Enhanced Security (C2) and inetd

From: Marcus Holmlund <mhd_at_ladok.umu.se>
Date: Mon, 26 Apr 1999 13:49:11 +0200 (MET DST)

Problem:
We have a service that is started by an authentication program. The
authentication program is started by inetd.
Everything seems to work if we are running within the machine, but if we
try to access the service from another host (network) then we don't get
any response.
Can this be caused by Enhanced Security (C2) or some configuration of C2
or....

System: Digital Unix 4.0D


More info:
--------------
Description of the process

*The client connects to the host at a specified port.
*Inetd starts the authentication program (plogin).
*The plogin program verifies the userid/passwd and, if it is correct, it
logs on as the specified user and starts the service (psv). The psv process
serves the client.

The plogin program can log on as the user in two ways:
1) plogin is executed as root with SUID. It executes something similar to:
 su - <user> <start-psv-service>.
2) plogin is executed as <user> and does rsh -l <user> <script> to start the
psv service.

Documentation from the vendor says that option 2 might be preferred if C2
is activated.

If we run the client on the server (the server that executes plogin and
psv), there is no problem connecting to either localhost + portnr or
<server-ipnr>+portnr. It works if method 1 or 2 is used.

If, instead of running the client program on the server, we try to run it
on another machine (another subnet), it seems like inetd doesn't try to
start the authentication program (plogin). If we use tcpwrapper we get
no information at all (something like "plogin: connect from <host>" is
expected). (Tcpwrapper is not the issue here; we just used it for
verifying the login attempt.)

If we try to run telnet <server> portnr from the external client to the
server, inetd starts the plogin program. The thing is: why does inetd
start the plogin program when we are accessing by telnet and not by the
client program? (There is no problem with the client or the other server
software, because it works if we use it on other hosts (Digital Unix not
using C2).)

Can the problem be some sort of access rule or similar? The machine is for
testing (Y2K); the clock has been switched from 2000 back to 1900 (several
times). I am not sure if there is any firewall, but telnet to the
specified port works, and inetd should at least start the service.

I would appreciate any clue that can solve the problem.

/Marcus
Received on Mon Apr 26 1999 - 11:52:47 NZST
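As an added illustration of the inetd -> plogin -> psv chain described in the post (example code written for this archive page, not the poster's plogin or any vendor code): inetd hands the accepted connection to the spawned program as file descriptors 0 and 1, so a plogin-style front end reads the login from stdin and can recover the client's address from that same descriptor, which is the "connect from <host>" line the poster expected tcpwrapper to log. The wire format ("LOGIN <user> <password>"), the user store, the start-psv path and the rsh target host are all assumptions, since the post does not give them.

```python
#!/usr/bin/env python3
"""inetd-style login front end modelled on the plogin/psv setup above.
Wire format, credential store and psv path are assumptions (not from
the post); the su and rsh forms follow the two methods the post lists."""
import hashlib
import hmac
import os
import socket
import sys

START_PSV = "/usr/local/bin/start-psv"   # hypothetical path to the psv starter


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential store: user -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
USERS = {"alice": _digest(_SALT, "correct horse")}


def peer_of_stdin() -> str:
    """Client address when fd 0 is the socket inetd handed us; otherwise
    'not-a-socket' (e.g. when run by hand from a terminal)."""
    fd = os.dup(0)
    try:
        host, port = socket.socket(fileno=fd).getpeername()[:2]
        return f"{host}:{port}"
    except OSError:           # ENOTSOCK / EBADF: not started by inetd
        os.close(fd)
        return "not-a-socket"


def parse_login(line: bytes):
    """First client line is assumed to be 'LOGIN <user> <password>'."""
    parts = line.decode("utf-8", "replace").rstrip("\r\n").split(" ", 2)
    if len(parts) != 3 or parts[0] != "LOGIN" or not parts[1]:
        return None
    return parts[1], parts[2]


def authenticate(user: str, password: str) -> bool:
    """Constant-time compare; unknown users take the same path as bad passwords."""
    expected = USERS.get(user, b"\0" * 32)
    return user in USERS and hmac.compare_digest(expected, _digest(_SALT, password))


def psv_command(user: str, method: int) -> list:
    """argv that starts psv as <user>: method 1 is the setuid-root su form,
    method 2 the rsh form the vendor prefers under C2 (rsh host assumed)."""
    if method == 1:
        return ["su", "-", user, "-c", START_PSV]
    return ["rsh", "-l", user, "localhost", START_PSV]


if __name__ == "__main__":
    login = parse_login(sys.stdin.buffer.readline())
    if login is None or not authenticate(*login):
        sys.stderr.write("plogin: login failed\n")
        sys.exit(1)
    sys.stderr.write(f"plogin: connect from {peer_of_stdin()} as {login[0]}\n")
    os.execvp(psv_command(login[0], 2)[0], psv_command(login[0], 2))
```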
