
10 May 1999
Problem: How do I set up remote logins across the Internet, through firewalls, between two systems?
Solution: Using the figure below: users on System A.x.com need to log on to System C.y.com, and users on System C.y.com need to log on to System A.x.com. Both B.x.com and D.y.com are on the Internet, run DNS, and have valid Internet IP addresses and settings.

To configure the login access do the following:
Ensure you have at least two valid non-root users on System A and System C.
Perform the following, each on System B & System D:
- Create 2 users, dialin and dialout, each a member of the guest group and using the default shell.
User dialin is used to access into Systems A & C from the Internet via Systems B & D respectively.
User dialout is used to access out of Systems A & C via Systems B & D respectively.
- chown root:sys on the home directory of each user, e.g. chown root:sys /u/dialout.
- chmod 755 on each home directory.
- Create a host equivalency by adding a .rhosts file to each home directory with the following contents:
System B dialin .rhosts:
    y.com dialout
System B dialout .rhosts:
    a.x.com user1
    a.x.com user2
System D dialin .rhosts:
    x.com dialout
System D dialout .rhosts:
    c.y.com user3
    c.y.com user4
Where user1 & user2 are users on System A needing access to System C, and user3 & user4 are users on System C needing access to System A.
- Within each home directory: chmod 744 .*; chown root:sys .* (all files beginning with '.')
- Create guest ftp access for each of the dialin and dialout users. This restricts ftp to the home directory.
Follow these steps for ftp creation:
cd to each home directory of dialin and dialout on each System.
# mkdir bin dev etc lib usr usr/lib etc/msgs
# chown root:sys bin etc dev lib usr usr/lib etc/msgs
# chmod 755 bin etc dev lib usr usr/lib etc/msgs
# mkdir pub (dialin user only; pub is where incoming files from the Internet are stored for transfer to Systems A & C)
# chown root:sys pub (dialin user only)
# chmod 777 pub (dialin user only)
# cd bin
# cp /bin/ls .
# chmod 111 ls
# cd ../etc
# cp /etc/passwd .
# cp /etc/group .
# chmod 444 passwd group
# cd ../lib
# cp /lib/libprot.so.1 .
# chmod 555 lib*
# chown bin lib*
# cd ../usr/lib
# cp /usr/lib/libc.so.1 .
# cp /usr/lib/libsocket.so.1 .
# chmod 555 lib*
# chown bin lib*
# cd ../..
# find /dev/socksys -print |cpio -dumpv /usr/guests
0 blocks
# find /dev/zero -print | cpio -dumpv /usr/guests
0 blocks
- (Optional) Add an entry in /etc/default/cleantmp: append /u/dialin/pub to the 'TMPDIRS=' line (cleans old files out of the pub directory).
- (Optional) Create an ftp welcome message for each user, dialin & dialout, in the etc/msgs sub-directory of their home directory, named welcome.msg.
For example, the etc/msgs/welcome.msg file under the dialin home directory could carry a welcome message reminding ftp users to put their files into the pub directory.
- Add the following as the last line of .profile of each user on System B & System D:
System B dialin .profile:
    telnet -E -r a.x.com
System B dialout .profile:
    rlogin -E -l dialin y.com
System D dialin .profile:
    telnet -E -r c.y.com
System D dialout .profile:
    rlogin -E -l dialin x.com
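As an added example, not part of the original note, the following POSIX shell audit checks a dialin or dialout home directory on System B or D against the layout described above: dotfiles 744 and root-owned, .rhosts made of explicit host/user pairs with no '+' wildcards, .profile ending in the telnet/rlogin -E hand-off, and the guest ftp tree with the listed modes (pub present and 777 only for dialin, nothing else under the tree world-writable). The function name audit_guest_home and its arguments are assumptions; the expected owners default to root and bin as in the steps above and can be overridden for a dry run as an unprivileged user.

```shell
#!/bin/sh
# audit_guest_home DIR dialin|dialout [owner] [libowner]
# Hypothetical helper: verifies a dialin/dialout home on System B or D
# against the configuration steps above. Exit 0 when everything matches.

mode_of() {
    # Symbolic mode string (e.g. drwxr-xr-x); portable across ls variants
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

expect() {
    # expect PATH MODE OWNER: report and return 1 on any mismatch
    erc=0
    if [ ! -e "$1" ]; then echo "FAIL: $1 missing"; return 1; fi
    [ "$(mode_of "$1")" = "$2" ] || { echo "FAIL: $1 mode $(mode_of "$1"), want $2"; erc=1; }
    [ "$(owner_of "$1")" = "$3" ] || { echo "FAIL: $1 owner $(owner_of "$1"), want $3"; erc=1; }
    return $erc
}

check_rhosts() {
    # Host equivalency must be explicit "host user" pairs: no '+' wildcards,
    # no single-field (any user from host) entries, no trailing fields.
    rrc=0
    [ -f "$1/.rhosts" ] || { echo "FAIL: $1/.rhosts missing"; return 1; }
    while read -r host user extra; do
        [ -z "$host" ] && continue
        case "$host$user" in *+*) echo "FAIL: wildcard in .rhosts: $host $user"; rrc=1 ;; esac
        if [ -z "$user" ] || [ -n "$extra" ]; then
            echo "FAIL: malformed .rhosts line: $host $user $extra"; rrc=1
        fi
    done < "$1/.rhosts"
    return $rrc
}

check_profile() {
    # The last line of .profile must hand the session on with telnet/rlogin -E,
    # so the guest account never lands in an interactive shell on B or D.
    last=$(sed -n '$p' "$1/.profile" 2>/dev/null)
    case "$last" in
        "telnet -E "*|"rlogin -E "*) return 0 ;;
        *) echo "FAIL: $1/.profile last line is '$last', expected telnet/rlogin -E hand-off"; return 1 ;;
    esac
}

check_ftp_tree() {
    # Guest ftp tree: 755 directories, execute-only ls, read-only passwd/group,
    # read/execute libraries owned by libowner; pub (777) only for dialin.
    fhome=$1 frole=$2 fown=$3 flibown=$4 frc=0
    for d in bin dev etc lib usr usr/lib etc/msgs; do
        expect "$fhome/$d" drwxr-xr-x "$fown" || frc=1
    done
    expect "$fhome/bin/ls" ---x--x--x "$fown" || frc=1
    expect "$fhome/etc/passwd" -r--r--r-- "$fown" || frc=1
    expect "$fhome/etc/group" -r--r--r-- "$fown" || frc=1
    for f in "$fhome"/lib/lib* "$fhome"/usr/lib/lib*; do
        [ -e "$f" ] && { expect "$f" -r-xr-xr-x "$flibown" || frc=1; }
    done
    if [ "$frole" = dialin ]; then
        expect "$fhome/pub" drwxrwxrwx "$fown" || frc=1
    elif [ -e "$fhome/pub" ]; then
        echo "FAIL: $fhome/pub should not exist for $frole"; frc=1
    fi
    # Nothing outside pub may be world-writable (pub subtree is pruned)
    bad=$(find "$fhome" -type d -name pub -prune -o -perm -002 -print)
    [ -z "$bad" ] || { echo "FAIL: world-writable outside pub:"; echo "$bad"; frc=1; }
    return $frc
}

audit_guest_home() {
    ahome=$1 arole=$2 aown=${3:-root} alibown=${4:-bin} arc=0
    case "$arole" in dialin|dialout) ;; *) echo "usage: audit_guest_home DIR dialin|dialout [owner] [libowner]"; return 2 ;; esac
    expect "$ahome" drwxr-xr-x "$aown" || arc=1
    for f in "$ahome"/.[!.]*; do            # dotfiles: chmod 744, chown root
        [ -e "$f" ] && { expect "$f" -rwxr--r-- "$aown" || arc=1; }
    done
    check_rhosts "$ahome" || arc=1
    check_profile "$ahome" || arc=1
    check_ftp_tree "$ahome" "$arole" "$aown" "$alibown" || arc=1
    [ $arc -eq 0 ] && echo "OK: $ahome ($arole)"
    return $arc
}
```

Run it as root on System B and D after the steps above, e.g. `audit_guest_home /u/dialin dialin` and `audit_guest_home /u/dialout dialout`; the group (sys) is not checked, only the owner, since that is what the chown lines in the steps pin down.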
- Create script named loginC.sh for users on System A to get to System C:
mapchan -n
rlogin -E -l dialout B.x.com
- Create script named loginA.sh for users on System C to get to System A:
mapchan -n
rlogin -E -l dialout D.y.com
- To test login from A to C: login to System A as a user that is defined in
the .rhosts file on System B.
Run the loginC.sh script.
You should be prompted with a login from System C.
If not, verify:
- rlogin to System D is in the dialout .profile of System B.
- the line "B.x.com dialout" is in the .rhosts on System D.
- telnet to System C is in the dialin .profile of System B.
- To test login from C to A: login to System C as a user that is defined in
the .rhosts file on System D.
Run the loginA.sh script.
You should be prompted with a login from System A.
If not, verify:
- rlogin to System B is in the dialout .profile of System D.
- the line "D.y.com dialout" is in the .rhosts on System B.
- telnet to System A is in the dialin .profile of System B.
© Copyright Computer Business Consultants, Inc. All rights reserved.