FW: [Slightly OT] 6.1 Root Login troubles
Ward William E PHDN
wardwe at nswcphdn.navy.mil
Mon Jun 19 12:22:40 PDT 2000
This is slightly OT, because it doesn't concern one of my actual Beowulf
nodes, and instead is one of the workstations I've set aside, but it's close
to the issues that concern Beowulf security, so I thought I'd throw it out
here to be looked at.
One of my workstations recently had to be reinstalled (my fault... I
accidentally hit the power switch during an upgrade from 5.2 to 6.1) and so,
after a complete install, I needed to reset the machine's login
capabilities, specifically, I need to allow root to login and telnet in.
Since the machine is NOT in my cluster, I don't want to allow standard rsh
or ssh, but I do want to allow rlogin (yes, I know, I should be using ssh
and slogin) since it can be seen by anyone on the internal network (it's on
a secure network, but is still much more exposed than in a cluster). By
using my own knowledge, I was able to modify the /etc/pam.d/rlogin file to
allow root logins... but I ran into a problem. If I set up pam to be
permissive, it will allow normal users to simply type their name without
requiring a password (during LOGIN, not rlogin... I'm talking someone at the
console, here). Root needs to have the root password, but can login
normally... I reverted to the original /etc/pam.d/rlogin file, and modified
it to be less permissive, and voila, mission accomplished. Normal users can
login as normal, and root can do an rlogin... BUT, there's a catch. When
root does an rlogin I get the following:
wew at otherhost> su
[root at otherhost]# rlogin pigpen
[root at pigpen]#
In other words, it asks for the password twice (but only for root) before
accepting the password and letting me in. If I don't properly enter the
password, I cannot login. While this is an annoyance for a user, it's not
an unlivable situation, except that I also have a cron job that goes to
every one of my machines to do remote backups (Veritas Netbackup) and this
breaks those scripts for pigpen (and since they are commercial, I can't
I finally broke down (when all else fails, read the manual) and checked the
Beowulf howto... and I'm exactly correct as near as I can tell with what
I've done, i.e., I'm "by the book", if I was trying to open up the node but
not putting in the remote hosts in my /etc/hosts.equiv nor putting in
.rhosts files for root, which would imply that I should only require the
user to login.
Oh, and since it's an obvious question, the reason I can do a restore is
that Netbackup can't logon to the machine... a perfect Catch-22. The
backups are perfect, I just can get them to the machine that needs them.
This all worked properly under 5.2, but doesn't work under 6.1 with the
fresh install... anyone have any ideas? Note, I haven't upgraded any
packages; this machine doesn't have internet access, but I can get the rpms
onto it if that's the final verdict.
Sorry for straying somewhat off-topic, but thanks in advance.
More information about the Beowulf