I hadn't checked it, but I just did and we only restrict access for root via access.conf... good idea, though!
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Krizak
Sent: Thursday, August 16, 2007 11:00 AM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] .rhosts / hosts.equiv + netgroup subgroups broken?

Have you checked /etc/security/access.conf? That's the one that always screws us up...

Paul Krizak                         5900 E. Ben White Blvd. MS 625
Advanced Micro Devices              Austin, TX 78741
Linux/Unix Systems Engineering      Phone: (512) 602-8775
Silicon Design Division             Cell: (512) 791-0686

Collins, Kevin [MindWorks] wrote:
> I'm pretty sure it is PAM, since that is what authorizes the login...
> And you are testing this on RHEL5? It works fine on RHEL3 for me. Also,
> your ypmatches below don't list any hosts (although I understand what
> you are showing).
>
> I tried adding the "debug" option to pam_rhosts in /etc/pam.d/rsh and
> /etc/pam.d/rlogin, but I see NO extra output in any of my log files.
> Anyone know how to make it actually *show* debug output?
>
> My pam files look like this:
>
> ::::::::::::::
> rsh
> ::::::::::::::
> #%PAM-1.0
> # For root login to succeed here with pam_securetty, "rsh" must be
> # listed in /etc/securetty.
> auth required pam_nologin.so
> auth required pam_securetty.so
> auth required pam_env.so
> auth required pam_rhosts.so debug
> account include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
>
> ::::::::::::::
> rlogin
> ::::::::::::::
> #%PAM-1.0
> # For root login to succeed here with pam_securetty, "rlogin" must be
> # listed in /etc/securetty.
> auth required pam_nologin.so
> auth required pam_securetty.so
> auth required pam_env.so
> auth sufficient pam_rhosts.so debug
> auth include system-auth
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
>
> One other difference might be that I am using RFC2307 (NIS data stored
> in LDAP), but again, it works fine on my RHEL3 systems using the same
> data.
>
> Thanks,
>
> Kevin
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Krizak
> Sent: Thursday, August 16, 2007 9:21 AM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: Re: [rhelv5-list] .rhosts / hosts.equiv + netgroup subgroups
> broken?
>
> Works fine for me...
>
> [EMAIL PROTECTED] ~]$ cat /etc/hosts.equiv
> [EMAIL PROTECTED]
> [EMAIL PROTECTED] ~]$ ypmatch trusted_hosts netgroup
> mpd.trusted_hosts
> [EMAIL PROTECTED] ~]$ ypmatch mpd.trusted_hosts netgroup
> mpd.andc.trusted_hosts mpd.asdc.trusted_hosts mpd.bdc.trusted_hosts
> mpd.mhdc.trusted_hosts mpd.svdc.trusted_hosts
>
> And so on and so on.
>
> You sure the problem is with hosts.equiv/.rhosts? You might be facing a
> PAM issue...
>
> Paul Krizak                         5900 E. Ben White Blvd. MS 625
> Advanced Micro Devices              Austin, TX 78741
> Linux/Unix Systems Engineering      Phone: (512) 602-8775
> Silicon Design Division             Cell: (512) 791-0686
>
>
> Collins, Kevin [MindWorks] wrote:
>> Hi,
>>
>> it would appear that using an NIS netgroup entry in the .rhosts
>> or hosts.equiv files does not work as expected in RHEL5. Any hosts
>> included in the top-level netgroup work, but not in the sub-groups.
>>
>> As an example, this allows server1, server2 and server3 to rsh in:
>>
>> In netgroup:
>>
>> linux (server1,,) (server2,,) (server3,,)
>>
>> In .rhosts:
>>
>> [EMAIL PROTECTED]
>>
>>
>> while this only allows server2 to rsh in:
>>
>> In netgroup:
>>
>> linux sub1 sub2 (server2,,)
>> sub1 (server1,,)
>> sub2 (server3,,)
>>
>> This is not the behavior I have seen in the past on previous versions of
>> RHEL (including RHEL3 where it is working fine at the moment)... Has anyone
>> else seen this? I didn't find anything in bugzilla.
>>
>> Thanks,
>>
>> Kevin

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
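
The nested netgroup from the original report, expanded with and without sub-group recursion, as an added example (not code from the thread, glibc or PAM). It lists which hosts a full expansion trusts for rsh/rlogin versus what a top-level-only lookup yields; the function names are hypothetical, and the treatment of empty and "-" host fields follows netgroup(5).

```python
import re

# Netgroup map copied from the thread (the nested layout reported as failing).
NETGROUP_MAP = """\
linux sub1 sub2 (server2,,)
sub1 (server1,,)
sub2 (server3,,)
"""

# A (host,user,domain) triple; any field may be empty.
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroups(text):
    """Return {group: (host_fields, subgroup_names)} from netgroup-style lines."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        hosts = [m.group(1).strip() for m in TRIPLE.finditer(rest)]
        subgroups = TRIPLE.sub(" ", rest).split()  # what remains are group names
        groups[name] = (hosts, subgroups)
    return groups

def expand_hosts(groups, name, recurse=True, seen=None):
    """Hosts trusted via `name`; recurse=False mimics a top-level-only lookup."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:  # cycle or dangling sub-group
        return set()
    seen.add(name)
    hosts, subgroups = groups[name]
    # Empty host field is a wildcard (any host); "-" matches nothing.
    result = {h or "*" for h in hosts if h != "-"}
    if recurse:
        for sub in subgroups:
            result |= expand_hosts(groups, sub, True, seen)
    return result

def nested_only(groups, name):
    """Hosts that are trusted only through sub-groups of `name`."""
    return expand_hosts(groups, name) - expand_hosts(groups, name, recurse=False)

if __name__ == "__main__":
    g = parse_netgroups(NETGROUP_MAP)
    print("full expansion :", sorted(expand_hosts(g, "linux")))
    print("top-level only :", sorted(expand_hosts(g, "linux", recurse=False)))
    print("via sub-groups :", sorted(nested_only(g, "linux")))
```

A "*" in the output means a triple with an empty host field, which trusts every host and is worth reviewing wherever the group is referenced from hosts.equiv or .rhosts.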
