Tuesday, 14 June 2016

rsh tip

I call my Rsh tip "double rsh".

Rsh is nice. Rsh is "remote shell": it lets you run a program on a remote computer and see its output locally, with no password prompt, because it trusts the calling host rather than authenticating the user.

First, you need to install the server on the target machine, if it isn't already there (the client package goes on the machine you will type the commands on). I'll use a target machine called duffy.

yum install rsh rsh-server

It's run by the xinetd super-server, so in /etc/xinetd.d you need to create a file called rsh. The service name inside it is "shell", which is what /etc/services calls port 514/tcp, and the whole block has to be wrapped in braces:

service shell
{
    socket_type     = stream
    wait            = no
    user            = root
    log_on_success  += USERID
    log_on_failure  += USERID
    server          = /usr/sbin/in.rshd
    disable         = no
}

Then restart the xinetd server with systemctl restart xinetd.service

Next, you need to tell it which computers are allowed to execute commands remotely. You need to be careful here; you don't want Hacky McHackface running things on your computer. So in /etc/hosts.equiv, you put your list of trusted computers. Make sure that they are trusted! That list is the whole of rsh's security: the server accepts a command if the connection comes from a host on the list (or in the remote user's ~/.rhosts) and from a reserved source port below 1024, and that's it. No password, no key, and everything, including the output, goes over the wire in clear text. So a host on that list that gets compromised, or an attacker who can spoof its address, can run commands on duffy.

Now you're ready to test it. Try

rsh duffy uptime

That should give you the uptime of duffy. If it didn't work, something's wrong, and it might well be the firewall, because rsh works in a mysterious way, its wonders to perform.

rsh contacts the remote server on port 514, from a reserved source port of its own, and tells the server a second port number. The server then opens a connection back to the client on that port, which is somewhere in the range 512-1023, and uses it to carry stderr. If your firewall blocks incoming connections (which, of course, it should), that second connection is refused and rsh either hangs or fails, and you'll need to use ssh instead, because ssh does everything, stdout and stderr both, over the single outbound connection to port 22. Once upon a time, in a land far away, we didn't need firewalls. But that's not been true for 25 years now. That's why rsh (and ftp in "active" mode, which does the same trick for its data connection) thinks it can make a connection back inbound to a random port.
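To make the "connection back" concrete, here is an added example (not code from the original post) that builds and parses the request an rsh client sends to in.rshd, and imitates the server's host-based check. The wire format is the BSD rshd one: the client sends the stderr port as ASCII decimal, then the local user name, the remote user name and the command, each terminated by a NUL byte; a port of 0 means "no separate stderr channel", anything else is a port the server must connect back to. The host names, user names and the trusted-host set are constructed for the example and stand in for a real /etc/hosts.equiv.

```python
"""
Added example: the bytes an rsh client puts on the wire to in.rshd (TCP 514),
a parser for them, and a simplified version of rshd's host-based check.
Names and the trusted-host list below are constructed for the example.
"""

# Source ports rshd insists on for both the control and the stderr connection.
RESERVED_PORTS = range(512, 1024)


def build_request(stderr_port, local_user, remote_user, command):
    """Encode an rshd request as the client sends it:
    <stderr port>\\0<local user>\\0<remote user>\\0<command>\\0
    A non-zero stderr port asks the server to connect back to the client.
    """
    if stderr_port != 0 and stderr_port not in RESERVED_PORTS:
        raise ValueError("stderr port must be 0 or in the reserved range 512-1023")
    for field in (local_user, remote_user, command):
        if "\0" in field:
            raise ValueError("fields are NUL-terminated and may not contain NUL")
    return ("%d\0%s\0%s\0%s\0" % (stderr_port, local_user, remote_user, command)).encode("utf-8")


def parse_request(data):
    """Split a raw rshd request into its four fields.

    Returns a dict with the advertised stderr port and the three strings,
    plus a flag saying whether the server would have to open an *inbound*
    connection to the client (the thing a firewall blocks).
    """
    if not data.endswith(b"\0"):
        raise ValueError("truncated request: missing final NUL")
    fields = data[:-1].split(b"\0")
    if len(fields) != 4:
        raise ValueError("expected 4 NUL-terminated fields, got %d" % len(fields))
    port_s, local_user, remote_user, command = (f.decode("utf-8") for f in fields)
    if not port_s.isdigit():
        raise ValueError("stderr port is not a decimal number: %r" % port_s)
    port = int(port_s)
    return {
        "stderr_port": port,
        "local_user": local_user,
        "remote_user": remote_user,
        "command": command,
        "needs_inbound_connection": port != 0,
    }


def would_accept(client_host, client_port, trusted_hosts):
    """Simplified rshd access decision: reserved source port + trusted host.

    Real in.rshd resolves the peer address and consults /etc/hosts.equiv and
    the remote user's ~/.rhosts; this stand-in takes the trusted set directly.
    Note there is no secret anywhere in this decision.
    """
    return client_port in RESERVED_PORTS and client_host in trusted_hosts


if __name__ == "__main__":
    req = build_request(1022, "alice", "alice", "uptime")
    print(req)                       # b'1022\x00alice\x00alice\x00uptime\x00'
    print(parse_request(req))        # needs_inbound_connection: True
    print(parse_request(build_request(0, "alice", "alice", "uptime")))  # False

    trusted = {"xantl", "duffy"}     # stand-in for /etc/hosts.equiv
    print(would_accept("xantl", 1023, trusted))    # True
    print(would_accept("xantl", 40000, trusted))   # False: unprivileged source port
    print(would_accept("evil", 1023, trusted))     # False: not in hosts.equiv
```

Two things to notice: the second field of the request is exactly what makes rsh firewall-hostile (a port the server is expected to reach inbound), and the two user names are simply asserted by the client, so the only thing standing between a stranger and a shell on duffy is the contents of hosts.equiv and the source address of the packet.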

ssh username@duffy 'uptime'

That will work, but it's a lot slower than rsh, because every ssh connection does a key exchange and encrypts everything, while rsh just sends the command in the clear and runs it.

I have a firewall protecting my machines in Cheltenham, and another firewall protecting them here. Because I trust my machines at both sites, my firewall is very open between those two sites (and very closed to anyone else, allowing only those services that I want to allow).

I also have three DSL lines, and on each of them there's a router, and that router includes a firewall. There is a way to allow particular services in to the DSL, but I don't see a way to open up a whole range. So I couldn't use rsh over the DSL lines, and I was using ssh instead. But then I had an idea.

I call it "double rsh".

Here's what I did:

rsh xantl rsh duffy uptime

So the machine behind the DSL does an rsh to xantl, which is on the main 2 Mbit line, and xantl does the rsh to duffy. And it works! It works because duffy's connection back now goes to xantl, which sits behind the open site firewall rather than behind a DSL router that can't open a port range. Naturally, xantl has to trust the DSL machine in its hosts.equiv, and duffy has to trust xantl, so the hop machine is trusted by everything downstream of it.

Here's what I use it for.

I need to do backups of the machines in Cheltenham, but my puny 2 mbit line isn't enough, that's why I also run three DSLs, which are cheap, slightly unreliable, and about 3-4 times as fast as the 2 mbit line. The backup is done by all three machines, and I have a thing in Cheltenham that lists what needs to be backed up.

Each of the DSL-attached servers checks that list to see what needs to be done, ticks off the first entry as being done, and then backs it up. So I use the double rsh for checking the list and ticking off, and ssh for the actual backup. Checking the list doesn't eat into the 2 Mbit bandwidth, but doing the actual backup does, so that has to be done over the DSL line, and for that I use rsync, another delightful utility.
