Subject: Remote Login Tip
Description:

Tip Sheet for Remote Login Programs
Including telnet, rlogin, rsh, rcp, rdist, rcmd

Section

1.0: About Remote Login Programs
2.0: Debugging Remote Login Problems
    2.1: General Debugging Advice
    2.2: Performance Analysis
3.0: Common How Tos
    3.1: How to Increase ptys on a SunOS Machine
    3.2: How to Increase ptys on a Solaris Machine
    3.3: How to Allow/Disallow Remote root Logins under SunOS
    3.4: How to Allow/Disallow Remote root Logins under Solaris
    3.5: How to Add a Banner to a SunOS telnet Login
    3.6: How to Add a Banner to a Solaris telnet Login
    3.7: How to Grant rsh/rdist/rcp Permissions
    3.8: How to rdist a Directory
4.0: Some Frequently Asked Questions
    4.1: General Remote Login Problems
    4.2: General R-command Problems
    4.3: rcp and rdist Specific Problems
5.0: Patches
    5.1: Remote Login Patches for SunOS
    5.2: Remote Login Patches for Solaris

Content

1.0: About Remote Login Programs

This Tip Sheet documents a wide variety of information concerning the
various remote login programs supported under SunOS and Solaris. This
includes telnet, rlogin, rsh and the related r-commands, rcmd, rcp and
rdist.

This Tip Sheet is intended as a guide to the most common remote login
problems. Other references which contain some documentation on the
remote login programs are noted in Section 7.0.

2.0: Debugging Remote Login Problems

2.1: General Debugging Advice

The remote login programs very rarely experience problems other than
those outlined in this Tip Sheet. If you are experiencing additional
problems, the commands etherfind (SunOS) or snoop (Solaris) may be used
to discover exactly what is occurring on the network, and the commands
trace (SunOS) or truss (Solaris) may be used to discover exactly what
the commands are doing when they fail. However, the information that
these commands provide is very technical, and not always easy to
interpret.

2.2: Performance Analysis

Problems involving remote login performance are beyond the scope of
service that SunService can provide. If you are having problems with
remote login performance, consult Section 8.0 or 9.0 for where you can
get assistance from within Sun.

3.0: Common How Tos

3.1: How to Increase ptys on a SunOS Machine

You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time. The example below
increases the number of ptys to 128.

First, create a kernel with 128 ptys by editing your kernel
configuration file (e.g., /sys/sun4c/conf/GENERIC). Change the
pseudo-device line as follows:

    pseudo-device pty128

Afterwards, compile and run this kernel.

Second, go to the /dev directory and create the new pty devices:

    # cd /dev
    # MAKEDEV pty0 pty1 pty2 pty3 pty4 pty5 pty6 pty7

Each pty# creates 16 master-slave pairs. Thus, making 8 sets, as shown
above, results in 8 * 16 = 128 ptys.

Third, add the new pty names to /etc/ttytab, following the examples
already present. The names are tty[pqrstuvw][0123456789abcdef], i.e.,
ttyp0 - ttypf, ttyq0 - ttyqf, ..., ttyw0 - ttywf.

3.2: How to Increase ptys on a Solaris Machine

You may want to increase your number of ptys to allow more people to
make remote logins to your machine at one time.

To increase the number of ptys (pseudo-terminal devices) under Solaris
2.3, 2.4, and 2.5, two parameters MUST be entered into, or modified in,
the /etc/system file:

    set pt_cnt=
    set npty=

For 2.4 and 2.5, we also recommend that you add or modify the following
two parameters in the /etc/system file:

    set sadcnt=<2x number specified in pt_cnt>
    set nautopush=

Then do a reconfiguration reboot for the changes to take effect (e.g.,
boot -r at the boot "OK" prompt).

For example, to allow 128 ptys:

    set pt_cnt=128
    set npty=128
    set sadcnt=256
    set nautopush=128

pt_cnt sets the number of ptys for System V, while npty sets the number
of ptys for BSD.
sadcnt and nautopush are STREAMS parameters and are needed to support
additional users and network resources (in particular when using NTS
terminal server rtelnet).

    sadcnt is the number of streams addressable devices
    nautopush is the number of streams autopush entries

In general:

    nautopush should be the same as pt_cnt.
    sadcnt should be 2x number of nautopush.

3.3: How to Allow/Disallow Remote root Logins under SunOS

Root login permissions are controlled by the /etc/ttytab file under
SunOS. To change root login permissions, you must modify every single
'network' line in the /etc/ttytab file.

Root access over the network is granted if all of the network ttys are
labeled secure:

    ttyp0 none network off secure

Root access over the network is denied if all of the network ttys are
labeled unsecure:

    ttyp0 none network off unsecure

After making changes to the ttytab, you must HUP process 1:

    # kill -HUP 1

Alternatively, you can reboot the machine.

3.4: How to Allow/Disallow Remote root Logins under Solaris

In the file /etc/default/login, there is a CONSOLE line. If this line
is commented out, then root access over the network is granted:

    #CONSOLE=/dev/console

If there is no comment in front of the CONSOLE line, root can only log
in from the console:

    CONSOLE=/dev/console

Changes to this file will take effect at once.

3.5: How to Add a Banner to a SunOS telnet Login

The best way to have a banner displayed before the telnet "login:"
prompt is to write a wrapper program:

    #include <stdlib.h>
    #include <unistd.h>

    /* Print the banner, then hand the connection to the real daemon. */
    int main()
    {
        system("/bin/cat /etc/telnetbanner");
        execl("/usr/etc/in.telnetd.real", "/usr/etc/in.telnetd.real", (char *)0);
        return 1;   /* reached only if execl() fails */
    }

This wrapper would be compiled and installed as /usr/etc/in.telnetd, a
message would be installed into /etc/telnetbanner, and the original
in.telnetd would then be moved to in.telnetd.real.

Although this setup should work, it is not officially supported by
SunService.

3.6: How to Add a Banner to a Solaris telnet Login

Under Solaris 2.4 and higher, you can add a banner by utilizing the
/etc/issue file.
Edit this file to contain your banner, and it will be read and
displayed before the login prompt.

    % cat /etc/issue
    ** USE THIS MACHINE AT YOUR OWN RISK **

    % telnet localhost
    ...
    UNIX(r) System V Release 4.0 (psi)

    ** USE THIS MACHINE AT YOUR OWN RISK **

    login:

This functionality is not available in versions of Solaris earlier than
2.4. For those cases, you might want to try the workaround described in
Section 3.5, but it is not officially supported, and may not work.

3.7: How to Grant rsh/rdist/rcp Permissions

If an individual user wants to be able to rsh into his account without
a password, or rdist or rcp into his account, he must create a .rhosts
file. This file should simply contain the name of the remote machine
which should have the rsh/rdist/rcp permissions, and also the name of
the user's account on that machine. For example:

    % cat ~/.rhosts
    psi appel

The above .rhosts file would allow me to rsh, rdist or rcp to my
account from the account 'appel' on the machine 'psi'.

Root can also grant global permissions with the hosts.equiv file. This
file simply contains a list of remote machines:

    % cat /etc/hosts.equiv
    psi

If a machine is listed, all users on that machine will be able to rsh,
rcp or rdist to the local machine, as long as they have accounts on
both machines with the same login name. The above would grant this
permission to the remote machine 'psi'.

The hosts.equiv man page lists other options available in that
configuration file.

3.8: How to rdist a Directory

The most common usage of rdist is to copy an entire directory structure
from one machine to another. This can be done with the following
command:

    % rdist -c directory remotemachine:/directory

In order for the above to work, rdist must be granted remote
permissions, as described in Section 3.7 above.

This command may also be set up in a distfile script, as is described
in the rdist man page.
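
The trust rules of Section 3.7, which the rdist command in Section 3.8 depends on, can be modelled to see which file grants a given request. This is an added example, not part of the original Tip Sheet; the function names, the host 'chi' and the account 'build' are assumptions, and the model covers only the plain "host" and "host user" lines shown above.

```shell
#!/bin/sh
# Added example: simplified model of the Section 3.7 trust rules. It
# ignores the other hosts.equiv options that the man page documents.

# rhosts_allows FILE REMOTE_HOST REMOTE_USER LOCAL_USER
# A .rhosts line is "host [user]"; with no user field the remote login
# name must equal the local one. Host names are compared as exact strings.
rhosts_allows() {
    awk -v h="$2" -v ru="$3" -v lu="$4" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blanks and comments
        $1 == h && (NF >= 2 ? $2 == ru : ru == lu) { ok = 1 }
        END { exit !ok }' "$1"
}

# equiv_allows FILE REMOTE_HOST REMOTE_USER LOCAL_USER
# A hosts.equiv line naming a host trusts accounts whose login name is
# the same on both machines.
equiv_allows() {
    [ "$3" = "$4" ] || return 1
    awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        NF == 1 && $1 == h { ok = 1 }
        END { exit !ok }' "$1"
}

# trust_decision DIR REMOTE_HOST REMOTE_USER LOCAL_USER
# DIR holds constructed copies named "hosts.equiv" and "rhosts"; prints
# which file grants access, or "none" when neither does.
trust_decision() {
    if [ -f "$1/hosts.equiv" ] && equiv_allows "$1/hosts.equiv" "$2" "$3" "$4"; then
        echo "hosts.equiv"
    elif [ -f "$1/rhosts" ] && rhosts_allows "$1/rhosts" "$2" "$3" "$4"; then
        echo ".rhosts"
    else
        echo "none"
    fi
}

# Constructed sample files mirroring the examples above ("chi" is made up).
demo_dir=$(mktemp -d)
printf 'psi\n' > "$demo_dir/hosts.equiv"
printf 'psi appel\nchi\n' > "$demo_dir/rhosts"
trust_decision "$demo_dir" psi appel appel
trust_decision "$demo_dir" psi appel build
trust_decision "$demo_dir" psi.corp.sun.com appel build
rm -rf "$demo_dir"
```

A result of "none" corresponds to the 'Password:' prompt or 'Permission Denied' error covered in Section 4.2.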
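
A check for the remote root login settings described in Sections 3.3 and 3.4, written as an added example that is not part of the original Tip Sheet. The function names and the sample files are assumptions; it expects network ttytab lines in the unquoted "ttyp0 none network off secure" form shown in Section 3.3.

```shell
#!/bin/sh
# Added example: report whether remote root login is permitted, using the
# rules in Sections 3.3 (SunOS ttytab) and 3.4 (Solaris /etc/default/login).

# ttytab_remote_root FILE -> allowed | denied | mixed | no-network-ttys
# Looks only at lines whose third field is "network" and checks for the
# "secure" keyword among the remaining fields.
ttytab_remote_root() {
    awk '
        $1 ~ /^#/ || $3 != "network" { next }
        {
            s = 0
            for (i = 4; i <= NF; i++) if ($i == "secure") s = 1
            if (s) sec++; else unsec++
        }
        END {
            if (sec + unsec == 0) print "no-network-ttys"
            else if (unsec == 0)  print "allowed"
            else if (sec == 0)    print "denied"
            else                  print "mixed"   # some ttys still accept root
        }' "$1"
}

# login_remote_root FILE -> allowed | console-only
# An active (uncommented) CONSOLE= line restricts root to the console.
login_remote_root() {
    if grep -q '^[[:space:]]*CONSOLE=' "$1"; then
        echo "console-only"
    else
        echo "allowed"
    fi
}

# Constructed sample files; pass the real paths to audit a live system.
t=$(mktemp -d)
printf 'console "/usr/etc/getty std.9600" sun on local secure\n' > "$t/ttytab"
printf 'ttyp0 none network off secure\n'   >> "$t/ttytab"
printf 'ttyp1 none network off unsecure\n' >> "$t/ttytab"
printf '#CONSOLE=/dev/console\n' > "$t/login"
ttytab_remote_root "$t/ttytab"
login_remote_root "$t/login"
rm -rf "$t"
```

The "mixed" result flags a ttytab in which only some of the network lines were edited, which Section 3.3 warns against.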

4.0: Some Frequently Asked Questions

4.1: General Remote Login Problems

Q: Why do I get one of the following errors when I try and log in to my
   machine? This only occurs when many people are already logged in:

    "xxx: could not grant slave pty."
    "xxx: open /dev/ptmx: No such device"

A: These errors occur because your machine has run out of ptys. The
   default number of ptys is 48, which will usually allow somewhere
   around 30-35 users to log in. You simply need to increase the number
   of ptys, and then rebuild your kernel. Sections 3.1 and 3.2 outline
   how to increase the number of ptys.

Q: Why do I get the following message when I try and log in to my
   Solaris machine:

    "xxx: open /dev/logindmux: No such file or directory"

A: This is due to a bug in a Solaris patch which implements in-kernel
   telnet. It can be corrected by adding the following line to the file
   /etc/name_to_major:

    logindmux 114

   Afterwards, reboot the machine with the reconfigure option:

    # touch /reconfigure
    # reboot

   When the machine comes back up, you should be able to log in
   correctly.

Q: Why do I get a core dump from telnet/rlogin when I try and connect
   to certain remote machines from my SunOS machine?

A: This is a known bug that occurs when a remote machine has multiple
   addresses. It is fixed in the libc patch for 4.1.3 and 4.1.3_u1. See
   Section 5.1.1 below.

Q1: Why do the r-commands hang forever?

Q2: Why do telnet/rlogin give the following error:

    "connect: Connection refused"

A: in.telnetd or in.rlogind are not being started up correctly on the
   machine you are trying to connect to. Make sure that inetd is
   running on that machine, and make sure that the following two lines
   are uncommented in the /etc/inetd.conf:

    telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
    login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind

   (Locations will be slightly different on a SunOS machine).
   If you have to make changes to inetd.conf, because the above lines
   are missing or commented out, you must restart inetd:

    # kill -HUP inetd-pid

Q: Why do I get the following errors when I try and execute a remote
   login:

    "Network Unreachable"
    "Host Unreachable"

A: These errors imply that routing is set up incorrectly to the machine
   that you are trying to access. SunService has a separate Tip Sheet
   dedicated to Routing problems.

4.2: General R-command Problems

Q1: Why do I get a 'Password:' prompt when I rsh or rlogin?

Q2: Why do I get 'Permission Denied' when I rcp or rdist?

A1: You do not have a .rhosts file on the remote machine, correctly
    listing your local machine. Section 3.7 explains how to set up a
    .rhosts file.

A2: You are given explicit permissions to log in to the remote machine,
    but the .rhosts file does not list your correct machine name. For
    example, the .rhosts might mention your local machine's long host
    name (e.g., psi.corp.sun.com), while the remote machine actually
    identifies it by the short name (e.g., psi). Alternatively, your
    .rhosts might read machine-le0, while the login request actually
    comes from machine-le1.

    You can test this by logging in to the remote machine (supplying
    your password), and then examining the .rhosts file:

    % cat .rhosts
    psi.corp.sun.com appel

    Afterwards, run "who", look for your own login, and see what name
    your local machine is identified as:

    % who
    appel    pts/10    Oct  6 09:59    (psi)

    In the above case, my .rhosts file reads 'psi.corp.sun.com' while
    the remote machine identifies me as 'psi'. These names must match
    for rsh, rcp or rdist to work. After I change my .rhosts file to
    reflect the output of who, the logins will work correctly:

    % cat .rhosts
    psi appel

    (It should be noted that the remote machine determines the name for
    your local machine by looking in the first entry of files, NIS,
    NIS+ or DNS, depending on how you have your name services set up.
    If you do not like the way your remote machine is identifying your
    local machine, you will need to determine which of these name
    services is providing the incorrect information, and correct it.)

Q: Why do some remote sites refuse to let me connect to them via the
   r-commands, complaining that they can't look up my name?

A: This is probably because the machine you are connecting from does
   not have a DNS PTR record. You should consult your DNS maps, and
   verify that both A and PTR records are being propagated for the
   machine in question. SunService has a document on DNS which explains
   this all in more depth.

Q: Why do I get the following error when I connect to a machine via the
   r-commands:

    "protocol error. Connection Closed."

A: This typically occurs because the permissions on in.rlogind are
   incorrectly set on the machine you are trying to connect to.

   On a SunOS machine, make sure in.rlogind has the following perms:

    -rwxr-xr-x  1 root  staff  16384 Jan 20  1994 /usr/etc/in.rlogind

   On a Solaris machine, make sure in.rlogind has the following perms:

    -r-xr-xr-x  1 bin   bin    10848 Jul 15  1994 /usr/sbin/in.rlogind

4.3: rcp and rdist Specific Problems

Q1: Why does rcp/rdist fail, even though permissions are set up right?

Q2: Why do I get one of the following errors when I rcp/rdist:

    "stty: TCGETS: operation not supported on socket"
    "stty: : Invalid argument"

A: rcp and rdist will fail if certain types of commands exist in the
   .cshrc of the account on the remote machine. You can temporarily fix
   this by simply moving the .cshrc on the remote machine:

    % mv ~/.cshrc ~/.cshrc.DONOTUSE

   Alternatively, you can correct the .cshrc so that rcp and rdist will
   work right. You must surround all stty and echo statements in the
   .cshrc with an if ($?prompt) / endif pair.
   For example, if the following line is in your .cshrc:

    stty dec

   Change it to the following:

    if ($?prompt) then
        stty dec
    endif

   If this is done to all stty and echo commands, you should be able to
   rcp and rdist to that account correctly.

5.0: Patches

The following is the list of all of the remote login related patches
for 4.1.3, 4.1.3_u1, 4.1.4, 5.3 and 5.4. If you are having remote login
problems, installing the patches is a good place to start, especially
if you recognize the general symptoms noted below.

In order for a machine to be stable, all of the recommended patches
should be installed as well. The list of recommended patches for your
operating system is available from sunsolve1.sun.com.

5.1: Remote Login Patches for SunOS

100383-06 SunOS 4.0.3 4.1 4.1.1 4.1.2 4.1.3: rdist security and hard link

    Fixes a security bug which could cause rdist to create setuid root
    programs. Also fixes an rdist problem related to hard links.

100468-03 SunOS 4.1.1 4.1.2 4.1.3: rcp/rsh should use setsockopt to detec

    Corrects a bug in rcp's behavior when a remote machine crashed, and
    also a bug in rsh regarding processes with lots of open file
    descriptors.

101673-01 SunOS 4.1.3 Point Patch: rsh hangs, talking to a heavily loaded

    This point patch adds a -T (timeout) flag to rsh that can be used
    when logging in to a heavily loaded machine.

101488-01 SunOS 4.1.1 4.1.2 4.1.3: TTY settings change when rlogin into a
101561-05 SunOS 4.1.3_U1: TTY settings change when rlogin into a 4.x syst

    Corrects an error regarding flow control that showed up when
    logging in to a SunOS machine from a Solaris machine.

5.1.1: Related Patches for SunOS

100891-13 SunOS 4.1.3: international libc jumbo patch
100890-12 SunOS 4.1.3: domestic libc jumbo patch
101558-07 SunOS 4.1.3_U1: international libc jumbo patch
101759-03 SunOS 4.1.3_U1: domestic libc jumbo patch

    Correct a problem where telnet, rlogin and other internet
    connection programs coredump if they try and connect to a machine
    with multiple A records.
    Please be sure to install the domestic version, and not the
    international version, if you are in the US, because the
    international version does not include encryption, which is
    necessary for login to work correctly.

5.2: Remote Login Patches for Solaris

101494-01 SunOS 5.3: rdist will not remove remote directories

    Fixes a bug where rdist -R would not remove remote directories that
    no longer existed on the master.

101681-01 SunOS 5.3: telnet patch

    Corrects bugs regarding pipes, and Sun/Dec interaction.

101318-75 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
101945-36 SunOS 5.4: jumbo patch for kernel
101946-29 SunOS 5.4_x86: telnetd performance improvement

    Improves telnet and rlogin performance by incorporating them into
    the kernel.

Revision History

Date written: 96.06.11
Author: 이민호
Date modified:
Modified by: