SCIENTIFIC-LINUX-USERS Archives

January 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Honest Guvnor <[log in to unmask]>
Reply To: Honest Guvnor <[log in to unmask]>
Date: Wed, 21 Jan 2009 12:52:00 +0100
On Wed, Jan 21, 2009 at 11:06 AM, Faye Gibbins
<[log in to unmask]> wrote:

> Yes rsh is a pain to set up. Please, please, please think about either:
>
> ssh

We are having some problems with ssh also. What we need is to have the
compute nodes passwordless to the host and each other. Unfortunately,
when we use ssh to connect from outside to the host and then onto a
node (there is no access to the nodes except via the host) the keys
set up for host+nodes do not work. Setting up sets of keys for all the
machines that might be used to access the host does not seem right. Is
there an rsh-type solution of just entries/keys for the host+nodes?

> or kerberosized rsh.

We were starting first with the simple solution. There is no intention
of using rsh to connect from outside to the host. As much security as
we can find is disabled on the compute nodes to avoid problems for
people wanting to compute and so anyone that can access the host has
open access to the nodes. However, we obviously want normal security
levels on the host for people connecting from outside.

> Check that your hosts.allow file is set up correctly on the server and that
> it can resolve properly,

Both allow and deny are empty. We tried ALL: ALL but it made no difference.

> also that rsh can open a channel back from the server to the client (yes this does
> happen).

I believe this is a significant possibility. Can you suggest a quick
route to find out what is happening, what ports are being used and
other relevant information?

> Comparing the setup on horst2 to that on meyer should show what the
> difference is.

There is no difference in behaviour although one is an SL5.1/x86_64
machine and the other is an SL5.2/i386. Neither machine can rsh to the
other without disabling their own firewall.

We had briefly looked at a 5-year-old Suse machine that had rsh
working. Rlogin works with no problems. Rsh:

[andy@meyer ~]$ /usr/bin/rsh -l andy dirac date
poll: protocol failure in circuit setup
andy@dirac:~> rsh -l andy meyer date
Wed Jan 21 12:40:21 CET 2009

Again, the problem seems to be with the firewall on the client machine.

Thanks for the input.
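
Added example, not part of the original message: for stderr, the rsh client sends a port number over its connection to rshd (TCP 514) and the server then opens a second connection back to that port on the client, which rlogin does not do. The sketch below reads `tcpdump -n` style lines captured on the client and reports whether that back connection was answered; the addresses, ports and capture lines are constructed for illustration.

```python
import re

# Constructed `tcpdump -n` style lines, as seen on the rsh client; addresses and
# ports are made up. 10.0.0.1 = client, 10.0.0.2 = server (rshd on TCP 514).
PRIMARY = """\
12:40:20.100000 IP 10.0.0.1.1023 > 10.0.0.2.514: Flags [S], seq 1, length 0
12:40:20.100200 IP 10.0.0.2.514 > 10.0.0.1.1023: Flags [S.], seq 9, ack 2, length 0
12:40:20.100400 IP 10.0.0.1.1023 > 10.0.0.2.514: Flags [P.], seq 2:7, ack 10, length 5
"""
# Server connects back for stderr; the client never answers (SYN is retransmitted).
SAMPLE_BLOCKED = PRIMARY + """\
12:40:20.101000 IP 10.0.0.2.1022 > 10.0.0.1.1022: Flags [S], seq 5, length 0
12:40:23.101000 IP 10.0.0.2.1022 > 10.0.0.1.1022: Flags [S], seq 5, length 0
"""
# Same exchange with the client accepting the back connection.
SAMPLE_OK = PRIMARY + """\
12:40:20.101000 IP 10.0.0.2.1022 > 10.0.0.1.1022: Flags [S], seq 5, length 0
12:40:20.101100 IP 10.0.0.1.1022 > 10.0.0.2.1022: Flags [S.], seq 7, ack 6, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line that matches."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def diagnose(capture, rsh_port=514):
    """Report each server-to-client back connection and whether it was answered."""
    pkts = list(parse(capture))
    findings = []
    for client, _, server, dport, flags in pkts:
        if flags != "S" or dport != rsh_port:
            continue  # only a client SYN to rshd starts a session
        # SYNs in the reverse direction are the server's stderr connection.
        backs = {(sp, dp) for s, sp, d, dp, f in pkts
                 if f == "S" and s == server and d == client}
        for sp, dp in sorted(backs):
            answered = any(f == "S." and (s, spt, d, dpt) == (client, dp, server, sp)
                           for s, spt, d, dpt, f in pkts)
            findings.append({"server_src_port": sp, "client_stderr_port": dp,
                             "answered": answered})
    return findings

if __name__ == "__main__":
    for name, cap in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        print(name, diagnose(cap))
```

An unanswered back connection in a capture taken on the client means the server's SYN arrived and nothing replied, which is what a client-side firewall dropping it looks like.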
