How to configure rsh and rlogin on CentOS/RHEL 7

Basics

The rsh and rlogin services respectively let a user on a remote host run a command on, and log in to, this machine. Both have been deprecated in favor of ssh, which is far more secure: rsh and rlogin send the whole session, passwords included, in cleartext, and they grant trust on the basis of the client's host name or address, which an attacker on the network can spoof. Use them only on an isolated, trusted network.

Depending on your needs, you may choose to skip the configuration of some of the services. For example, you may configure rsh but not rlogin.

Configure the rsh service on the server

1. Install the package

# yum -y install rsh-server

2. Configure the service to start at system boot: The rsh service is socket-activated. systemd listens on the dedicated rsh socket and spawns in.rshd for each incoming connection, so it is the socket unit that gets enabled (--now also starts it immediately).

# systemctl enable rsh.socket --now

3. Configure the dynamic firewall: The rsh service listens on the dedicated port 514/TCP. The firewall must be configured to accept incoming connections to this port.

# firewall-cmd --permanent --add-port=514/tcp
# firewall-cmd --reload

Alternatively, on CentOS/RHEL 7.3 and later, you may create a dedicated firewalld service as shown below:

# firewall-cmd --permanent --new-service=rsh-server
# firewall-cmd --permanent --service=rsh-server --set-description="rsh server"
# firewall-cmd --permanent --service=rsh-server --add-port=514/tcp
# firewall-cmd --permanent --add-service=rsh-server
# firewall-cmd --reload

4. Create and populate the ~/.rhosts file for every necessary user: The rsh service relies on the file ~/.rhosts to allow login without a password. Each line holds a host name followed by a user name, as in the example below:

[localuser@localhost] $ cat ~/.rhosts
remotehost  remoteuser
+           root

In the example above, we allow connection to our local account (user localuser on host localhost) for user remoteuser defined on remote host remotehost. We also allow connection to our local account for the remote user root from any host, indicated by the + wildcard. Be aware of what that wildcard means: the only check performed is on the client's host name or address, so anyone who can reach port 514 from a host whose name resolves as they wish gets a password-less shell as localuser. A line reading + + would trust any user from any host. Avoid + outside a lab.

Please note that the .rhosts file must be owned by the user and must not be writable by the group or others, otherwise rsh returns a Permission denied error. Run the following command to set the permissions properly (600 is equally valid and stricter):

$ chmod 644 ~/.rhosts

5. If necessary, configure access to the root account: In order to be able to connect to the root local account, add the following entry to /etc/securetty.

# echo "rsh" >> /etc/securetty

In case SELinux is enabled on your system, make sure that the SELinux context is properly set up, by running the following command after having populated the /root/.rhosts file:

# restorecon -R /root/.rhosts

Failing to do so results in the following denial being reported by the audit2why -a command upon a connection attempt (the file still carries the admin_home_t label, which the rshd_t domain is not allowed to read):

type=AVC msg=audit(1489590975.216:500): avc:  denied  { getattr } for  pid=4891 comm="in.rshd" path="/root/.rhosts" dev="dm-0" ino=8588056 scontext=system_u:system_r:rshd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

Configure rsh on the client

1. Install the package:

# yum -y install rsh

2. Configure the dynamic firewall: When the rsh client establishes a connection, it listens on a dynamically chosen reserved port in the range 512:1023 and the rsh server connects back to it to carry the command's standard error. The firewall on the client must therefore accept incoming connections to these ports from the server. Opening the whole range to every source is broader than needed; if your firewalld supports rich rules, consider limiting the rule to the server's address.

# firewall-cmd --permanent --add-port=512-1023/tcp
# firewall-cmd --reload

Alternatively, on CentOS/RHEL 7.3 and later, you may create a dedicated firewalld service as shown below:

# firewall-cmd --permanent --new-service=rsh-client
# firewall-cmd --permanent --service=rsh-client --set-description="rsh client"
# firewall-cmd --permanent --service=rsh-client --add-port=512-1023/tcp
# firewall-cmd --permanent --add-service=rsh-client
# firewall-cmd --reload

Configure the rlogin service on the server

1. Install the package:

# yum -y install rsh-server

2. Configure the service to start at system boot: The rlogin service is handled by systemd through the dedicated rlogin socket.

# systemctl enable rlogin.socket --now

3. Configure the dynamic firewall: The rlogin service listens on the dedicated port 513/TCP. The firewall must be configured to accept incoming connections to this port.

# firewall-cmd --permanent --add-port=513/tcp
# firewall-cmd --reload

Alternatively, on CentOS/RHEL 7.3 and later, you may create a dedicated firewalld service as shown below:

# firewall-cmd --permanent --new-service=rlogin-server
# firewall-cmd --permanent --service=rlogin-server --set-description="rlogin server"
# firewall-cmd --permanent --service=rlogin-server --add-port=513/tcp
# firewall-cmd --permanent --add-service=rlogin-server
# firewall-cmd --reload

4. (Optional) Create and populate the ~/.rhosts file for every necessary user: The rlogin service relies on the file ~/.rhosts to allow login without a password. If this file does not exist, the password is asked for. Each line holds a host name followed by a user name, as in the example below:

[localuser@localhost] $ cat ~/.rhosts
remotehost  remoteuser
+           root

In the example above, we allow connection to our local account (user localuser on host localhost) for user remoteuser defined on remote host remotehost. We also allow connection to our local account for the remote user root from any host, indicated by the + wildcard. As for rsh, the only check is on the client's host name or address, so a + entry hands a password-less login to any host that can reach port 513 and present the expected name; avoid it outside a lab.

Please note that the .rhosts file must be owned by the user and must not be writable by the group or others, otherwise rlogin ignores it and asks for the password anyway. Run the following command to set the permissions properly (600 is equally valid and stricter):

$ chmod 644 ~/.rhosts

5. If necessary, configure access to the root account: In order to be able to connect to the root local account, add the following entry to /etc/securetty.

# echo "rlogin" >> /etc/securetty

(Optional, only if file /root/.rhosts exists) In case SELinux is enabled on your system, make sure that the SELinux context is properly set up, by running the following command after having populated the /root/.rhosts file:

# restorecon -R /root/.rhosts

Failing to do so results in the following denial being reported by the audit2why -a command upon a connection attempt (the file still carries the admin_home_t label, which the rlogind_t domain is not allowed to read):

type=AVC msg=audit(1489590975.216:500): avc:  denied  { getattr } for  pid=4891 comm="in.rlogind" path="/root/.rhosts" dev="dm-0" ino=8588056 scontext=system_u:system_r:rlogind_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

Configure rlogin on the client

1. Install the package

# yum -y install rsh

2. Configure the dynamic firewall: It is not necessary to configure the firewall. Unlike rsh, rlogin uses a single TCP connection to port 513 on the server and the server never connects back to the client.
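The steps above as one script, added here as an example and not taken from the original article: a parameterized routine for the rsh (514/tcp) and rlogin (513/tcp) server-side steps, the rsh client firewall rule, and two offline checks for the .rhosts and /etc/securetty requirements described in both server sections. Port numbers, service names and file paths are the ones the article uses; the function names and the ALLOW_ROOT and RSH_SERVER_ADDR variables are our own conventions, and the rich rule restricting the client range to the server's address is our choice rather than the article's.

```shell
#!/bin/bash
# Added example for the rsh/rlogin setup described in the article above.
# Function names and the ALLOW_ROOT / RSH_SERVER_ADDR variables are assumptions.
set -u

# Check a .rhosts file the way ruserok() does before it is trusted: a regular
# file, owned by the account it protects (or by root), and not writable by
# group or others. On top of that, flag any '+' wildcard, which trusts every
# host or every user. Returns 0 when acceptable, 1 otherwise; findings go to stderr.
audit_rhosts() {
    local file="$1" owner="$2" rc=0 perm fowner group others rest host user _rest
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi
    perm=$(stat -c '%a' "$file")           # e.g. 644
    fowner=$(stat -c '%U' "$file")
    if [ "$fowner" != "$owner" ] && [ "$fowner" != root ]; then
        echo "$file: owned by $fowner, expected $owner" >&2
        rc=1
    fi
    others=${perm#"${perm%?}"}             # last octal digit
    rest=${perm%?}
    group=${rest#"${rest%?}"}              # second to last octal digit
    case "$group$others" in                # a 2, 3, 6 or 7 digit has the write bit set
        *[2367]*) echo "$file: mode $perm is writable by group or others" >&2; rc=1 ;;
    esac
    while read -r host user _rest || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "$file: wildcard entry '$host $user' trusts any host or any user" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# True (0) when the pseudo-tty name (rsh or rlogin) is listed in /etc/securetty,
# i.e. pam_securetty will let root in over that service.
securetty_allows() {
    local name="$1" file="${2:-/etc/securetty}"
    grep -qx -- "$name" "$file" 2>/dev/null
}

# Server-side steps 1-3 and 5 of the article for one service. Needs root and the
# firewalld of CentOS/RHEL 7.3+. Not called automatically. ALLOW_ROOT=1 also
# adds the securetty entry and relabels /root/.rhosts for SELinux.
configure_server() {
    local svc="$1" port
    case "$svc" in
        rsh)    port=514 ;;
        rlogin) port=513 ;;
        *) echo "usage: configure_server rsh|rlogin" >&2; return 2 ;;
    esac
    yum -y install rsh-server || return 1
    systemctl enable "${svc}.socket" --now || return 1
    # --new-service fails if the service already exists, so tolerate a re-run.
    firewall-cmd --permanent --new-service="${svc}-server" 2>/dev/null || true
    firewall-cmd --permanent --service="${svc}-server" --set-description="${svc} server" &&
    firewall-cmd --permanent --service="${svc}-server" --add-port="${port}/tcp" &&
    firewall-cmd --permanent --add-service="${svc}-server" &&
    firewall-cmd --reload || return 1
    if [ "${ALLOW_ROOT:-0}" = 1 ]; then
        securetty_allows "$svc" || echo "$svc" >> /etc/securetty
        [ -f /root/.rhosts ] && restorecon -R /root/.rhosts
    fi
    return 0
}

# Client-side step 2 of the article for rsh: the server connects back to a
# reserved port (512-1023) on the client for the stderr channel. Instead of
# opening the range to every source, accept it only from the server address
# given in RSH_SERVER_ADDR (assumed variable) via a firewalld rich rule.
configure_rsh_client() {
    local server="${RSH_SERVER_ADDR:?set RSH_SERVER_ADDR to the rsh server IPv4 address}"
    yum -y install rsh || return 1
    firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${server}\" port port=\"512-1023\" protocol=\"tcp\" accept" &&
    firewall-cmd --reload
}

# Stand-alone demo on a constructed copy of the article's example .rhosts
# (a temporary file, not one taken from a real host).
demo_file=$(mktemp)
printf 'remotehost  remoteuser\n+           root\n' > "$demo_file"
chmod 644 "$demo_file"
if audit_rhosts "$demo_file" "$(id -un)"; then
    echo "demo .rhosts accepted"
else
    echo "demo .rhosts rejected: the '+ root' line is a wildcard"
fi
rm -f "$demo_file"
```

Source the file and call configure_server rsh (and configure_server rlogin) as root on the server, RSH_SERVER_ADDR=<server address> configure_rsh_client on the client, and audit_rhosts ~/.rhosts "$(id -un)" for every account whose .rhosts you populate; the audit fails on exactly the conditions the article warns about (bad ownership or group/other write permission) plus any + wildcard.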