| Infodoc ID |
|
Synopsis |
|
Date |
| 12029 |
|
REMOTE LOGIN PSD/FAQ |
|
13 Oct 1999 |
SunService Tip Sheet for Remote Login Programs
Including telnet, rlogin, rsh, rcp, rdist, rcmd
Revision: 1.5
May 28, 1996
1.0: About Remote Login Programs
2.0: Debugging Remote Login Problems
2.1: General Debugging Advice
2.2: Performance Analyis
3.0: Common How Tos
3.1: How to Increase ptys on a SunOS Machine
3.2: How to Increase ptys on a Solaris Machine
3.3: How to Allow/Disallow Remote root Logins under SunOS
3.4: How to Allow/Disallow Remote root Logins under Solaris
3.5: How to Add a Banner to a SunOS telnet Login
3.6: How to Add a Banner to a Solaris telnet Login
3.7: How to Grant rsh/rdist/rcp Permissions
3.8: How to rdist a Directory
4.0: Some Frequently Asked Questions
4.1: General Remote Login Problems
4.2: General R-command Problems
4.3: rcp and rdist Specific Problems
5.0: Patches
5.1: Remote Login Patches for SunOS
5.2: Remote Login Patches for Solaris
6.0: Known Bugs & RFEs
7.0: References
7.1: Important man Pages
7.2: Sunsolve Documents
7.3: Sun Educational Services
7.4: Solaris Documentation
7.5: Third Party Documentation
7.6: RFCs
8.0: Supportability
9.0: Additional Support
1.0: About Remote Login Programs
This Tip Sheet documents a wide variety of information concerning the
various remote login programs supported under SunOS and Solaris. This
includes telnet, rlogin, rsh and the related r-commands, rcmd, rcp and
rdist. This Tip Sheet is intended as a guide to the most common remote
login problems. Other references which contain some documentation on
the remote login programs are noted in Section 7.0.
2.0 Debugging Remote Login Problems
2.1: General Debugging Advice
The remote login programs very rarely experience problems other than
those outlined in this Tip Sheet. If you are experiencing additional
problems, the commands etherfind (SunOS) or snoop (Solaris) may be
used to discover exactly what is occuring on the network, and the
commands trace (SunOS) or truss (Solaris) may be used to discover
exactly what the commands are doing when they fail. However, the
information that these commands provide is very technical, and not
always easy to interpret.
2.2: Performance Analysis
Problems involving remote login performance are beyond the scope of
service that SunService can provide. If you having problems with
remote login performance, consult Section 8.0 or 9.0 for where you can
get assistance from within Sun.
3.0 Common How Tos
3.1: How to Increase ptys on a SunOS Machine
You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time. The below example
increases the number of ptys to 128.
First, create a kernel with 128 ptys, by editing your kernel
configuration file (ie, /sys/sun4c/conf/GENERIC). Change the
pseudo-device line, as follows:
pseudo-device pty128
Afterwards, compile and run this kernel.
Second, go to the /dev directory and create the new pty devices:
# cd /dev
# MAKEDEV pty0 pty1 pty2 pty3 pty4 pty5 pty6 pty7
Each pty# creates 16 master-slave pairs. Thus, making 8 sets, as shown
above, results in 8 * 16 = 128 ptys.
Third, add the new pty names to /etc/ttytab, following the examples
already present. The names are tty[pqrstuvw] [0123456789abcdef],
i.e., ttyp0 - ttypf, ttyq0 - ttyqf, ..., ttyw0 - ttywf.
3.2: How to Increase ptys on a Solaris Machine
You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time.
To increase the number of ptys (pseudo-terminal devices) under
Solaris 2.3+, there are two different parameters that can be
used in the /etc/system file. The parameter pt_cnt is used to
specify the number of System V ptys are available. The parameter
npty is used to specify the number of BSD ptys are available.
Most Solaris utilities use System V ptys.
set pt_cnt=<number of System V ptys desired>
set npty=<number of BSD ptys desired>
Then do a reconfiguration reboot for the changes to take effect (e.g. boot -r
at the boot "OK" prompt).
For example to modify the system to allow 128 System V ptys and
64 BSD ptys:
set pt_cnt=128
set npty=64
3.3: How to Allow/Disallow Remote root Logins under SunOS
root login permissions are controlled by the /etc/ttytab file under
SunOS. To change root login permissions, you must modify every single
'network' line in the /etc/ttytab files.
Root access over the network is granted, if all of the network ttys
are labeled secure:
ttyp0 none network off secure
Root access over the network is denied if all of the network ttys are
labelled unsecure:
ttyp0 none network off unsecure
After making changes to the ttytab, you must HUP process 1:
# kill -HUP 1
Alternatively, you can reboot the machine.
3.4: How to Allow/Disallow Remote root Logins under Solaris
In the file /etc/default/login, there is a CONSOLE line.
If this line is commented out, then root access over the network is
granted:
#CONSOLE=/dev/console
If there is no comment in front of the CONSOLE line, root can only
login from the console.
CONSOLE=/dev/console
Changes to this file will take effect at once.
3.5: How to Add a Banner to a SunOS telnet Login
The best way to have a banner displayed before the telnet login: is to
write a wrapper program:
main ()
{
system("/bin/cat /etc/telnetbanner")
execl("/usr/etc/in.telnetd.real","/usr/etc/in.telnetd.real",(char *)0)
}
This wrapper would be compiled and installed as /usr/etc/in.telnetd, a
message would be installed into /etc/telnetbanner, and the original
in.telnetd would then be moved to in.telnetd.real.
Although this setup should work, it is not officially supported by
SunService.
3.6: How to add a Banner to a Solaris telnet Login
Under Solaris 2.4 and higher, you can add a banner by utilizing the
/etc/issue file. Edit this file to contain your banner, and it will be
read and displayed before the login prompt.
%% cat /etc/issue
** USE THIS MACHINE AT YOUR OWN RISK **
%% telnet localhost
...
UNIX(r) System V Release 4.0 (psi)
** USE THIS MACHINE AT YOUR OWN RISK **
login:
This functionality is not available in versions of Solaris earlier
than 2.4 for those cases, you might want to try the workaround
described in Section 3.5, but it is not officially supported, and may
not work.
3.7: How to Grant rsh/rdist/rcp Permissions
If an individual user wants to be able to rsh into his account without
password, or rdist or rcp into his account, he must create a .rhosts
file. This file should simply contain the name of the remote machine
which should have the rsh/rdist/rcp permissions, and also the name of
the user's account on that machine. For example:
%% cat ~/.rhosts
psi appel
The above .rhosts file would allow me to rsh, rdist or rcp to my
account from the account 'appel' on the machine 'psi'.
Root can also grant global permissions with the hosts.equiv file. This
file simply contains a list of remote machines:
%% cat /etc/hosts.equiv
psi
If a machine is listed, all users on that machine will be able to rsh,
rcp or rdist to the local machine, as long as they have accounts on
both machines with the same login name.
The above would grant this permission to the remote machine 'psi'.
The hosts.equiv man page lists other options available in that
configuration file.
3.8: How to rdist a Directory
The most common usage of rdist is to copy an entire directory
structure from one machine to another. This can be done with the
following command:
%% rdist -c directory remotemachine:/directory
In order for the above to work, rdist must be granted remote
permissions, as described in Section 3.7 above. This command may also
be set up in a distfile script, as is described in the rdist man page.
4.0 Some Frequently Asked Questions
4.1: General Remote Login Problems
Q: Why do I get one of the following errors when I try and log in to
my machine? This only occurs when many people are already logged in:
"xxx: could not grant slave pty."
"xxx: open /dev/ptmx: No such device"
A: These errors occur because your machine has run out of ptys. The
default number of ptys is 48, which will usually allow somewhere
around 30-35 users to log in. You simply need to increase the number
of ptys, and then rebuild your kernel. Sections 3.1 and 3.2 outline
how to increase the number of ptys.
Q: Why do I get the following message when I try and log in to my
Solaris machine:
"xxx: open /dev/logindmux: No such file or directory"
A: This is due to a bug in a Solaris patch which implements in-kernel
telnet. It can be corrected by adding the following line to the file
/etc/name_to_major:
logindmux 114
Afterwards, reboot the machine with the reconfigure option:
# touch /reconfigure
# reboot
When the machine comes back up, you should be able to log in
correctly.
Q: Why do I get a core dump from telnet/rlogin when I try and connect
to certain remote machines from my SunOS machine?
A: This is a known bug that occurs when a remote machine has multiple
addresses. It is fixed in the libc patch for 4.1.3 and 4.1.3_u1. See
section 5.1.1 below.
Q1: Why do the r-commands hang forever?
Q2: why do telnet/rlogin give the following error:
"connect: Connection refused"
A: in.telnetd or in.rlogind are not being started up correctly on the
machine you are trying to connect to. Make sure that inetd is running
on that machine, and make sure that the following two lines are
uncommented in the /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
(Locations will be slightly different on a SunOS machine).
If you have to make changes to inetd.conf, because the above lines are
missing, or commented out, you must restart inetd:
# kill -HUP inetd-pid
Q: Why do I get the following errors when I try and execute a remote
login:
"Network Unreachable"
"Host Unreachable"
A: These errors imply that routing is set up incorrectly to the
machine that you are trying to access. SunService has a seperate Tip
Sheet dedicated to Routing problems.
4.2: General R-command Problems
Q1: Why do I get a 'Password:' prompt when I rsh or rlogin?
Q2: Why do I get 'Permission Denied' when I rcp or rdist?
A1: You do not have a .rhosts file on the remote machine, correctly
listing your local machine. Section 3.7 explains how to set up a
.rhosts file.
A2: You are given explicit permissions to log in to the remote
machine, but the .rhosts file does not list your correct machine name.
For example, the .rhosts might mention your local machine's long host
name (ie, psi.corp.sun.com), while the remote machine actually
indentifies it by the short name (ie, psi) alternatively, your
.rhosts might read machine-le0, while the login request actually comes
from machine-le1. You can test this by logging in to the remote
machine (supplying your password), and then examining the .rhosts
file:
%% cat .rhosts
psi.corp.sun.com appel
Afterwards, run "who", look for your own login, and see what name your
local machine is identified as:
%% who
appel pts/10 Oct 6 09:59 (psi)
In the above case, my .rhosts file reads 'psi.corp.sun.com' while the
remote machine identifies me as 'psi'. These names must match for rsh,
rcp or rdist to work. After I change my .rhosts file to reflect the
who, the logins will work correctly:
%% cat .rhosts
psi appel
(It should be noted that the remote machine determines the name for
your local machine by looking in the first entry of files, NIS, NIS+
or DNS, depending on how you have your name services set up. If you do
not like the way your remote machine is identifying your local
machine, you will need to determine which of these name services is
providing the incorrect information, and correct it.)
Q: Why do some remote sites refuse to let me connect to them via the
r-commands, complaining that they can't lookup my name?
A: This is probably because the machine you are connecting from does
not have a DNS PTR record. You should consult your DNS maps, and
verify that both A and PTR records are being propagated for the
machine in question. SunService has a document on DNS which explains
this all more in depth.
Q: Why do I get the following error when I connect to a machine via
the r-commands:
"protocol error. Connection Closed."
A: This typically occurs because the permissions on in.rlogind are
incorrectly set on the machine you are trying to connect to.
On a SunOS machine, make sure in.rlogind has the following perms:
-rwxr-xr-x 1 root staff 16384 Jan 20 1994 /usr/etc/in.rlogind
On a Solaris machine, make sure in.rlogind has the following perms:
-r-xr-xr-x 1 bin bin 10848 Jul 15 1994 /usr/sbin/in.rlogind
4.3: rcp and rdist Specific Problems
Q1: Why does rcp/rdist fail, even though permissions are set up right?
Q2: Why do I get one of the following errors when I rcp/rdist:
"stty: TCGETS: operation not supported on socket"
"stty: : Invalid argument"
A: rcp and rdist will fail if certain types of commands exist in the
.cshrc of the account on the remote machine. You can temporarily fix
this by simply moving the .cshrc on the remote machine:
%% mv ~/.cshrc ~/.cshrc.DONOTUSE
Alternatively, you can correct the .cshrc so that rcp and rdist will
work right. You must surround all stty and echo statements in the
.cshrc with an if ($?prompt) endif combination. For example, if the
following line is in your .cshrc:
stty dec
Change it to the following:
if ($?prompt) then
stty dec
endif
If this is done to all stty and echo commands, you should be able to
rcp and rdist to that account correctly.
5.0: Patches
The following is the list of all of the remote login related patches
for 4.1.3, 4.1.3_u1, 4.1.4, 5.3 and 5.4. If you are having remote
login problems, installing the patches is a good place to start,
especially if you recognize the general symptoms noted below.
In order for a machine to be stable, all of the recommended patches
should be installed as well. The list of recommended patches for your
operating system is available from sunsolve.sun.com.
5.1: Remote Login Patches for SunOS
100383-06 SunOS 4.0.3 4.1 4.1.1 4.1.2 4.1.3: rdist security and hard link
Fixes a security bug which could cause rdist to create setuid root
programs. Also fixes an rdist problem related to hard links.
100468-03 SunOS 4.1.1 4.1.2 4.1.3: rcp/rsh should use setsockopt to detec
Corrects a bug in rcp's behavior when a remote machine crashed, and
also a bug in rsh regarding processes with lots of open file
descriptors.
101673-01 SunOS 4.1.3 Point Patch: rsh hangs, talking to a heavily loaded
This point patch adds a -T (timeout) flag to rsh that can be used
when logging in to a heavily loaded machine.
101488-01 SunOS 4.1.1 4.1.2 4.1.3: TTY settings change when rlogin into a
101561-05 SunOS 4.1.3_U1: TTY settings change when rlogin into a 4.x syst
Corrects an error regarding flow control that showed up when logging
in to SunOS machine from a Solaris machine.
5.1.1: Related Patches for SunOS
100891-13 SunOS 4.1.3: international libc jumbo patch
100890-12 SunOS 4.1.3: domestic libc jumbo patch
101558-07 SunOS 4.1.3_U1: international libc jumbo patch
101759-03 SunOS 4.1.3_U1: domestic libc jumbo patch
Correct a problem where telnet, rlogin and other internet connection
programs coredump if they try and connect to a machine with multiple
A records. Please be sure to install the domestic version, and not
the international version, if you are in the US, because the
international version does not include encryption, which is
necessary for login to work correctly.
5.2: Remote Login Patches for Solaris
101494-01 SunOS 5.3: rdist will not remove remote directories
Fixes a bug where rdist -R would not remove remote directories that
no longer existed on the master.
101681-01 SunOS 5.3: telnet patch
Corrects bugs regarding pipes, and Sun/Dec interaction.
101318-75 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
101945-36 SunOS 5.4: jumbo patch for kernel
101946-29 SunOS 5.4_x86: telnetd performance improvement
Improves telnet and rlogin performance by incorporating them into
the kernel.
6.0: Known Bugs & RFEs
There are no known open bugs or rfes on the remote login commands.
7.0 References
7.1: Important man Pages
hosts.equiv
rcmd
rcp
rdist
rlogin
rlogind
rsh
telnet
telnetd
7.2: Sunsolve Documents
There are a number of Sunsolve documents concerning remote logins.
The ones listed below either contain some additional information not
in this document, or reference some extremely rare problems.
7.2.1: FAQs
1286 Relationship between telnet and inetd.conf
7.2.2: Infodocs
2177 rlogind daemon
2189 telnetd daemon
7.2.3: SRDBs
4323 Unable to enter password upon login, rlogin, telnet, ft
4905 login or rlogin fails with: crt0: no dev zero
5114 rlogin gives "socket: permission denied" errors and abo
6253 rlogin, telnet, and rsh, command failures
7357 rsh (remote) does not execute the .login or .profile fi
7.3: Sun Educational Services
[pending]
7.4: Solaris Documentation
[pending]
7.5: Third Party Documentation
_TCP/IP Illustrated, Volume 1_, by W. Richard Stevens, published by
Addison-Wesley, ISBN #0-201-63346-9
Gives interesting information on how the telnet and rlogin protocols
work.
_TCP/IP Network Administration_, by Craig Hunt, published by O'Reilly
& Associates, ISBN #0-937175-82-X
Includes a couple of pages which give a basic run-down of the r
commands.
7.6: RFCs
RFCs are the internet-written documents that define the specifications
of many common networking programs. RFCs can be retrieved from
nic.ddn.mil, in the /rfc directory, or through WWW at
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
There are a huge number of RFCs concerning telnet. Only the main spec
is listed below.
854 Telnet Protocol specification
The basic specs for the internet telnet protocol.
1282 BSD Rlogin
Definition of the BSD rlogin implementation.
8.0: Supportability
SunService is not responsible for the initial configuration of your
network, nor for performance problems related to remote logins.
We can help resolve problems where remote login programs are not
behaving correctly, but in such cases the contact must be a system
administrator who has a good understanding of the layout of your
network.
9.0: Additional Support
For initial network configuration, or for remote login performance
help, please contact your local SunService office for possible
consulting offerings. Sun's Customer Relations organization can put
you in touch with your local SunIntegration or Sales office. You can
reach Customer Relations at 800-821-4643.
Top
Sun Proprietary/Confidential: Internal Use Only
Feedback to SunSolve Team
