Message-ID: <1339014482.17656.YahooMailClassic@web171303.mail.ir2.yahoo.com>
Date: Wed, 6 Jun 2012 21:28:02 +0100 (BST)
From: Marilo
Reply-To: narium85-mlscar AT yahoo DOT co DOT uk
Subject: Re: why is rsh not running normally but is running rlogin?
To: cygwin AT cygwin DOT com
In-Reply-To: <1338283764.67862.YahooMailClassic@web28614.mail.ukl.yahoo.com>

--- On Tue, 29/5/12, Marilo wrote:

> From: Marilo
> Subject: why is rsh not running normally but is running rlogin?
> To: cygwin
> Date: Tuesday, 29 May, 2012, 10:29
>
> As mentioned, I am just trying rexec/rsh/rlogin, just as a test, on my
> few computers. I know ssh is more secure..
>
> I have uncommented these lines in inetd.conf
> shell   stream  tcp  nowait  root  /usr/sbin/tcpd rshd -L
> login   stream  tcp  nowait  root  /usr/sbin/tcpd rlogind
> exec    stream  tcp  nowait  root  /usr/sbin/tcpd rexecd
>
> When I try to run rsh locally, this happens
> $ rsh 127.0.0.1 ls
> Permission denied.
>

rsh uses .rhosts and I think permission denied comes when rsh doesn't see localhost/127.0.0.1 in .rhosts

btw, rexec uses .netrc

man rexec
"4. The $HOME/.netrc file will be searched.
See ftp(1) for a description of this file's format."

and if useful man rshd, man rexecd

> It doesn't even ask for a password.
>
> When I do rsh without a command, it launches rlogin. I know because it
> asks for a password I enter it push ENTER. Then it logs me in, and I
> run the ps command, and I see rlogin not rsh. And if I give a wrong
> username then I start doing ctrl-c ctrl-z.. it says rlogin.
> $ rsh -l sdf 127.0.0.1
> Password:
> Login incorrect
> login: Password:
> Login incorrect
> login: rlogin: connection closed.
>

looks like there's something about that in - man rshd

8. Rshd then validates the user using ruserok(3), which uses the file /etc/hosts.equiv and the .rhosts file found in the user's home directory. The -l option prevents ruserok(3) from doing any validation based on the user's ``.rhosts'' file (unless the user is the superuser and the -h option is used.) If the -h option is not used, superuser accounts may not be accessed via this service at all.

Looks like passwordless login doesn't work when you do -l

So, you have to be logged in with a user of the same username as the machine you're logging into. (doesn't have to be the same password though). Then you don't need -l and so it will read .rhosts

>
> Is that normal, and which implementations of rsh launch rlogin? BSD? GNU?
>

maybe all

http://en.wikipedia.org/wiki/Remote_Shell
After the command has finished rsh terminates. If no command is specified then rsh will log in on the remote system using rlogin.

> And why won't it run when I add a command?
> rexec runs locally with a command, but rsh doesn't.

Unix power tools says
"If the host is properly set up on the remote machine, then rsh will execute properly, and rlogin will no longer ask for a password when you try to connect to the remote machine. If not set up properly, then rlogin will prompt for a password, and rsh will fail with the message Permission Denied."

I haven't tested this much but it seems a bit like rsh without -l, if it gets far enough, either goes in automatically, or says permission denied.. it won't prompt for a password. rexec will go in automatically, or prompt for a password.

That aside, there are a number of things to check.. to try to get the logging in working.

I did see errors like (I may make a mistake in which solution corresponds to which error)

rcmd: 10.1.1.3:514: No error
(rcmd 'no error' error I think is fixed by adding to /etc/hosts )

and
rcmd: 10.1.1.3:514: Connection reset by peer
( I think was fixed by adding to /etc/hosts.allow
ALL : tepa : allow <-- where tepa is an example name of the host)
or the line
ALL : 10.1.1. : allow
)

and
blob.lan: Connection refused
(I think that was 'cos inetd wasn't started, a bit pathetic but anyway)

and
select: protocol failure in circuit setup
(I think this was when the firewall was preventing the rsh server from making a reverse connection to the client. )

$ cygcheck -l rsh-server
........
/usr/share/doc/Cygwin/rsh-server.README

$ cat /usr/share/doc/Cygwin/rsh-server.README
...
Finally, on the *client* machine, you may need to allow a 'program exception' in your firewall for the rsh client. The rsh protocol allows the client to specify an additional port (other than 514) that the server will contact, to send stderr information. This port is random, but you need to allow incoming connections on your *client* machine at that port. Windows has no 'stateful' filters for the rsh protocol, so you need to allow the rsh program to 'answer' on any port: thus, a 'program exception'. e.g.
.....

so, /etc/hosts, /etc/hosts.allow, /etc/hosts.deny, ~/.rhosts and the firewall opening the incoming ports and having the program exception ready for the reverse connection.

one could do one line in /etc/hosts.allow and an empty /etc/hosts.deny

and of course for rexec, there's .netrc

Anyhow, was just for familiarity.

I don't plan to use rsh as there's ssh which besides being more secure, can do passwordless logins better too. rsh and rlogin can only go in passwordless if the username at the 'from' computer is the same as the username at the 'to' computer. ssh along with its key-based authentication also happens to allow for more flexible passwordless authentication too and doesn't have that limitation.
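
Added example, not part of the original post: a small Python audit of the files this message names, reporting which r-services an inetd.conf enables, how the rshd options quoted from rshd(8) apply, and which hosts.equiv/.rhosts entries widen trust. The function names are hypothetical, the sample file contents are constructed, and the trust-file check is simplified (netgroups and negative entries are ignored).

```python
# Added example (not from the original post): audit rsh/rlogin/rexec exposure.
# All sample file contents below are constructed for illustration.
R_SERVICES = ("shell", "login", "exec")  # inetd names for rshd, rlogind, rexecd

def enabled_r_services(inetd_conf):
    """Map each uncommented r-service in inetd.conf text to its daemon argv."""
    found = {}
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        # Fields: service socket proto wait user server-program argv...
        if len(fields) >= 7 and fields[0] in R_SERVICES:
            found[fields[0]] = fields[6:]
    return found

def rshd_findings(argv):
    """Interpret rshd options as described in the rshd(8) text quoted above."""
    flags = set("".join(a[1:] for a in argv[1:] if a.startswith("-")))
    out = []
    if "l" not in flags:
        out.append("per-user .rhosts files are honoured (no -l)")
    if "h" in flags:
        out.append("superuser accounts reachable (-h)")
    return out

def trust_file_findings(text):
    """Flag wildcard and explicit-user entries in hosts.equiv/.rhosts text."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "+" in fields[:2]:
            out.append((lineno, "wildcard '+' entry"))
        elif len(fields) > 1:
            out.append((lineno, f"names remote user {fields[1]!r}"))
    return out

SAMPLE_INETD = """\
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd ftpd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd rshd -L
login   stream  tcp  nowait  root  /usr/sbin/tcpd rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/tcpd rexecd
"""
SAMPLE_RHOSTS = "# constructed sample\n127.0.0.1\ntepa sdf\n+ +\n"

if __name__ == "__main__":
    services = enabled_r_services(SAMPLE_INETD)
    print("enabled:", sorted(services))
    print("rshd:", rshd_findings(services.get("shell", ["rshd"])))
    for lineno, msg in trust_file_findings(SAMPLE_RHOSTS):
        print(f".rhosts line {lineno}: {msg}")
```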