Sunday, March 15, 2009

Passwordless RSH on Gentoo

I have an old AMD K6-III box with 128MB memory that I use as my router, firewall and media server for my XBox. Every time I have encoded DVDs that I want to load onto the server, I use rsync to update the contents. I noticed that it was slow: even on my 100 Mb/s LAN I could get no more than a 2 MB/s transfer rate. Checking the CPU usage, I noted that sshd was using about 75% CPU time and rsync about 25%. It seemed that my network throughput was limited by a CPU bottleneck (due to the encryption overhead of SSH, I assume). That is why I tried to get RSH up and running on it, to see what performance increase I could get by using rsh instead of ssh.

First, let's install rsh:
root@slowpoke ~ $ emerge netkit-rsh

Start up xinetd (since rshd is started by xinetd) ...

root@slowpoke ~ $ /etc/init.d/xinetd start
* Starting xinetd ... [ ok ]
root@slowpoke ~ $

Let's see if we can use rlogin on the same machine ...

somebody@slowpoke ~ $ rlogin localhost
localhost: Connection refused
somebody@slowpoke ~ $

So I can't rlogin, but running xinetd in debug mode shows why ...

root@slowpoke ~ $ /etc/init.d/xinetd stop
* Stopping xinetd ... [ ok ]
root@slowpoke ~ $ xinetd -d
...
09/3/16@14:23:00: CRITICAL: 6137 {init_services} no services. Exiting...
root@slowpoke ~ $

There are no services running because rlogin is disabled by default. Enable the rlogin service by editing /etc/xinetd.d/rlogin to look like the following (by changing 'disable = yes' to 'disable = no'):

service login
{
socket_type = stream
protocol = tcp
wait = no
user = root
group = tty
server = /usr/sbin/in.rlogind
log_on_success = PID HOST USERID EXIT DURATION
log_on_failure = USERID ATTEMPT
disable = no
}

After restarting xinetd, we can successfully run rlogin ...

somebody@slowpoke ~ $ rlogin localhost
Password:
Last login: Mon Mar 16 14:25:00 SAST 2009 from localhost on pts/6
somebody@slowpoke ~ $

To prevent rlogin from asking for a password, we create a .rhosts file in the user's home folder, containing the hostname from which to allow passwordless logins:

somebody@slowpoke ~ $ echo localhost > .rhosts
somebody@slowpoke ~ $

Testing rlogin again:

somebody@slowpoke ~ $ rlogin localhost
Password:
Last login: Mon Mar 16 14:27:00 SAST 2009 from localhost on pts/6
somebody@slowpoke ~ $

So rlogin still prompts for a password. Checking /var/log/messages shows the following error message:

Mar 16 14:27:00 slowpoke rlogind[6346]: PAM unable to dlopen(/lib/security/pam_rhosts_auth.so): /lib/security/pam_rhosts_auth.so: cannot open shared object file: No such file or directory

And sure enough, the file pam_rhosts_auth.so does not exist, although there is a file called pam_rhosts.so.

root@slowpoke ~ $ ls /lib/security/
pam_access.so pam_ftp.so pam_mkhomedir.so pam_succeed_if.so
pam_cracklib.so pam_group.so pam_motd.so pam_tally.so
pam_debug.so pam_issue.so pam_namespace.so pam_time.so
pam_deny.so pam_keyinit.so pam_nologin.so pam_umask.so
pam_echo.so pam_lastlog.so pam_permit.so pam_unix.so
pam_env.so pam_limits.so pam_rhosts.so pam_warn.so
pam_exec.so pam_listfile.so pam_rootok.so pam_wheel.so
pam_faildelay.so pam_localuser.so pam_securetty.so pam_xauth.so
pam_filter pam_loginuid.so pam_shells.so
pam_filter.so pam_mail.so pam_stress.so
root@slowpoke ~ $

According to the following bug report, the filename change was not captured in the corresponding configuration files. So we edit /etc/pam.d/rlogin to reflect the name change (by substituting pam_rhosts.so for pam_rhosts_auth.so):

#%PAM-1.0
# For root login to succeed here with pam_securetty, "rlogin" must be
# listed in /etc/securetty.
auth required pam_securetty.so
auth sufficient pam_rhosts.so
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login

And finally, success ...

somebody@slowpoke ~ $ rlogin localhost
Last login: Mon Mar 16 14:27:00 SAST 2009 from localhost on pts/6
somebody@slowpoke ~ $

Similarly, to get rsh to work you need to enable the rshd service by editing /etc/xinetd.d/rsh to read:

service shell
{
socket_type = stream
protocol = tcp
wait = no
user = root
group = tty
server = /usr/sbin/in.rshd
log_on_success = PID HOST USERID EXIT DURATION
log_on_failure = USERID ATTEMPT
disable = no
}

and restart xinetd to activate the change. Also edit /etc/pam.d/rsh to use the pam_rhosts.so module (remember the name change):

#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_securetty.so

# Uncomment this and comment the following to use rhosts_auth module
auth required pam_rhosts.so
#auth include system-remote-login

account include system-remote-login
session include system-remote-login

Testing rsh ...

somebody@slowpoke ~ $ rsh localhost whoami
somebody
somebody@slowpoke ~ $

Next step was trying rsh from another machine on the local network:

somebody@grey-area ~ $ rsh slowpoke whoami
poll: protocol failure in circuit setup
somebody@grey-area ~ $

Editing /etc/xinetd.conf to enable xinetd services on your local network solved this problem. Change the line reading

only_from = 127.0.0.1

to

only_from = 127.0.0.1 192.168.1.0/24

by adding whatever subnet is appropriate for your network. Restart xinetd for the change to take effect. To enable passwordless rsh from another machine on your local network, add the required host name to your .rhosts file ...

somebody@slowpoke ~ $ echo grey-area >> .rhosts
somebody@slowpoke ~ $

... and testing ...

somebody@grey-area ~ $ rsh slowpoke whoami
somebody
somebody@grey-area ~ $

So now that I have rsh set up, I can use rsync over rsh to synchronise my files, and now I get about 8 MB/s throughput.
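Two of the problems above come down to trust files that were silently wrong: a PAM service file naming a module that is not installed, and a .rhosts file that pam_rhosts will either ignore or interpret more widely than intended. The following script is an added example (not code from the original post) that checks both; it takes the file paths as parameters and runs against a constructed fixture that reproduces the post's pam_rhosts_auth.so mismatch.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the two trust
# files the post edits. check_pam_modules catches the failure the post hit
# (a PAM service file naming pam_rhosts_auth.so, which is not in the module
# directory); check_rhosts reports a .rhosts that pam_rhosts would reject or
# that trusts more than the listed hosts. Paths are parameters so the checks
# can run against the constructed fixture below as well as the real files.

# check_pam_modules PAMFILE MODDIR: print every missing module, return 1 if any.
check_pam_modules() {
    pamfile=$1; moddir=$2; rc=0
    # every field ending in .so on a non-comment line is a module name
    for mod in $(grep -v '^[[:space:]]*#' "$pamfile" |
                 awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) print $i }'); do
        if [ ! -e "$moddir/$mod" ]; then
            echo "missing module: $moddir/$mod"; rc=1
        fi
    done
    return $rc
}

# check_rhosts FILE: pam_rhosts ignores a .rhosts that is a symlink or is
# group/world writable; a '+' in the host or user field trusts everyone.
check_rhosts() {
    f=$1; rc=0
    if [ -L "$f" ]; then echo "rejected: $f is a symlink"; rc=1; fi
    case $(ls -ld "$f" | cut -c1-10) in
        ?????w*|????????w*) echo "rejected: $f is group- or world-writable"; rc=1 ;;
    esac
    wild=$(grep -v '^[[:space:]]*#' "$f" | awk '$1 == "+" || $2 == "+"')
    if [ -n "$wild" ]; then echo "wildcard trust in $f: $wild"; rc=1; fi
    return $rc
}

# Constructed fixture reproducing the post's state: the rlogin PAM file still
# names pam_rhosts_auth.so while only pam_rhosts.so is installed, plus a
# group-writable .rhosts with a '+ +' entry.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/security"
    : > "$d/security/pam_securetty.so"; : > "$d/security/pam_rhosts.so"
    printf 'auth required pam_securetty.so\nauth sufficient pam_rhosts_auth.so\nauth include system-remote-login\n' > "$d/rlogin"
    printf 'localhost\ngrey-area\n+ +\n' > "$d/rhosts"; chmod 664 "$d/rhosts"
    echo "$d"
}

FIX=$(make_fixture)
check_pam_modules "$FIX/rlogin" "$FIX/security" || echo "-> fix /etc/pam.d/rlogin first"
check_rhosts "$FIX/rhosts" || echo "-> tighten .rhosts before enabling rlogind"
```

On a real box, run it as `check_pam_modules /etc/pam.d/rlogin /lib/security` and `check_rhosts ~/.rhosts` after sourcing the file.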
