Recently we got a case where customer was unable to run RSH command from Windows RSH client to an AIX RSH server. The error message was “Permission denied”.
For RSH client, there is not much of setting that needs to be done on the Windows side. SUA SDK was installed. Also checked the inetd.conf file and removed the comment entries for the following files:
shell stream tcp nowait NULL /usr/sbin/in.rshd in.rshd -a
exec stream tcp nowait NULL /usr/sbin/in.rexecd in.rexecd
login stream tcp nowait NULL /usr/sbin/in.rlogind in.rlogind -a
On the AIX side, RSH was configured using the .rhosts file. The setting is similar to what we do when we set RSH on Windows.
Later we found the issue was happening only with domain users and not with local users. So when we ran the command below logged in as domain user, we got permission denied.
- rsh –l <root> <IP address of RSH server> ls ==> ( Permission denied)
Then we checked the entry in the .rhost file on AIX and found that for the domain users; only the user name was mentioned. We modied the entry as below and restarted the inetd services. This resolved the issue.
Then customer had another question on the configuration needed for firewall. In the current scenario, we had turned off the firewall setting to allow RSH. We suggested the below settings.
- Control Panel ==> Windows Firewall ==> Advance setting ==> Right click on Inbound rules ==> new rules
- You will get the New Inbound rule Wizard
- Select Port ==> select the option Specific local ports==> mention the range “512-1023” ==> click next
- Select the option Allow the connection ==> click next
- Select all the option Domain, private, public ==> click next
- Givethe rule name and click Finish
- Once done, select the new rule and go to the properties
- click on the tab which says Programs and Services
- Select the option "This program" ( not ALL programs) and browse to the file called psxss.exe under System32 folder.
- By selecting the above option only programs that are being used by psxss.exe would be able to connect on the port.
- There are other options also to make it secure like putting in the computer name.