From owner-freebsd-stable Mon Oct 16 13:42:54 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from lerami.lerctr.org (lerami.lerctr.org [207.158.72.11])
	by hub.freebsd.org (Postfix) with ESMTP id 6CDCF37B66C
	for ; Mon, 16 Oct 2000 13:42:49 -0700 (PDT)
Received: (from ler@localhost)
	by lerami.lerctr.org (8.11.1/8.11.1/20000901) id e9GKgmx15249
	for freebsd-stable@freebsd.org; Mon, 16 Oct 2000 15:42:48 -0500 (CDT)
	(envelope-from ler)
Date: Mon, 16 Oct 2000 15:42:47 -0500
From: Larry Rosenman
To: freebsd-stable@freebsd.org
Subject: Re: turning off rcmd is premature
Message-ID: <20001016154247.A14929@lerami.lerctr.org>
References: <01C0351A.45CBF470.ggross@symark.com> <20001014154131.E13848@citusc17.usc.edu> <14827.26524.933168.86478@onceler.kciLink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.10i
In-Reply-To: <14827.26524.933168.86478@onceler.kciLink.com>; from khera@kciLink.com on Mon, Oct 16, 2000 at 04:39:56PM -0400
X-Mailer: Mutt http://www.mutt.org/
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The other way is to make pam_accept.so the required opt, and filter the
RSH ports.

It really is annoying, and NON-Obvious to a newbie.

And the logging is annoying at best.

Larry
* Vivek Khera [001016 15:40]:
> >>>>> "KK" == Kris Kennaway writes:
>
> KK> Removing 1 character from inetd.conf and typing "kill -HUP `cat
> KK> /var/run/inetd.pid`" is all that's required to enable a service again
> KK> for your system, if you're one of those people who need or want to use
> KK> one of them. That's not a big task.
>
> No; the following is required:
>
> fix /etc/inetd.conf
> fix /etc/pam.conf
> possibly fix /etc/hosts.allow
>
> then HUP inetd.
>
> The fix to /etc/pam.conf is not obvious. The following is what one
> would *expect* to work, but does not. One must revert back to the
> prior pam.conf line to make it work. The error reported from pam is
> "Conversation error":
>
> rshd auth required pam_unix.so try_first_pass
>
> this, however, does work:
>
> rshd auth sufficient pam_deny.so
>
> but logs a warning in /var/log/messages prior to allowing the access.
>
> But I still think that before these services were shut off by default,
> the completion of functionality under ssh should have been done, i.e.,
> rcmd(3) should be ssh-aware.
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Vivek Khera, Ph.D.                Khera Communications, Inc.
> Internet: khera@kciLink.com       Rockville, MD       +1-301-545-6996
> GPG & MIME spoken here            http://www.khera.org/~vivek/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Larry Rosenman                      http://www.lerctr.org/~ler
Phone: +1 972-414-9812 (voice)      Internet: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
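An added example, not part of the original messages: an audit sketch that reads the two files the thread says must both change, listing the r-services left enabled in inetd.conf next to the PAM auth lines for each daemon. The sample file contents are constructed, and using the daemon name from inetd.conf (for example `rshd`) as the pam.conf service name is an assumption based on the `rshd` lines quoted above.

```shell
#!/bin/sh
# Added audit sketch: correlate enabled r-services in inetd.conf with the
# PAM auth lines for the same daemon in pam.conf.
# Assumption: the pam.conf service name equals the daemon name (field 7).

# Print "service daemon" for each uncommented rsh/rlogin/rexec entry.
enabled_rservices() {
    awk '
        /^[ \t]*#/ || NF < 7 { next }    # skip commented-out or short lines
        $1 == "shell" || $1 == "login" || $1 == "exec" { print $1, $7 }
    ' "$1"
}

# Print "control module" for each auth line of service $2 in pam.conf $1.
pam_auth_stack() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        $1 == svc && $2 == "auth" { print $3, $4 }
    ' "$1"
}

# Constructed sample files written into directory $1 (not from a real host).
make_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp    stream  tcp nowait  root    /usr/libexec/ftpd   ftpd -l
shell   stream  tcp nowait  root    /usr/libexec/rshd   rshd
#login  stream  tcp nowait  root    /usr/libexec/rlogind    rlogind
EOF
    cat > "$1/pam.conf" <<'EOF'
# service type control module args
rshd    auth    required    pam_unix.so try_first_pass
sshd    auth    required    pam_unix.so try_first_pass
EOF
}

# Report every enabled r-service followed by its PAM auth lines.
audit() {
    enabled_rservices "$1" | while read -r svc daemon; do
        echo "ENABLED: $svc ($daemon)"
        pam_auth_stack "$2" "$daemon" | sed 's/^/  pam auth: /'
    done
}

tmp=$(mktemp -d)
make_samples "$tmp" && audit "$tmp/inetd.conf" "$tmp/pam.conf"
rm -rf "$tmp"
```

On a real host, call `audit /etc/inetd.conf /etc/pam.conf`; an empty result means no r-service line is uncommented.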