SUSE Support

Here When You Need Us

rsh and rlogin allow user to login as a different user without password prompt

This document (7007218) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10

Situation

Non-root users are able to use rlogin and rsh to another server as another user without being prompted for a password.

/etc/pam.d/rlogin

auth    sufficient     pam_securetty.so
auth    sufficient     pam_rhosts_auth.so
auth    include        common-auth
auth    required      pam_mail.so


 

Resolution

Setting pam_securetty.so to sufficient in the auth section of the rsh or rlogin file allows authentication when the module return is PAM_SUCCESS. 

Since the module is used to allow root logins only if the user is logging in on a "secure" tty, the module will return a PAM_SUCCESS for non-root users.

DO NOT set pam_securetty.so to sufficient unless the desired result is for a non-root user to be able to login as any non-root user without being prompted for a password.

Per the man pages of pam_securetty:

For canonical usage, should be listed as a required authentication method before any sufficient authentication methods.

Default for SLES 10

/etc/pam.d/rlogin

auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     sufficient     pam_rhosts_auth.so
auth     include        common-auth
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session

Default for SLES 11

auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]
 pam_securetty.so
auth     sufficient     pam_rhosts.so
auth     include        common-auth
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7007218
  • Creation Date: 16-Nov-2010
  • Modified Date:28-Sep-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.