tacmd createnode fails when using RSH protocol

Technote (troubleshooting)


Problem (Abstract)

Unable to connect to host using RSH protocol with tacmd createnode command

Symptom

The following error message appears when executing the tacmd createnode command:
KDY2034E: Unable to connect to host <Host_ipaddress> using the provided
credentials on the following protocol(s): [RSH]. An
attempt was made to connect to the target host using the provided
credentials, but that attempt filed.


Cause

The rsh protocol is not secure for network use because, among other reasons, it sends unencrypted information over the network. Some implementations also authenticate by sending unencrypted passwords over the network. rsh has largely been replaced with the secure shell (ssh) program, even on local networks.

The protocol is also a cleartext protocol, but this is not its main source of insecurity. As with telnet and ftp, it gets worse! Each of these uses "rhosts" authentication, which is fundamentally flawed. This authentication scheme uses unsafely implemented host-to-host trust. A user uses an "rhosts" file to say that root@sysadmin_box can have root access on server. The host server checks the packets' source address to authenticate. The problem is that this method makes the critical, and wrong, assumption that an attacker cannot mangle the packets, either on the source machine or in transit. Unfortunately, an attacker can, using simple automated tools. These tools "spoof" the source IP address, allowing illegitimate access to the target host. It is well understood that rhosts authentication is weak, both because it can be fooled by any program that can craft its own packets and because it creates a web of trust. If I can trick machine A into thinking I'm on a host it trusts, then I can log into A as root. Now, if machine B trusts machine A in the same way, I've got easy access to B.

Resolving the problem

Therefore, a customer who wishes to use RSH rather than SSH with the createnode command should not specify a password parameter in the createnode command, but should instead create a .rhosts file on the target system that specifies the hosts from which it can accept connections. The createnode command is working as designed.
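
A .rhosts file created for createnode extends the host-to-host trust described under Cause, so it is worth auditing before it is deployed. The following is an added example, not IBM code: it flags wildcard entries and lists every host whose compromise would reach a given target through chained trust. The host names and file contents are constructed, and the parser assumes the common "host [user]" line format with "#" comment lines.

```python
from collections import deque

def parse_rhosts(text):
    """Return (trusted, findings) for the contents of one .rhosts file."""
    trusted, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None  # None: same-named user
        if host.startswith("-"):
            continue  # explicit deny entry grants no trust
        if host == "+" or user == "+":
            findings.append(f"line {n}: wildcard entry {line!r}")
        elif host.startswith("+@"):
            findings.append(f"line {n}: netgroup {host[2:]!r} needs manual review")
        trusted.append((host, user))
    return trusted, findings

def exposure(rhosts_by_host, target):
    """Hosts whose compromise reaches `target` by following trust transitively."""
    seen, queue = set(), deque([target])
    while queue:
        current = queue.popleft()
        trusted, _ = parse_rhosts(rhosts_by_host.get(current, ""))
        for host, _user in trusted:
            if host != target and host not in seen:
                seen.add(host)      # "+" in the result means "any host"
                queue.append(host)
    return seen

# Constructed sample: B trusts A, A trusts sysadmin_box and has a wildcard line.
SAMPLE = {
    "B": "# constructed example\nA root\n-oldhost\n",
    "A": "sysadmin_box root\n+ +\n",
    "sysadmin_box": "",
}

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        for finding in parse_rhosts(text)[1]:
            print(f"{name}: {finding}")
    print("B is exposed via:", sorted(exposure(SAMPLE, "B")))
```

In the sample, B lists only A, yet the audit reports sysadmin_box and the wildcard as well, because A's own trust entries carry over to B.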


Document information


More support for:

Tivoli Components
ITM Distributed Installer V6

Software version:

All Versions

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1647124

Modified date:

2013-09-03
