from telnet/rlogin when I try and connect
to certain remote machines from my SunOS machine?

A: This is a known bug that occurs when a remote machine has multiple
addresses. It is fixed in the libc patch for 4.1.3 and 4.1.3_u1. See
section 5.1.1 below.

Q1: Why do the r-commands hang forever?
Q2: Why do telnet/rlogin give the following error:

"connect: Connection refused"

A: in.telnetd or in.rlogind are not being started up correctly on the
machine you are trying to connect to. Make sure that inetd is running
on that machine, and make sure that the following two lines are
uncommented in the /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind

(Locations will be slightly different on a SunOS machine).

If you have to make changes to inetd.conf, because the above lines are
missing, or commented out, you must restart inetd:

# kill -HUP inetd-pid
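As an added example, not part of the original tip sheet, the following script checks an inetd.conf-style file for the telnet and login services the answer above refers to: it tells whether each service line is present and uncommented, and which daemon path inetd would start. The inetd.conf excerpt is a constructed sample, and the function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the original tip sheet): find out whether a
# service is enabled in an inetd.conf-style file.

# Print the server program (6th field) of the first uncommented line whose
# service name is $2 in file $1 and return 0; return 1 if the service is
# missing or commented out (clients then see "Connection refused").
inetd_service_path() {
    awk -v svc="$2" '
        $1 !~ /^#/ && $1 == svc && NF >= 6 { print $6; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

tmpd=$(mktemp -d)
cat > "$tmpd/inetd.conf" <<'EOF'
# constructed Solaris inetd.conf excerpt: telnet on, rlogin commented out
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
EOF

# "login" is the rlogin service and "shell" the rsh service in inetd.conf.
for svc in telnet login shell; do
    if path=$(inetd_service_path "$tmpd/inetd.conf" "$svc"); then
        echo "$svc: enabled, started as $path"
    else
        echo "$svc: disabled or not listed; remote clients get 'Connection refused'"
    fi
done
```

The same function works the other way round for a defender: run it with /etc/inetd.conf and the names telnet, login and shell to list which of these cleartext services a host still offers.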

Q: Why do I get the following errors when I try and execute a remote
login:

"Network Unreachable"
"Host Unreachable"

A: These errors imply that routing is set up incorrectly to the
machine that you are trying to access. SunService has a separate Tip
Sheet dedicated to Routing problems.

4.2: General R-command Problems

Q1: Why do I get a 'Password:' prompt when I rsh or rlogin?
Q2: Why do I get 'Permission Denied' when I rcp or rdist?

A1: You do not have a .rhosts file on the remote machine, correctly
listing your local machine. Section 3.7 explains how to set up a
.rhosts file.

A2: You do have explicit permission to log in to the remote machine,
but the .rhosts file does not list your local machine under the name
the remote machine uses for it. For example, the .rhosts might list
your local machine's long host name (e.g., psi.corp.sun.com), while the
remote machine actually identifies it by the short name (e.g., psi);
alternatively, your .rhosts might read machine-le0, while the login
request actually arrives from machine-le1. You can test this by logging
in to the remote machine (supplying your password), and then examining
the .rhosts file:

%% cat .rhosts
psi.corp.sun.com appel

Afterwards, run "who", look for your own login, and see what name your
local machine is identified as:

%% who
appel pts/10 Oct 6 09:59 (psi)

In the above case, my .rhosts file reads 'psi.corp.sun.com' while the
remote machine identifies me as 'psi'. These names must match for rsh,
rcp or rdist to work. After I change my .rhosts file to reflect the
who, the logins will work correctly:

%% cat .rhosts
psi appel

(Note that the remote machine determines the name of your local machine
from the first name in the host entry returned by files, NIS, NIS+ or
DNS, depending on how your name services are set up. If you do not like
the way the remote machine identifies your local machine, determine
which of these name services is supplying the incorrect name, and
correct it there.)

Q: Why do some remote sites refuse to let me connect to them via the
r-commands, complaining that they can't lookup my name?

A: This is probably because the machine you are connecting from does
not have a DNS PTR record. You should consult your DNS maps, and
verify that both A and PTR records are being propagated for the
machine in question. SunService has a document on DNS which explains
this all more in depth.

Q: Why do I get the following error when I connect to a machine via
the r-commands:

"protocol error. Connection Closed."

A: This typically occurs because the permissions on in.rlogind are
incorrectly set on the machine you are trying to connect to.

On a SunOS machine, make sure in.rlogind has the following permissions:

-rwxr-xr-x 1 root staff 16384 Jan 20 1994 /usr/etc/in.rlogind

On a Solaris machine, make sure in.rlogind has the following permissions:

-r-xr-xr-x 1 bin bin 10848 Jul 15 1994 /usr/sbin/in.rlogind

4.3: rcp and rdist Specific Problems

Q1: Why does rcp/rdist fail, even though permissions are set up right?
Q2: Why do I get one of the following errors when I rcp/rdist:

"stty: TCGETS: operation not supported on socket"
"stty: : Invalid argument"

A: rcp and rdist will fail if certain types of commands exist in the
.cshrc of the account on the remote machine. You can temporarily fix
this by simply moving the .cshrc on the remote machine:

%% mv ~/.cshrc ~/.cshrc.DONOTUSE

Alternatively, you can correct the .cshrc so that rcp and rdist will
work right. You must surround all stty and echo statements in the
.cshrc with an if ($?prompt) then ... endif block, so that they run
only for interactive logins. For example, if the following line is in
your .cshrc:

stty dec

Change it to the following:

if ($?prompt) then
    stty dec
endif

If this is done to all stty and echo commands, you should be able to
rcp and rdist to that account correctly.

5.0: Patches

The following is the list of all of the remote login related patches
for 4.1.3, 4.1.3_u1, 4.1.4, 5.3 and 5.4. If you are having remote
login problems, installing the patches is a good place to start,
especially if you recognize the general symptoms noted below.

In order for a machine to be stable, all of the recommended patches
should be installed as well. The list of recommended patches for your
operating system is available from sunsolve1.sun.com.

5.1: Remote Login Patches for SunOS

100383-06 SunOS 4.0.3 4.1 4.1.1 4.1.2 4.1.3: rdist security and hard link

Fixes a security bug which could cause rdist to create setuid root
programs. Also fixes an rdist problem related to hard links.

100468-03 SunOS 4.1.1 4.1.2 4.1.3: rcp/rsh should use setsockopt to detec

Corrects a bug in rcp's behavior when a remote machine crashed, and
also a bug in rsh regarding processes with lots of open file
descriptors.

101673-01 SunOS 4.1.3 Point Patch: rsh hangs, talking to a heavily loaded

This point patch adds a -T (timeout) flag to rsh that can be used
when logging in to a heavily loaded machine.

101488-01 SunOS 4.1.1 4.1.2 4.1.3: TTY settings change when rlogin into a
101561-05 SunOS 4.1.3_U1: TTY settings change when rlogin into a 4.x syst

Corrects an error regarding flow control that showed up when logging
in to SunOS machine from a Solaris machine.

5.1.1: Related Patches for SunOS

100891-13 SunOS 4.1.3: international libc jumbo patch
100890-12 SunOS 4.1.3: domestic libc jumbo patch
101558-07 SunOS 4.1.3_U1: international libc jumbo patch
101759-03 SunOS 4.1.3_U1: domestic libc jumbo patch

Correct a problem where telnet, rlogin and other internet connection
programs coredump if they try and connect to a machine with multiple
A records. Please be sure to install the domestic version, and not
the international version, if you are in the US, because the
international version does not include encryption, which is
necessary for login to work correctly.

5.2: Remote Login Patches for Solaris

101494-01 SunOS 5.3: rdist will not remove remote directories

Fixes a bug where rdist -R would not remove remote directories that
no longer existed on the master.

101681-01 SunOS 5.3: telnet patch

Corrects bugs regarding pipes, and Sun/Dec interaction.

101318-75 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
101945-36 SunOS 5.4: jumbo patch for kernel
101946-29 SunOS 5.4_x86: telnetd performance improvement

Improves telnet and rlogin performance by incorporating them into
the kernel.



Reference: http://stone.backrush.com/sunfaq/lmh005.html
