Monday, June 11, 2012

rlogin and "Install UNIX Client Software"

When installing or upgrading the NetBackup agent for Solaris 10 remotely, one needs to enable rlogin/rsh.

Symantec has a tech note about this:

http://www.symantec.com/business/support/index?page=content&id=HOWTO19935

Basically, it enables rlogin with "inetadm -e svc:/network/login:rlogin" and creates a $HOME/.rhosts file with the proper entries.

However, when a Solaris 10 client has been hardened using JASS, CIS or similar tools, the above tech note is not enough. The following steps are needed to enable rlogin (without a password prompt) and rsh execution:

(1) Enable svc:/network/shell:default if it is not enabled;
(2) If TCP wrappers (/etc/hosts.allow, hosts.deny) or IP Filter are in use, allow rsh through them or disable these host-based firewall rules;
(3) Check the following two entries in /etc/pam.conf:

 rlogin        auth sufficient         pam_rhosts_auth.so.1

 rsh   auth sufficient         pam_rhosts_auth.so.1

        They are usually commented out by the hardening script and need to be uncommented in order to allow rsh.

        For example, they should look like this if you need to allow rsh:
# rsh service (explicit because of pam_rhost_auth,
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
......
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1

        Just FYI, if you accidentally comment out those "required" lines, you will get an "Insufficient credentials" error when you test rsh from a remote host:

master-server# rsh testhost1 ls
Insufficient credentials.

Before kicking off the remote installation, do a simple test from the NetBackup master server, such as:

master-server# rsh <client-hostname> ls /usr

         The above command should successfully list all files in the /usr directory on the remote client.

After the installation/upgrade of the NetBackup client, undo all the changes mentioned above to disable rsh.
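
To confirm the /etc/pam.conf state from step (3) before the install, and again after the changes have been undone, a check along these lines can be used. This is an added example, not part of the original post or the Symantec tech note; the function names pam_rhosts_state and audit_rcmd_pam are hypothetical, and it assumes a POSIX sh and awk (on Solaris 10, put /usr/xpg4/bin ahead of /usr/bin in PATH).

```shell
#!/bin/sh
# Added example: report the pam_rhosts_auth state for rsh and rlogin
# in a pam.conf-format file. Function names are hypothetical.
# Assumes POSIX sh and awk (Solaris 10: /usr/xpg4/bin/awk, not /usr/bin/awk).

# pam_rhosts_state FILE SERVICE
# Prints one of:
#   enabled      pam_rhosts_auth active and at least one active "auth required" line
#   no-required  pam_rhosts_auth active but no active "auth required" line
#                (the state the post associates with "Insufficient credentials")
#   disabled     pam_rhosts_auth absent or commented out (the hardened state)
pam_rhosts_state() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }                      # commented-out entries do not count
        $1 == svc && $2 == "auth" {
            if ($4 ~ /pam_rhosts_auth\.so/) rhosts = 1
            if ($3 == "required")           required++
        }
        END {
            if (!rhosts)        print "disabled"
            else if (!required) print "no-required"
            else                print "enabled"
        }' "$1"
}

# audit_rcmd_pam FILE EXPECTED
# Prints the state of both services; returns 0 only if both match EXPECTED.
audit_rcmd_pam() {
    rc=0
    for svc in rsh rlogin; do
        state=$(pam_rhosts_state "$1" "$svc")
        echo "$svc: $state"
        [ "$state" = "$2" ] || rc=1
    done
    return $rc
}

# Before the remote install:  audit_rcmd_pam /etc/pam.conf enabled
# After undoing the changes:  audit_rcmd_pam /etc/pam.conf disabled
```

A non-zero return from the "disabled" audit after the client upgrade means at least one pam_rhosts_auth entry is still active and the rollback is incomplete.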