in.rshd man page on OpenIndiana

Man page or keyword search:  
man Server   20441 pages
apropos Keyword Search (all sections)
Output format
OpenIndiana logo
[printable version]

in.rshd(1M)		System Administration Commands		   in.rshd(1M)

NAME
       in.rshd, rshd - remote shell server

SYNOPSIS
       in.rshd [-k5eciU] [-s tos] [-S keytab] [-M realm]
	    [-L env_var] host.port

DESCRIPTION
       in.rshd	is  the	 server	 for  the  rsh(1) program. The server provides
       remote execution facilities with authentication based on Kerberos V5 or
       privileged port numbers.

       in.rshd is invoked by inetd(1M) each time a shell service is requested.

       When  Kerberos V5 authentication is required (this can be set with Ker‐
       beros-specific options listed below), the following protocol is	initi‐
       ated:

	   1.	  Check Kerberos V5 authentication.

	   2.	  Check	    authorization     according	    to	   rules    in
		  krb5_auth_rules(5).

	   3.	  A null byte is returned on the initial socket and  the  com‐
		  mand	line  is passed to the normal login shell of the user.
		  (The PATH variable is set to /usr/bin.) The  shell  inherits
		  the network connections established by in.rshd.

       In  order  for  Kerberos authentication to work, a host/<FQDN> Kerberos
       principal must exist for each Fully Qualified  Domain  Name  associated
       with the in.rshd server. Each of these host/<FQDN> principals must have
       a keytab entry in the /etc/krb5/krb5.keytab file on the in.rshd server.
       An example principal might be:

       host/bigmachine.eng.example.com

       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to
       a krb5.keytab file. See	for a discussion of Kerberos authentication.

       If Kerberos V5 authentication is not enabled, then in.rshd executes the
       following protocol:

	   1.	  The  server  checks the client's source port. If the port is
		  not in the range 512-1023, the server aborts the connection.
		  The client's host address (in hex) and port number (in deci‐
		  mal) are the arguments passed to in.rshd.

	   2.	  The server reads characters from the socket up to a null ( )
		  byte.	 The  resultant string is interpreted as an ASCII num‐
		  ber, base 10.

	   3.	  If the number received in step 2 is non-zero, it  is	inter‐
		  preted  as  the port number of a secondary stream to be used
		  for the stderr. A second connection is then created  to  the
		  specified  port  on the client's machine. The source port of
		  this second connection is also in the range 512-1023.

	   4.	  A null-terminated user name of  at  most  16	characters  is
		  retrieved  on	 the  initial socket. This user name is inter‐
		  preted as the user identity on the client's machine.

	   5.	  A null terminated user name of  at  most  16	characters  is
		  retrieved  on	 the  initial socket. This user name is inter‐
		  preted as a user identity to use on the server's machine.

	   6.	  A null terminated  command  to  be  passed  to  a  shell  is
		  retrieved  on	 the initial socket. The length of the command
		  is limited by the upper bound on the size  of	 the  system's
		  argument list.

	   7.	  in.rshd  then	 validates the user according to the following
		  steps. The remote user name is looked	 up  in	 the  password
		  file	and a chdir is performed to the user's home directory.
		  If the lookup fails, the connection is  terminated.  If  the
		  chdir fails, it does a chdir to / (root). If the user is not
		  the superuser, (user ID 0), and if the  pam_rhosts_auth  PAM
		  module   is	configured   for   authentication,   the  file
		  /etc/hosts.equiv is consulted for a list of hosts considered
		  "equivalent".	 If  the client's host name is present in this
		  file, the authentication is considered successful.  See  the
		  SECURITY  section  below for a discussion of PAM authentica‐
		  tion.

		  If the lookup fails, or the user is the superuser, then  the
		  file	.rhosts	 in  the  home directory of the remote user is
		  checked for the machine name and identity of the user on the
		  client's  machine.  If  this lookup fails, the connection is
		  terminated

	   8.	  A null byte is returned on the initial  connection  and  the
		  command  line	 is  passed  to	 the normal login shell of the
		  user. The PATH variable is set to /usr/bin. The shell inher‐
		  its the network connections established by in.rshd.

OPTIONS
       The following options are supported:

       -5	     Same as -k, for backwards compatibility

       -c	     Requires  Kerberos	 V5 clients to present a cryptographic
		     checksum of initial connection information like the  name
		     of	 the  user  that the client is trying to access in the
		     initial authenticator. This checksum  provides  additionl
		     security by preventing an attacker from changing the ini‐
		     tial connection  information.  This  option  is  mutually
		     exclusive with the -i option.

       -e	     Requires the client to encrypt the connection.

       -i	     Ignores  authenticator checksums if provided. This option
		     ignores authenticator checksums presented by current Ker‐
		     beros  clients to protect initial connection information.
		     Option -i is the opposite of option -c.

       -k	     Allows  Kerberos  V5  authentication  with	 the  .k5login
		     access control file to be trusted. If this authentication
		     system is used by the client and the authorization	 check
		     is passed, then the user is allowed to log in.

       -L env_var    List  of  environment variables that need to be saved and
		     passed along.

       -M realm	     Uses the indicated Kerberos V5  realm.  By	 default,  the
		     daemon  will determine its realm from the settings in the
		     krb5.conf(4) file.

       -s tos	     Sets the IP TOS option.

       -S keytab     Sets     the     KRB5     keytab	  file	   to	  use.
		     The/etc/krb5/krb5.keytab file is used by default.

       -U	     Refuses  connections  that	 cannot	 be  mapped  to a name
		     through the getnameinfo(3SOCKET) function.

USAGE
       rshd and in.rshd are IPv6-enabled. See ip6(7P). IPv6 is	not  currently
       supported with Kerberos V5 authentication.

       The  Kerberized rshd service runs on port 544 (kshell). The correspond‐
       ing FMRI entry is: :

	 svc:/network/shell:kshell (rshd with kerberos (ipv4 only))

SECURITY
       in.rshd uses pam(3PAM) for authentication, account management, and ses‐
       sion   management.   The	  PAM  configuration  policy,  listed  through
       /etc/pam.conf, specifies the modules to be used for in.rshd. Here is  a
       partial	pam.conf  file	with  entries for the rsh command using rhosts
       authentication, UNIX account management, and session management module.

       rsh	  auth	     required	pam_rhosts_auth.so.1

       rsh	  account    required	pam_unix_roles.so.1
       rsh	  session    required	pam_unix_projects.so.1
       rsh	  session    required	pam_unix_account.so.1

       rsh	  session    required	pam_unix_session.so.1

       If there are no entries for the rsh service, then the entries  for  the
       "other"	service	 are  used. To maintain the authentication requirement
       for  in.rshd,  the  rsh	entry  must  always  be	 configured  with  the
       pam_rhosts_auth.so.1 module.

       in.rshd can authenticate using Kerberos V5 authentication or pam(3PAM).
       For Kerberized rsh service, the appropriate PAM service name is krsh.

FILES
       /etc/hosts.equiv

       $HOME/.k5login	      File containing  Kerberos	 principals  that  are
			      allowed access.

       /etc/krb5/krb5.conf    Kerberos configuration file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬────────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	      ATTRIBUTE VALUE	      │
       ├─────────────────────────────┼────────────────────────────────┤
       │Availability		     │service/network/network-servers │
       └─────────────────────────────┴────────────────────────────────┘

SEE ALSO
       rsh(1),	 svcs(1),  gkadmin(1M),	 inetadm(1M),  inetd(1M),  kadmin(1M),
       svcadm(1M), pam(3PAM),  getnameinfo(3SOCKET),  hosts(4),	 krb5.conf(4),
       pam.conf(4),   attributes(5), environ(5), krb5_auth_rules(5), pam_auth‐
       tok_check(5), pam_authtok_get(5), pam_authtok_store(5),	pam_dhkeys(5),
       pam_passwd_auth(5),	 pam_rhosts_auth(5),	  pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5), smf(5), ip6(7P)

DIAGNOSTICS
       The following diagnostic messages are returned on the connection	 asso‐
       ciated  with stderr, after which any network connections are closed. An
       error is indicated by a leading byte with a value of 1 in step 8	 above
       (0  is returned above upon successful completion of all the steps prior
       to the command execution).

       locuser too long

	   The name of the user on the client's	 machine  is  longer  than  16
	   characters.

       remuser too long

	   The	name of the user on the remote machine is longer than 16 char‐
	   acters.

       command too long

	   The command line passed exceeds the size of the argument  list  (as
	   configured into the system).

       Hostname for your address unknown.

	   No  entry  in  the  host  name  database  existed  for the client's
	   machine.

       Login incorrect.

	   No password file entry for the user name existed.

       Permission denied.

	   The authentication procedure described above failed.

       Can't make pipe.

	   The pipe needed for the stderr was not created.

       Try again.

	   A fork by the server failed.

NOTES
       The authentication procedure used here assumes the  integrity  of  each
       client  machine	and the connecting medium. This is insecure, but it is
       useful in an "open" environment.

       A facility to allow all	data  exchanges	 to  be	 encrypted  should  be
       present.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth‐
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

       The in.rshd service is managed  by  the	service	 management  facility,
       smf(5), under the service identifier:

	 svc:/network/shell:default

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using  svcadm(1M).	Responsibility
       for  initiating	and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.11			  10 Nov 2005			   in.rshd(1M)
[top]

List of man pages available for OpenIndiana

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net