LinuxQuestions.org
Old 11-30-2010, 12:05 PM   #1
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Rep: Reputation: 6
Question RSH Logins Not working


My new company is using rsh to connect to remote machines and run some scripts. We have a problem where we cannot connect from one machine to another. I am trying to find out what ports rsh is using. I have looked in /etc/services file and there are a bunch listed. Looking at the file it looks to me like rsh is using ports 513/514 or 543/544.

Can someone verify this for me?

Command to rsh:
rsh server_name -l account_name /script/script.ksh

Gets following error:
stderr=server_name: Permission denied.
rsh: can't establish connection.

On both of the servers involved both server names are in the .rhost files with the correct user.

Any help would be great.
 
Old 11-30-2010, 12:48 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by d072330
My new company is using rsh to connect to remote machines and run some scripts. We have a problem where we cannot connect from one machine to another. I am trying to find out what ports rsh is using. I have looked in /etc/services file and there are a bunch listed. Looking at the file it looks to me like rsh is using ports 513/514 or 543/544.

Can someone verify this for me?

Command to rsh:
rsh server_name -l account_name /script/script.ksh

Gets following error:
stderr=server_name: Permission denied.
rsh: can't establish connection.

On both of the servers involved both server names are in the .rhost files with the correct user.

Any help would be great.

A handy list of port numbers, from IANA:
http://www.iana.org/assignments/port-numbers

And are the names of the servers specified somewhere (DNS, /etc/hosts, etc.)? You say they're specified in the .rhost files, but could be trying to do a reverse-lookup by FQDN. Just a thought.

And another thought...is this new company crazy? RSH in 2010? You could/should easily use SSH to do this.
 
Old 11-30-2010, 12:54 PM   #3
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Tell me about it. Only been here for a month now and don't want to make any crazy changes just yet. The use of rsh will be gone early 2011 if I have my way LOL.

In regards to FQDN these machines are in DNS and dig resolves the names so don't think that is the issue. I do think it is a firewall issue but thought I would be proactive and do some searching since I have never used rsh (before my time, I guess LOL).

The end user cannot telnet server_name 513/514/543/544 right now. I do believe it is a firewall issue.
 
Old 11-30-2010, 02:00 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by d072330
Tell me about it. Only been here for a month now and don't want to make any crazy changes just yet. The use of rsh will be gone early 2011 if I have my way LOL.

In regards to FQDN these machines are in DNS and dig resolves the names so don't think that is the issue. I do think it is a firewall issue but thought I would be proactive and do some searching since I have never used rsh (before my time, I guess LOL).

The end user cannot telnet server_name 513/514/543/544 right now. I do believe it is a firewall issue.

I think you hit it on the head, there. Since you can dig and get proper name resolution, but can't telnet to those ports, chances are it's blocked somehow. Just on a "you probably checked it, but have to ask" vein, can you rsh locally on that box? Check IP tables? Enable the service? On my openSUSE systems, rsh-server is disabled by default, and you have to edit the /etc/xinetd.d/rsh file, and set "disable=no", then bounce the xinetd service. And are you running SELinux by any chance?
 
Old 11-30-2010, 02:27 PM   #5
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Quote:
can you rsh locally on that box?
Got a command to do this? I am assuming it is rsh localhost pwd or something to that fashion.

Quote:
Check IP tables?
IP tables is off.

Quote:
Enable the service?
These are the listed xinetd based services and their status:

xinetd based services:
eklogin: off
ekrb5-telnet: off
klogin: off
krb5-telnet: on
kshell: off
rexec: off
rlogin: on
rsh: on

Quote:
On my openSUSE systems, rsh-server is disabled by default, and you have to edit the /etc/xinetd.d/rsh file, and set "disable=no", then bounce the xinetd service.
/etc/xinetd.d/rsh file (no changes were made):
service shell
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    log_on_success += USERID
    log_on_failure += USERID
    server = /usr/sbin/in.rshd
}

Quote:
And are you running SElinux by any chance?
SELINUX=disabled
 
Old 11-30-2010, 02:42 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by d072330
Got a command to do this? I am assuming it is rsh localhost pwd or something to that fashion.

Kind of assumed you'd have checked all of the above already, but sometimes it's the obvious things that get overlooked.

Try "rsh -K -l <username> localhost", and see if that goes. You can also try it with a "-d" to turn on socket-debugging, then check your /var/log/messages file for messages.
 
Old 11-30-2010, 03:01 PM   #7
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
rsh -l username localhost
connect to address 127.0.0.1 port 543: Connection refused
Trying krb4 rlogin...
connect to address 127.0.0.1 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Password:

It does not like the -k or -K options:

usage: rsh host [ -PN / -PO ] [ -l login ] [ -n ] [ -x ] [ -f / -F] command
OR rsh [ -PN / -PO ] [ -l login ] [-n ] [ -x ] [ -f / -F ] host command

I thought by using the .rhosts file you did not have to specify a password?
 
Old 11-30-2010, 03:08 PM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by d072330
rsh -l username localhost
connect to address 127.0.0.1 port 543: Connection refused
Trying krb4 rlogin...
connect to address 127.0.0.1 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Password:

It does not like the -k or -K options:

usage: rsh host [ -PN / -PO ] [ -l login ] [ -n ] [ -x ] [ -f / -F] command
OR rsh [ -PN / -PO ] [ -l login ] [-n ] [ -x ] [ -f / -F ] host command

I thought by using the .rhosts file you did not have to specify a password?

I think that's right, but it's been so long since I've used RSH, I'm not sure. The -K option on openSUSE's rsh client disables Kerberos checking...what version/distro on your workstation/server?
 
Old 11-30-2010, 05:54 PM   #9
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Was told by network team via screen shot that the ports are opened.

I am seeing in the messages file this error when the end user tries to connect:

Nov 30 16:49:34 server xinetd[11964]: START: shell pid=12062 from=XXX.XXX.XXX.XXX
Nov 30 16:49:34 server rshd[12062]: rsh denied to Remote_server_username@testedi.XXX.XXXX.com as user_account: Permission denied.
Nov 30 16:49:34 server xinetd[11964]: EXIT: shell status=1 pid=12062 duration=0(sec)

Note user_account and Remote_server_username are different. Don't know if that is where the problem is.
 
Old 12-01-2010, 08:27 AM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,604

Rep: Reputation: 7960
Quote:
Originally Posted by d072330
Was told by network team via screen shot that the ports are opened.

I am seeing in the messages file this error when the end user tries to connect:

Nov 30 16:49:34 server xinetd[11964]: START: shell pid=12062 from=XXX.XXX.XXX.XXX
Nov 30 16:49:34 server rshd[12062]: rsh denied to Remote_server_username@testedi.XXX.XXXX.com as user_account: Permission denied.
Nov 30 16:49:34 server xinetd[11964]: EXIT: shell status=1 pid=12062 duration=0(sec)

Note user_account and Remote_server_username are different. Don't know if that is where the problem is.

Could be. In the version of RSH that I have on openSUSE, I can specify both the host and user name manually. Don't know if your version of RSH can, but it's worth a try. Might want to try rlogin as well, to see if that gives you any more verbose messages.
 
Old 12-02-2010, 10:45 AM   #11
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Found the problem. The .rhosts file had 100+ entries so it was easy to miss until I organized the list by server/user. Once this was done it was noticed that the user was missing.

Original entry:
test01.XXX.XXX.com User01
test01.XXX.XXX.com

Missing Entry
test01.XXX.XXX.com User02

Problem now is it works sometimes and then does not work other times. It is like the remote machine that is trying to rsh to the server has some sort of cache going on or something, like the session never died off properly and so when they try to rsh again it gives permission denied. They wait 5 minutes and then it works again. No other machine is having this issue using rsh into the server.

Any thoughts LOL?
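
Added example, not part of the original thread: a POSIX shell audit for an rsh trust file that checks whether a given remote host/user pair is actually listed (the question a 100+ entry .rhosts makes hard to answer by eye) and flags wildcard entries and group/world-writable modes. The function names, host names, user names and file contents are constructed; matching is simplified to exact host and user fields and ignores netgroups and negated entries.

```shell
#!/bin/sh
# Added example: audit an rsh trust file (.rhosts or hosts.equiv).
# All host names, user names and file contents are constructed samples.

# rhosts_lookup FILE REMOTE_HOST REMOTE_USER LOCAL_USER
# REMOTE_HOST should be the name rshd logged for the client.
# Prints "match line N" for the first entry trusting the pair, else "no match".
# Simplified: exact fields only; netgroups and negated entries are ignored.
rhosts_lookup() {
    awk -v h="$2" -v ru="$3" -v lu="$4" '
        NF == 0 || $1 ~ /^#/ { next }             # skip blanks and comments
        tolower($1) == tolower(h) || $1 == "+" {
            # a host-only line trusts only the same-named remote user
            if ((NF == 1 && ru == lu) || $2 == ru || $2 == "+") {
                print "match line " NR; found = 1; exit
            }
        }
        END { if (!found) print "no match" }
    ' "$1"
}

# rhosts_risks FILE
# Prints one finding per line: wildcard entries and unsafe file modes.
rhosts_risks() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 ~ /^[+]/ || $2 ~ /^[+]/ { print "wildcard line " NR ": " $0 }' "$1"
    # a group- or world-writable trust file lets other accounts add entries
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable by group/other: $1"
    fi
}

demo() {
    f=$(mktemp) && chmod 644 "$f"
    printf '%s\n' 'test01.example.com User01' 'test01.example.com' > "$f"
    rhosts_lookup "$f" test01.example.com User02 user_account   # entry missing
    printf '%s\n' 'test01.example.com User02' >> "$f"
    rhosts_lookup "$f" test01.example.com User02 user_account   # entry present
    rhosts_risks "$f"                                           # no findings
    rm -f "$f"
}
demo
```

Run the lookup with the remote user and client host name exactly as they appear in the rshd "denied" line in /var/log/messages, and the local account as the last argument.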
 
Old 12-02-2010, 02:52 PM   #12
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
Made two changes that seem to have fixed the problem. We will see in a couple of hours or tomorrow if they worked because after some time has passed it seems to stop working.


Latest changes:
made the .rhosts file 644 permissions.
added the test server to the hosts.equiv file in /etc.

Wish me luck with this old a#$ crap.
 
Old 01-14-2011, 03:05 PM   #13
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS 5/6
Posts: 186

Original Poster
Rep: Reputation: 6
I have created a cron job to touch the .rhost file once a night and for some strange reason this is working. If anyone has any ideas on why this works please let me know.

Discovered this when the machine locked my user out. Once I was locked out I edited the file to make sure I was there and thus this updated the timestamp on the file and then I was able to get in using rsh commands.
 
Old 11-08-2012, 10:08 AM   #14
brewquest
LQ Newbie
 
Registered: Nov 2012
Posts: 1

Rep: Reputation: Disabled
I had the same problem getting a permission denied error. I was able to fix this by creating a file /etc/hosts.equiv with all the hostnames and usernames.

Hope this helps!
 
  

