Check the rlogin and rsh entries in /etc/pam.conf...
------------------------------
BSPERF204:/home/nortel <102> (nortel) % cat /etc/pam.conf
#
# ident "@(#)pam.conf 1.19 03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
# Support for Odyssey, added by NNnspcore
bb_login auth sufficient pam_is_validation.so
bb_login auth required pam_is_authentication.so try_first_pass
bb_login account required pam_is_authentication.so
=================================================================================================
ZEUS => BSPERF204 server: resolving the remsh connection failure
1. Modify the usual remote shell configuration files
- Add the entry 60.11.8.111 zeus to the /etc/hosts file
# Internet host table
#
127.0.0.1 localhost
60.30.32.64 BSPERF204 loghost BSPERF204.sktelecom.com
60.30.32.61 BSPMS204 BSPMS204.sktelecom.com
60.30.32.161 BSSMS204 BSSMS204.sktelecom.com
30.53.76.8 BSPERF204-2
60.30.32.164 BusanWS1 BusanWS1.sktelecom.com
60.30.32.165 BusanWS2 BusanWS2.sktelecom.com
60.11.16.5 ntp_nms_1
60.11.27.5 ntp_nms_2
60.11.8.111 zeus (added)
2. Grant zeus access in the /.rhosts file
- zeus + (added)
3. Check the permissions of the rsh- and rlogin-related executables
- Default values kept; no changes
4. Check the /etc/services file (whether the entries are commented out)
exec 512/tcp
login 513/tcp
shell 514/tcp cmd # no passwords used
5. Check the /etc/inetd.conf file (whether the entries are commented out)
# Shell, login, exec, comsat and talk are BSD protocols.
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
6. After configuring items 1 to 5 above and restarting the inetd daemon, behaviour was still abnormal, so the rlogin and rsh entries in /etc/pam.conf were checked to see whether login security was configured for them.
It was confirmed that a normal login was impossible when running the rsh command (the original file was saved as pam.conf.bak), and the relevant section was modified.
<Modified content>
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1 (added)
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1 (added)
#
P.S. Restarting the inetd daemon leaves no particular log entries in /var/adm/messages.
The inetd daemon was killed directly after locating it with the ps -ef command.
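The reason rsh and rlogin work without a password here is the stacking order in /etc/pam.conf: pam_rhosts_auth.so.1 is marked sufficient and sits before the password modules, so a matching .rhosts entry ends the auth stack successfully (the "# no passwords used" comment in /etc/services describes the same thing). The following added example (not part of the original note) parses Solaris-style pam.conf entries, simulates the requisite/required/sufficient stacking rules, and reports which services can be entered on rhosts trust alone; the sample configuration is constructed from the rlogin, rsh and other stacks shown above.

```python
# Constructed sample based on the rlogin/rsh/other auth stacks in the page's /etc/pam.conf.
SAMPLE_PAM_CONF = """
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Map (service, module_type) -> [(control_flag, module), ...] in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# ...' comments like those in the file
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control.lower(), module))
    return stacks

def auth_stack(stacks, service):
    """Solaris uses the 'other' stack for any service without explicit entries."""
    return stacks.get((service, "auth")) or stacks.get(("other", "auth"), [])

def evaluate(stack, results):
    """Simulate Solaris PAM stacking; results maps module name -> True/False outcome."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False               # stop immediately, no later module runs
        if control == "required" and not ok:
            required_failed = True     # keep going, but the final result is failure
        if control == "sufficient" and ok and not required_failed:
            return True                # success right here; password modules never run
    return not required_failed

def password_skipped_for(stacks, service):
    """True if a successful rhosts check alone authenticates `service`."""
    only_rhosts_ok = {"pam_rhosts_auth.so.1": True}
    return evaluate(auth_stack(stacks, service), only_rhosts_ok)

if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    print({svc: password_skipped_for(stacks, svc) for svc in ("rsh", "rlogin", "telnet")})
```

Run against a real /etc/pam.conf, the same check lists every service where a `+` or trusted-host entry in .rhosts is the only thing standing between a remote caller and a shell, which is what to review before trusting a host like zeus.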