15. Managing R Commands

Introduction

This chapter describes how to:

  Manage and troubleshoot the Berkeley R Commands Services, and set up host equivalence files on the server.

  Manage the R Shell (RSH) server, which handles Remote Copy Program (RCP) requests.

  Manage the Remote Magnetic Tape (RMT) Server.

R Services

Configure the Berkeley R Services as part of TCPware configuration (CNFNET). The following are the specific steps in the process:

1   Specify whether you want to enable the login, shell, and exec services. Specify YES or NO in each case.

2   For login service, also specify whether you want NORMAL or SECURE login authorization (the default is SECURE), as described in Table 16-2.

3   If desired, create a service access list.

4   Set up a host equivalence file.

Service Access Lists

You may want to set up a service access list to control which hosts, group of hosts, or network can access the service.

Use the ADD ACCESS_LIST command in TCPware's Network Control Utility (NETCU) that lets you specify a list number and PERMIT or DENY condition for a specific network internet address (and optional network mask). Here is the command format:

$ NETCU ADD ACCESS_LIST list condition ia mask

 

For details on the ADD ACCESS_LIST command, see the NETCU Command Reference.

Host Equivalence Files

Host equivalence files are security access files on the server host used to authorize access to services by other hosts or users. The files list hostnames (and, optionally, usernames) and indicate which remote hosts and users have equivalent access as local users.

(Host equivalence files authorize access to login and shell services only, since the exec service relies on direct username and password authorization.)

Two types of equivalence files are available: HOSTS.EQUIV and .RHOSTS. These files serve slightly different needs and are in different locations on the OpenVMS host, although they use the same data format:

  The HOSTS.EQUIV file defines which remote hosts or users can have equivalent access to the server host, and is analogous to the /etc/hosts.equiv file in UNIX. Place the HOSTS.EQUIV file in either the TCPWARE_COMMON:[TCPWARE] or TCPWARE_SPECIFIC:[TCPWARE] directory, depending on your configuration.

  The .RHOSTS file lets remote users access local accounts beyond what the HOSTS.EQUIV file specifies, and is analogous to the UNIX ~/.rhosts file. Place the .RHOSTS file in the local accounts login directory. Here are some things to keep in mind:

     A remote user specified in a .RHOSTS file can access the local account only if the account owns the file.

     Access to the SYSTEM (root) account, or one that has a system UIC group, requires a .RHOSTS file, and does not work in the HOSTS.EQUIV file.

     To disable user-specified SYS$LOGIN:.RHOSTS files (and use the HOSTS.EQUIV file only), set the TCPWARE_RCMD_FLAGS system logical to 1 (it is 0 by default).

Both the HOSTS.EQUIV and .RHOSTS files contain line entries for hostnames and optional usernames, in the following format, where host is the name of the remote host allowed access and the optional username is the name of a specific user on that host:

host [username]

Here are some sample lines in a host equivalence file, with the following considerations:

ALPHA
BETA smith
GAMMA Jones
DELTA +
+ JackSprat

  If you specify only host on a line (omitting username), users having accounts with the same names on both hosts can access the local system.

  If you specify both host and username on a line, the specified user on that host can access the local system or account. The username must match case exactly with the incoming username (JackSprat does not match with jacksprat).

  You can use the plus symbol (+) as a wildcard for host and username, but do not use an asterisk (*) since UNIX does not recognize it as a wildcard. A wildcarded host entry grants access to any host, provided username checks pass. A wilcarded username entry grants access to any user, provided the hostname passes.

  The HOSTS.EQUIV and .RHOSTS files may handle some entries differently, as described in Table 16-1.

Table 16-1     Usernames and Wildcards in HOSTS.EQUIV and .RHOSTS Files

Sample entry...

In the HOSTS.EQUIV file...

In the .RHOSTS file (with account owner Betty)...

ALPHA

Accepts anyone from ALPHA for access to a local account with the same name as the remote username

Accepts only username Betty from ALPHA

ALPHA Betty

Accepts only username Betty from ALPHA for any account other than SYSTEM

Accepts only username Betty from ALPHA

ALPHA David

Accepts only username David from ALPHA for any account other than SYSTEM

Accepts only username David from ALPHA who requests username Betty (such as with rlogin
/user="Betty"
)

ALPHA +

Accepts anyone from ALPHA for any requested account

Accepts anyone from ALPHA who requests username Betty

+ Betty

Accepts only username Betty from any host for any account other than SYSTEM

Accepts only username Betty from any host

+ David

Accepts only username David from any host for any account other than SYSTEM

Accepts only username David from any host who requests username Betty

+ +

Accepts anyone from any host for any requested account other than SYSTEM

Accepts anyone from any host who requests username Betty

CAUTION!     Use username values or wildcards in the HOSTS.EQUIV file with security in mind. Because HOSTS.EQUIV files apply system-wide, any remote user (or group of users) can masquerade as a local user. Especially avoid using double pluses (+ +) in either file.

Host equivalence files grant access authorization differently depending on how you configure each R Service during the regular TCPware configuration:

  For login service, CNFNET offers NORMAL and SECURE options for login authorization (see Table 16-2).

Table 16-2     login Service Access Matrix

When...

With NORMAL login...

With SECURE login...

Hostname and username appear in the .RHOSTS or HOSTS.EQUIV file

User is logged in

User is prompted for password

Hostname or username does not appear in the .RHOSTS or HOSTS.EQUIV file

User is prompted for username and password (standard login sequence)

Access is denied

  The shell service checks the host equivalence files for command execution. If the check fails, shell denies access.

  The exec service performs a standard username and password check before allowing command execution on the host.

The exec service also tracks break-in attempts using the OpenVMS Intrusion database. If a remote user enters an invalid login, TCPware creates an intrusion record based on the remote source's IP address. If TCPware reaches the threshold number of invalid login attempts, no one at the remote IP address can use the exec service. The Intrusion database shows who the offending addresses are; you can re-enable login attempts by deleting the intrusion records.


See the SHOW INTRUSION and DELETE/INTRUSION_RECORD commands in HP's VMS DCL Dictionary for details.

Customizing the Shell and Exec Services

Incoming shell and exec services invoke the TCPWARE:TCPWARE_RSERVICE.COM procedure to perform the requested operation. You can customize this command procedure to map an incoming command to an OpenVMS command. (Just make sure that you do not destroy mapping for TCPware operations such as RCP and RMT.)

The REXEC and the RSHELL servers have the functionality to set up a DECwindows display to the client’s IP address if the TCP/IP transport is loaded. To enable this functionality, define the logical as:

$ DEFINE/SYSTEM/EXEC TCPWARE_RCMD_ENABLE_DISPLAY “TRUE“

R Services Log File

You can set up a log file for incoming R Services such as RCP and RSH by defining the TCPWARE_RCMD_OUTPUT logical to log messages in the RCMD.LOG file, as follows:

$ DEFINE/SYSTEM/EXEC TCPWARE_RCMD_OUTPUT RCMD.LOG

Troubleshooting R Services

Access error messages help by entering HELP TCPWARE MESSAGES [identifier].

RCP Server

Use the SHOW SERVICES command in NETCU to make sure that the R shell daemon (rshd) is operating before client users can use the RCP command. On TCPware hosts, the service should show up as shell under the "Port" column. If it does not, use CNFNET to enable the R Services.

You also need to use the rexec server if client users need to specify the RCP command's /USER,    /PASSWORD, and /TRUNCATE qualifiers. On TCPware hosts, the service shows up as exec under the "Port" column.

CAUTION!     The /PASSWORD qualifier requires entry of a plain text password, which could cause a security problem. You can avoid having users specify the /USER or /PASSWORD qualifier by checking that remote hosts include your hostname entry in their host equivalence files (such as the /etc/hosts.equiv file in UNIX systems, or the TCPWARE:HOSTS.EQUIV or SYS$LOGIN:.RHOSTS file locally).

Make sure that your users' login files (as well as the ~/.login files on UNIX system clients) do not contain commands that generate output.

You can log RCP activity by defining the TCPWARE_RCMD_OUTPUT logical. (See R Services Log File

.)

Troubleshooting RCP 

Here are some steps to follow to ensure that the RCP command given from a UNIX system works correctly with TCPware's R Services. First make sure that the R Services were configured by running @TCPWARE:CNFNET RCMD to make sure that RCP is at the very least enabled and the image installed. Then follow these steps:

On the TCPware system:

1   Set the default to the login directory of the user account to which you will be copying files.

2   Edit the SYS$LOGIN:.RHOSTS file and add the UNIX hostname and username.

3   Edit the TCPWARE:HOSTS. file and add the IP address and hostname of the UNIX system from which you will be copying files.

4   Check the user account's UAF record (using SET DEFAULT SYS$SYSTEM followed by MCR AUTHORIZE).

5   Check that the owner of the login directory and .RHOSTS file is the same as the UAF record's IDENTIFIER/UIC (using DIRECTORY/OWNER). If different, you must set the ownership of the login directory and .RHOSTS file to match the IDENTIFIER/UIC.

On the UNIX system:

1   Issue the rcp command. If you get a Login information not recognized at remote node message, run NETCU DEBUG /TCP /DATA=1500 /DIA=unix-host-ip-address, preferably with the additional /OUTPUT=RCPDEBUG.LOG.

2   If there is a debug trace, look for the unix.username.vax-username.rcp filename.ext. If you notice that the case of the username is different from how it appears in the .RHOSTS file, change the case in the .RHOSTS file to match.

A permission denied message usually indicates a protection error on the UNIX side.

RMT Server

Here are some preliminary tasks to make sure the remote client can access the tape or CD-ROM drive:

1   Make sure the shell and exec services and the RMTSETUP image are installed during TCPware configuration at the Do you want to activate ... service: and
Do you want to INSTALL the ... image: prompts, or make sure that at least RCMD_SERVICES == ":SHELL:EXEC" and RCMD_CLIENTS == ":RMTSETUP" appear in your TCPWARE:TCPWARE_CONFIGURE.COM file.

2   Make sure the magnetic tape or CD-ROM, recognizable to the system, is loaded in the device. With a tape device, the client essentially mounts and allocates the tape; you do not need to perform this task. With a CD-ROM device, you need to make the device accessible by issuing a MOUNT command.

3   Make sure the rsh command works from the UNIX system user's root directory to the OpenVMS user SYSTEM's directory.

4   For SYSTEM accounts, RMT ignores the TCPWARE:HOSTS.EQUIV file and uses an explicit entry in the SYS$LOGIN:.RHOSTS file to grant access.

5   Make sure nothing is output from SYS$SYLOGIN procedure or from SYS$LOGIN:LOGIN.COM when issuing the rsh command to SYSTEM.

6   Make sure you suppress output by including the following commands in the SYS$SYLOGIN and LOGIN.COM procedures:

$ RMT_VERIFY = 'F$VERIFY(0)

$ IF (F$MODE() .NES. "OTHER") THEN RMT_VERIFY = F$VERIFY(RMT_VERIFY)

RMT Client Utilities

On the remote host, a user can employ the rdump utility to dump files to OpenVMS tapes, or the rrestore utility to restore files from OpenVMS tapes. The functionality of rdump and rrestore depends entirely on the type of UNIX system you use and not on TCPware's RMT service. For example, not all UNIX systems let the user restore files selectively using rrestore.

When remote users use these remote dump and restore commands, they must specify either the OpenVMS device name or a filename. If they specify a device name, it must be a valid OpenVMS type of magnetic tape device name.

See the SunOS Reference Manual, the Maintenance chapter, the sections on dump,rdump, restore, and rrestore, or your particular client system's documentation for details. Users should be careful about the order in which they specify options on the command line.

Here is an example of an rdump command:

>/etc/rdump 0f lilac:mua0:/nomount /usr

The remote user requests to remotely dump the /usr file system onto device mua0: on system lilac, and specifies the nomount qualifier and a tape density of 1600 bits per inch.

TCPware's RMT Server lets you specify the qualifiers with magnetic tape device names indicated in Table 16-3. The qualifiers are available with the RMTSETUP command.

Table 16-3     RMT Magtape Qualifiers 

Qualifier...

Defines...

/ASSIST                          /NOASSIST

Whether to use operator assistance to mount the volume. /ASSIST is the default.

/BLOCKSIZE=n

Default block size for magnetic tape volumes. The default is 65534 bytes.

/COMMENT="string"

Additional information included with the operator request when the mount operation requires operator assistance (/ASSIST). The comment appears in the OPCOM message for the operator.

/DENSITY=n

Density (in bits per inch) at which to write a foreign or unlabeled magnetic tape. The default is the current density.

/MOUNT                        /NOMOUNT

Whether to use the OpenVMS MOUNT service to mount the tape.        /NOMOUNT gains access to the tape directly without mounting it. Use this for UNIX utilities that expect the tape drive to hold its position (not rewind) if the utility closes it. The default is /MOUNT.

With /NOMOUNT, the qualifiers /ASSIST, /BLOCKSIZE,                     /COMMENT, and /DENSITY are not allowed. With /NOMOUNT, the defaults are /NOUNLOAD, /NOREWIND, /STREAM, and
/WRITE.

/REWIND                       /NOREWIND

Whether to rewind the drive when it is closed. The default is                   /REWIND.

/STREAM                       /NOSTREAM

Whether to read the tape in record (/NOSTREAM) or byte-stream       (/STREAM) mode. The default is /STREAM.

/UNLOAD                      /NOUNLOAD

Whether to unload the drive when it is closed. The default is                    /UNLOAD.

/WRITE                           /NOWRITE

Whether you can write to the volume. The default is /WRITE.

RMT CD-ROM Qualifiers indicates the supported option for remote access to the CD-ROM drive.

Table 16-4     RMT CD-ROM Qualifiers

Qualifier...

Defines...

/CD

Indicates that the remote device is a CD-ROM device.

Client Examples

The following steps perform rdump and rrestore from a Sun UNIX client system. They dump two Sun directories to the tape by issuing separate rdump commands. They then restore files selectively from the tape to the Sun client system:

1   Put the directories on the tape by issuing two rdump commands:

SUN>/etc/rdump 0f homer:mkb600/nomount /
SUN> /etc/rdump 0f homer:mkb600/nomount/rewind /usr

Include the /nomount qualifier with the first rdump to keep OpenVMS from rewinding the tape (even though rdump on the Sun reports to the contrary). The additional
/rewind qualifier for the second rdump actually rewinds the tape.

2   Restore the files selectively from the tape using rrestore. In this example, rrestore extracts .rlogin from the second (2) dump file on the tape:

SUN>/etc/rrestore fsx homer:mkb600/nomount/rewind 2 .rlogin

In this example, rrestore invokes the interactive utility to let the user specify particular files that were put on the tape in the first (1) dump file. The add command then adds the files to the extraction list and the extract command restores them:

SUN>/etc/rrestore fis homer:mkb600/unload 1
restore>add /users
restore>extract

The rrestore command may display messages such as You have not read any volumes yet and ask you to specify the next volume. Although the messages may appear, rrestore should work properly.