Had to change it back! Wietse's rexec does not work with PAM (and therefore LDAP). This is easily checked via

    ldd /usr/sbin/rexec.wietse | grep pam

So put back Solaris's version and ensured /etc/pam.conf was correct:

    #
    other auth sufficient /usr/lib/security/pam_unix.so.1
    other auth required /usr/lib/security/pam_ldap.so.1 use_first_pass
    #
    # ...or...
    #
    # other auth required /usr/lib/security/pam_unix.so.1
    #
    # ...but not...
    #
    # other auth required /usr/lib/security/pam_unix.so.1
    # other auth required /usr/lib/security/pam_ldap.so.1 use_first_pass
    #
    # ...one gets...
    #
    # Login incorrect.
    # rexec: Error in rexec system call,
    # rexec: (The following system error may itself be in error)
    # rexec: No such file or directory
    #
    # This we do need...
    #
    other account required /usr/lib/security/pam_unix.so.1
    other session required /usr/lib/security/pam_unix.so.1
    other password required /usr/lib/security/pam_unix.so.1

My TCP Wrappers has a replacement for rexec which does log. The documentation says it logs to syslog facility daemon, priority info.
Downloaded, compiled, stuck in /usr/sbin:

    ls -l /usr/sbin/*rexec*
    lrwxrwxrwx 1 root other 13 Jun 13 09:59 \
        /usr/sbin/in.rexecd -> rexecd.weitse
    -r-xr-xr-x 1 bin bin 11744 Jun 13 09:58 /usr/sbin/rexecd.solaris_2.7
    -r-xr-xr-x 1 bin bin 39740 Jun 13 10:28 /usr/sbin/rexecd.weitse

/etc/inetd.conf required no changes because of the link above.
Initially stuff was logged to /var/log/syslog --- but only connection info, no uid, command... Edited /etc/syslog.conf...

    *.info /var/log/info

touched /var/log/info, kill -HUPed /usr/sbin/syslogd and tested rexec. Logged ok, but info contains too much. So re-edited /etc/syslog.conf...

    daemon.info /var/log/info

and kill -HUPed again. No joy! A look at the rexec source code and Makefile showed that contrary to the documentation logging went to facility auth not daemon; hacked the Makefile/source code, re-compiled, re-installed. Joy!
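
The selector behaviour behind the "No joy!" above, as an added example (not from these notes or from the TCP Wrappers source): a small Python model of how syslogd matches a syslog.conf selector against a message's facility and priority. The function names and sample configs are constructed for illustration, and Solaris's special handling of the mark facility is left out.

```python
"""Added example: why `daemon.info` missed messages logged to facility auth."""

# Priority names in syslog order, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def selector_matches(selector, facility, level):
    """Return True if one syslog.conf selector field takes the message.

    A selector is a ';'-separated list of `facilities.level` terms; the
    facilities part is a ','-separated list or '*'. A term matches the named
    level and anything more severe; level `none` switches the facility off.
    Later terms override earlier ones.
    """
    matched = False
    for term in selector.split(";"):
        facilities, _, wanted = term.strip().rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this term says nothing about our facility
        if wanted == "none":
            matched = False
        elif LEVELS.index(level) <= LEVELS.index(wanted):
            matched = True
    return matched


def destinations(conf_text, facility, level):
    """List the action field of every config line that takes the message."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            hits.append(action.strip())
    return hits


# Constructed configs mirroring the two syslog.conf edits in the notes.
STAGE_ALL = "*.info\t/var/log/info\n"
STAGE_DAEMON = "daemon.info\t/var/log/info\n"

if __name__ == "__main__":
    print("*.info, msg auth.info      ->", destinations(STAGE_ALL, "auth", "info"))
    print("daemon.info, msg auth.info ->", destinations(STAGE_DAEMON, "auth", "info"))
    # After the rebuild the daemon logs to facility daemon, so the line matches.
    print("daemon.info, msg daemon.info ->", destinations(STAGE_DAEMON, "daemon", "info"))
```

The middle case returns an empty list: a message sent to facility auth never reaches a `daemon.info` line, which is why the catch-all `*.info` logged the rexec details and the narrower selector did not.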
...is the Sunshield Basic Security Module.