Karel Zak <kzakredhat.com>
13-Dec-2004

1) /etc/xinetd.d/rsh

	service shell
	{
		socket_type             = stream
		wait                    = no
		user                    = root
		log_on_success          += USERID
		log_on_failure          += USERID
		server                  = /usr/sbin/in.rshd
		disable                 = no
	}

2) Restart your "xinetd" daemon:

	service xinetd restart

3) /etc/securetty
Don't forget check if "rsh" (or "rlogin", ...) is there.

4) Check connection from server to client.
All r[sh | login | exec] utils use two connections. One from client to server and second from server to client.

- check you client side iptables (firewall, NAT, ...)

5) Check if you server is able to convert client IP address to hostname.

- check DNS or /etc/hosts

6) Check your ~/.rhosts

- the best file permissions are "-rw-------"
- the client hostname must be full hostname, an example:

	foo.bar.com zakkr

- for example module "pam_nologin.so" can disable login if the file /etc/nologin exists. For more details read /usr/share/doc/pam-0.77/txts/README.pam_nologin

	auth       required     pam_rhosts_auth.so 

The client-server "rsh" protocol is not designed for other authentication than by .rhost files. For example pam_stack.so in section "auth" can corrupt the client/server connection if the "login" program sends password prompt to client. If you need authentication by password use "rlogin" or "ssh".

II. Notes

1) "rsh" with and without <command> are not same commands

"/usr/bin/rsh <host>" = is same as "rlogin <host>". It means you need to enabled "rlogin" on server!
"/usr/bin/rsh <host> <command> = this is normal "rsh"

2) In the Red Hat distributions you can found kerberosized versions of "rsh" (or "rlogin", ...).

"rsh" without exact path can be interpreted as "/usr/kerberos/bin/rsh".

III. Limits

1) The number of privileged ports is limited. The rsh (or rlogin, rcp, ...) uses privileged ports 512-1023. If all ports are used there is no space for a new connection. To check your server's ports status do:

	netstat -n --inet

2) TCP/IP connections doesn't end instantly but uses the TIME_WAIT state. The timeout of this state is cca 60s. It's possible that all your reserved ports are in TIME_WAIT state if you use connect and disconnect to server very very often.

IV. Troubleshooting

1) Check /var/log/messages. You can found there a lot of interesing information.

2) Your friend is "strace" program.

a) client:

		strace -f -o rsh-client.strace /usr/bin/rsh <host> <command>

Don't forget to user the "-f: option, it's important.

b) server:

- create shell script "/root/rsh-strace.sh"

		#!/bin/bash
		/usr/bin/strace -f -o /tmp/rsh-server.trace /usr/sbin/in.rshd

- change your /etc/xinetd.d/rsh

		service shell
		{
			socket_type             = stream
			wait                    = no
			user                    = root
			log_on_success          += USERID
			log_on_failure          += USERID
			server                  = /root/rsh-strace.sh
						#/usr/sbin/in.rshd
			disable                 = no
		}

The "server" option should be the path to the strace script.

- restart xinetd daemon

3) Reports bugs to http://bugzilla.redhat.com
It is a good idea to append the strace output to your bug report.