Thursday, May 24, 2012

Solaris 10 rsh password Problem

What I am asking is this:
I have a simple script which runs on "server1" with the commands below, for backup. It should use the DLT tape drive connected to "server2":
su - oracle -c "/oracle/scripts/dbctl.sh stop" 
ufsdump 0fu server2:/dev/rmt/0n /export/home/
su - oracle -c "/oracle/scripts/dbctl.sh start" 
So I have added "server2" to the /etc/hosts.equiv and /.rhosts files and created a link ("# ln -s /usr/bin/remsh server2") on "server1", so that I can take backups on the remote server using remsh. But on Solaris 10 it gives an error message:
DUMP: permission denied 
DUMP: Cannot connect to tape host `taiecs2' 
DUMP: The ENTIRE dump is aborted. 
because a password is asked for. For example:
# rsh server2 date 
permission denied 
I get this error message, and I want to be able to do this. Both machines are Solaris 5.10. I did not have this problem when both machines were Solaris 5.9.
How can I solve this problem?
Thanks a lot, best regards.


First, it is highly recommended that you disable rsh / remshell if you can,
and use ssh instead. Working as root between servers, especially using rsh,
is a very bad practice for so many security reasons. For similar reasons SUID
scripts are a bad practice; most systems don't permit them to function.
Second, if possible, run both via cron locally on each server instead of a
remote shell. If you must control it from one box, I would use sudo for the
command (and not require a password), and set up a "backup" account identity
to perform the work.
Set up a PKI key using ssh-keygen on the box you are starting from. Copy the
public key created on server1 to server2. Add the key to the authorization and
authorized_keys file (see man ssh or http://docs.sun.com for more help).
Per your original question, /etc/hosts.equiv or .rhosts in the user's home
directory on server2 (the file should be read-only and for the user only)
should contain user@server1 for server1 to initiate the contact.
(However, this approach is usually not permitted by most IT security
guidelines.)
Douglas Pavey 
Sr Unix Administrator 
Dedicated, strategic, adept troubleshooter, mentor, counselor 
Working to make the world better than I found it.
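The ssh-based arrangement the answer above describes (a dedicated backup account, key authentication, passwordless sudo for exactly one command), worked through as an added example; this is not code from the original post or its author. The account name "backup", the key path /var/adm/backup/id_rsa, the tape device /dev/rmt/0n, the 10k tape block size and the presence of a sudo that accepts -n on server2 are all assumptions. It is written in Bourne-shell syntax so that it also runs under the legacy Solaris 10 /bin/sh, which lacks $(...) and local.

```shell
#!/bin/sh
# Added example, not from the original post: the OP's backup job rebuilt on
# ssh instead of rsh, along the lines of the answer above (dedicated backup
# account, key authentication, passwordless sudo for exactly one command).
# Bourne-shell syntax so it runs under the legacy Solaris 10 /bin/sh.
# Assumed names: account "backup" on server2, key /var/adm/backup/id_rsa held
# by root on server1 (ufsdump must run as root to read the raw device), tape
# device /dev/rmt/0n, and a sudo on server2 that understands -n.

BACKUP_USER=backup
TAPE_HOST=server2
TAPE_DEV=/dev/rmt/0n
KEY=/var/adm/backup/id_rsa
# dd re-blocks the stream into 10k records; assumed to match ufsdump's default
# blocking factor of 20 x 512-byte blocks. Change both if you pass -b to ufsdump.
TAPE_CMD="/usr/bin/dd of=$TAPE_DEV obs=10k"

# authorized_keys line for server2: whatever the client asks to run, sshd runs
# only the forced command, only for connections from "$1", with no pty and no
# forwarding. Args: source host, forced command, one line of id_rsa.pub.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2" "$3"
}

# sudoers entry letting the backup account run the tape write, with those
# exact arguments, without a password. Args: user, host, command.
sudoers_line() {
    printf '%s %s = (root) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# One-time setup on server1 (as root): make the key pair and print the two
# lines to install on server2. The key has no passphrase because cron runs
# the job unattended; the forced command is what limits the damage if it leaks.
setup_keys() {
    [ -f "$KEY" ] || ssh-keygen -t rsa -b 2048 -N "" -f "$KEY"
    pub=`cat "$KEY.pub"`
    echo "### append to ~$BACKUP_USER/.ssh/authorized_keys on $TAPE_HOST:"
    restricted_key_line server1 "/usr/bin/sudo -n $TAPE_CMD" "$pub"
    echo "### add to /etc/sudoers on $TAPE_HOST (with visudo):"
    sudoers_line "$BACKUP_USER" "$TAPE_HOST" "$TAPE_CMD"
}

# The nightly job, from root's crontab on server1. Same three steps as the
# OP's script, but the dump goes down an ssh pipe instead of rsh, and the
# database is restarted even when the dump fails.
run_backup() {
    su - oracle -c "/oracle/scripts/dbctl.sh stop" || return 1
    ufsdump 0uf - /export/home |
        ssh -i "$KEY" -o BatchMode=yes -l "$BACKUP_USER" "$TAPE_HOST"
    rc=$?           # status of the remote dd; ufsdump reports its own failures on stderr
    su - oracle -c "/oracle/scripts/dbctl.sh start"
    return $rc
}

case "$1" in
    setup)  setup_keys ;;
    backup) run_backup ;;
esac
```

Run it once with `setup` as root on server1, paste the two printed lines into the backup account's authorized_keys and into sudoers on server2, then put `backup` in root's crontab. Because the client sends no command and sshd substitutes the forced one, a stolen key can only write to the tape; it cannot open a shell. If the backup account on server2 already has write access to the tape device, drop sudo and make the forced command the dd line itself.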
Recommend using SSH. 
However, to get rsh working, ensure the following is in place:

/etc/hosts.allow contains the list of IPs permitted for in.rshd & in.rlogind
the rsh & rlogin modules are enabled in /etc/pam.conf
the services svc:/network/login:rlogin & svc:/network/shell:default are online
on the target machine, ~/.rhosts contains the "hostname id" of the source host/user. This hostname should also exist in /etc/hosts

Hopefully, that should work! 
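An added audit script (not from the original post) that runs the checklist above on the target host and, separately, validates a .rhosts file the way in.rshd does: the file must be a plain file, owned by the user, with no group or other permission bits, and must carry an entry for the source host. Two points the checklist does not spell out are built in: /etc/hosts.allow is only consulted when the tcp_wrappers property is TRUE for the inetd service (check with inetadm), and hosts.equiv is not consulted for root at all, so root-to-root rsh depends on /.rhosts alone. The source host "server1", the account "root", and the Solaris 10 SMF and pam.conf layout are assumptions; netgroup (+@) entries are not handled. Bourne-shell syntax so it runs under the legacy Solaris 10 /bin/sh.

```shell
#!/bin/sh
# Added example, not from the original post: audit the rsh prerequisites
# listed in the answer above on the target host (server2 in the question), and
# validate .rhosts the way in.rshd does. Bourne-shell syntax, so it runs under
# the legacy Solaris 10 /bin/sh as well as a modern sh.
# Assumed: Solaris 10 SMF/inetadm/pam.conf layout; source host "server1";
# the OP's account is root, whose home (and so whose .rhosts) on Solaris is /.

# Is this .rhosts (or hosts.equiv) file acceptable to in.rshd? Parsed from
# "ls -ld" so it needs no GNU stat. Passes only a regular file, owned by the
# expected user, with no group/other permission bits at all; a symlink, a
# directory or a file readable/writable by others fails (the usual silent
# reason for "permission denied"). Args: file, expected owner.
rhosts_file_ok() {
    file=$1; want=$2
    info=`ls -ld "$file" 2>/dev/null` || return 1
    set -- $info                 # $1 = mode string, $3 = owner
    case "$1" in
        -???------*) ;;          # regular file, mode 0?00 (0600 or 0400)
        *) return 1 ;;
    esac
    [ "$3" = "$want" ]
}

# Does the file grant "remote_user" on "host" access to "local_user"?
# Line forms handled: "host" (same user name on both sides), "host user",
# "+" wildcards, and "-host" deny lines; first matching line wins.
# The host field must equal the name the source IP resolves to, which is why
# the answer says the source hostname must also be in /etc/hosts.
# Args: file, source host, remote user, local user.
rhosts_has_entry() {
    file=$1; host=$2; ruser=$3; luser=$4
    [ -f "$file" ] || return 1
    while read h u junk; do
        case "$h" in ''|'#'*) continue ;; esac
        [ "$h" = "-$host" ] && return 1          # explicit deny
        [ "$h" = "+" -o "$h" = "$host" ] || continue
        if [ -z "$u" ]; then
            [ "$ruser" = "$luser" ] && return 0
        elif [ "$u" = "+" -o "$u" = "$ruser" ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# Run the checklist on the target host. Args: source host, account.
audit() {
    src=$1; user=$2
    home=`getent passwd "$user" | cut -d: -f6`
    [ "$home" = / ] && home=                 # root: /.rhosts, not //.rhosts
    tab=`printf '\t'`
    for svc in svc:/network/shell:default svc:/network/login:rlogin; do
        echo "$svc: `svcs -H -o state $svc 2>/dev/null || echo missing`"
    done
    for m in rsh rlogin; do
        if grep "^$m[ $tab]" /etc/pam.conf >/dev/null 2>&1
        then echo "pam.conf: $m stack present"
        else echo "pam.conf: NO $m stack"
        fi
    done
    # /etc/hosts.allow only matters if tcp_wrappers is TRUE for the service
    inetadm -l svc:/network/shell:default 2>/dev/null | grep tcp_wrappers
    if getent hosts "$src" >/dev/null
    then echo "$src: resolves"
    else echo "$src: does NOT resolve; add it to /etc/hosts"
    fi
    # hosts.equiv is not consulted for root; root trust comes only from /.rhosts
    if rhosts_file_ok "$home/.rhosts" "$user"
    then echo "$home/.rhosts: owner/mode ok"
    else echo "$home/.rhosts: missing, not a plain file, wrong owner or too open"
    fi
    if rhosts_has_entry "$home/.rhosts" "$src" "$user" "$user"
    then echo "$home/.rhosts: grants $user@$src"
    else echo "$home/.rhosts: no entry for $user@$src"
    fi
}

case "$1" in
    audit) audit "$2" "$3" ;;     # e.g. sh rsh_audit.sh audit server1 root
esac
```

Run `sh rsh_audit.sh audit server1 root` on server2 and fix whatever line says NO or missing. The two helper functions are deliberately kept free of Solaris-only commands so they can be exercised anywhere; the audit function needs svcs, inetadm and getent as shipped with Solaris 10.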
