in.rshd man page on SunOS

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
SunOS logo
[printable version]

in.rshd(1M)		System Administration Commands		   in.rshd(1M)

NAME
       in.rshd, rshd - remote shell server

SYNOPSIS
       in.rshd	[-k5eciU]  [-s	tos]  [-S  keytab]  [-M	 realm]	 [-L  env_var]
       host.port

DESCRIPTION
       in.rshd is the server for  the  rsh(1)  program.	 The  server  provides
       remote execution facilities with authentication based on Kerberos V5 or
       privileged port numbers.

       in.rshd is invoked by inetd(1M) each time a shell service is requested.

       When Kerberos V5 authentication is required (this can be set with  Ker‐
       beros-specific  options listed below), the following protocol is initi‐
       ated:

       1.  Check Kerberos V5 authentication.

       2.  Check authorization according to rules in krb5_auth_rules(5).

       3.  A null byte is returned on the initial socket and the command  line
	   is passed to the normal login shell of the user. (The PATH variable
	   is set to /usr/bin.) The shell  inherits  the  network  connections
	   established by in.rshd.

       In  order  for  Kerberos authentication to work, a host/<FQDN> Kerberos
       principal must exist for each Fully Qualified  Domain  Name  associated
       with the in.rshd server. Each of these host/<FQDN> principals must have
       a keytab entry in the /etc/krb5/krb5.keytab file on the in.rshd server.
       An example principal might be:

	      host/bigmachine.eng.example.com

       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to
       a krb5.keytab file. See System Administration Guide: Security  Services
       for a discussion of Kerberos authentication.

       If Kerberos V5 authentication is not enabled, then in.rshd executes the
       following protocol:

       1.  The server checks the client's source port. If the port is  not  in
	   the	range 512-1023, the server aborts the connection. The client's
	   host address (in hex) and port number (in decimal)  are  the	 argu‐
	   ments passed to in.rshd.

       2.  The	server reads characters from the socket up to a null ( ) byte.
	   The resultant string is interpreted as an ASCII number, base 10.

       3.  If the number received in step 2 is non-zero, it is interpreted  as
	   the	port number of a secondary stream to be used for the stderr. A
	   second connection is then created to	 the  specified	 port  on  the
	   client's machine. The source port of this second connection is also
	   in the range 512-1023.

       4.  A null-terminated user name of at most 16 characters	 is  retrieved
	   on  the  initial  socket. This user name is interpreted as the user
	   identity on the client's machine.

       5.  A null terminated user name of at most 16 characters	 is  retrieved
	   on  the  initial  socket.  This  user name is interpreted as a user
	   identity to use on the server's machine.

       6.  A null terminated command to be passed to a shell is	 retrieved  on
	   the	initial	 socket.  The  length of the command is limited by the
	   upper bound on the size of the system's argument list.

       7.  in.rshd then validates the user according to the  following	steps.
	   The	remote user name is looked up in the password file and a chdir
	   is performed to the user's home directory. If the lookup fails, the
	   connection  is terminated. If the chdir fails, it does a chdir to /
	   (root). If the user is not the superuser, (user ID 0), and  if  the
	   pam_rhosts_auth  PAM	 module	 is configured for authentication, the
	   file /etc/hosts.equiv is consulted for a list of  hosts  considered
	   "equivalent".  If  the  client's host name is present in this file,
	   the authentication is considered successful. See the SECURITY  sec‐
	   tion below for a discussion of PAM authentication.

	   If  the  lookup  fails, or the user is the superuser, then the file
	   .rhosts in the home directory of the remote user is checked for the
	   machine  name  and identity of the user on the client's machine. If
	   this lookup fails, the connection is terminated

       8.  A null byte is returned on the initial connection and  the  command
	   line	 is  passed  to	 the  normal login shell of the user. The PATH
	   variable is set to /usr/bin. The shell inherits the network connec‐
	   tions established by in.rshd.

OPTIONS
       The following options are supported:

       -5	       Same as -k, for backwards compatibility

       -c	       Requires Kerberos V5 clients to present a cryptographic
		       checksum of initial  connection	information  like  the
		       name of the user that the client is trying to access in
		       the initial authenticator. This checksum provides addi‐
		       tionl  security by preventing an attacker from changing
		       the initial  connection	information.  This  option  is
		       mutually exclusive with the -i option.

       -e	       Requires the client to encrypt the connection.

       -i	       Ignores	 authenticator	checksums  if  provided.  This
		       option ignores  authenticator  checksums	 presented  by
		       current	Kerberos clients to protect initial connection
		       information. Option -i is the opposite of option -c.

       -k	       Allows Kerberos V5  authentication  with	 the  .k5login
		       access  control file to be trusted. If this authentica‐
		       tion system is used by the client and the authorization
		       check is passed, then the user is allowed to log in.

       -L env_var      List of environment variables that need to be saved and
		       passed along.

       -M realm	       Uses the indicated Kerberos V5 realm. By	 default,  the
		       daemon  will  determine	its realm from the settings in
		       the krb5.conf(4) file.

       -s tos	       Sets the IP TOS option.

       -S keytab       Sets    the    KRB5     keytab	  file	   to	  use.
		       The/etc/krb5/krb5.keytab file is used by default.

       -U	       Refuses	connections  that  cannot  be mapped to a name
		       through the getnameinfo(3SOCKET) function.

USAGE
       rshd and in.rshd are IPv6-enabled. See ip6(7P). IPv6 is	not  currently
       supported with Kerberos V5 authentication.

       The  Kerberized rshd service runs on port 544 (kshell). The correspond‐
       ing FMRI entry is: :

       svc:/network/shell:kshell (rshd with kerberos (ipv4 only))

SECURITY
       in.rshd uses pam(3PAM) for authentication, account management, and ses‐
       sion   management.   The	  PAM  configuration  policy,  listed  through
       /etc/pam.conf, specifies the modules to be used for in.rshd. Here is  a
       partial	pam.conf  file	with  entries for the rsh command using rhosts
       authentication, UNIX account management, and session management module.

       rsh	 auth	   required   pam_rhosts_auth.so.1

       rsh	 account   required   pam_unix_roles.so.1
       rsh	 session   required   pam_unix_projects.so.1
       rsh	 session   required   pam_unix_account.so.1

       rsh	 session   required   pam_unix_session.so.1

       If there are no entries for the rsh service, then the entries  for  the
       "other"	service	 are  used. To maintain the authentication requirement
       for  in.rshd,  the  rsh	entry  must  always  be	 configured  with  the
       pam_rhosts_auth.so.1 module.

       in.rshd can authenticate using Kerberos V5 authentication or pam(3PAM).
       For Kerberized rsh service, the appropriate PAM service name is krsh.

FILES
       /etc/hosts.equiv

       $HOME/.k5login	       File containing Kerberos	 principals  that  are
			       allowed access.

       /etc/krb5/krb5.conf     Kerberos configuration file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWrcmds			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       rsh(1),	 svcs(1),  gkadmin(1M),	 inetadm(1M),  inetd(1M),  kadmin(1M),
       svcadm(1M), pam(3PAM),  getnameinfo(3SOCKET),  hosts(4),	 krb5.conf(4),
       pam.conf(4),   attributes(5), environ(5), krb5_auth_rules(5), pam_auth‐
       tok_check(5), pam_authtok_get(5), pam_authtok_store(5),	pam_dhkeys(5),
       pam_passwd_auth(5),	 pam_rhosts_auth(5),	  pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5), smf(5), ip6(7P)

       System Administration Guide: Security Services

DIAGNOSTICS
       The following diagnostic messages are returned on the connection	 asso‐
       ciated  with stderr, after which any network connections are closed. An
       error is indicated by a leading byte with a value of 1 in step 8	 above
       (0  is returned above upon successful completion of all the steps prior
       to the command execution).

       locuser too long

	   The name of the user on the client's	 machine  is  longer  than  16
	   characters.

       remuser too long

	   The	name of the user on the remote machine is longer than 16 char‐
	   acters.

       command too long

	   The command line passed exceeds the size of the argument  list  (as
	   configured into the system).

       Hostname for your address unknown.

	   No  entry  in  the  host  name  database  existed  for the client's
	   machine.

       Login incorrect.

	   No password file entry for the user name existed.

       Permission denied.

	   The authentication procedure described above failed.

       Can't make pipe.

	   The pipe needed for the stderr was not created.

       Try again.

	   A fork by the server failed.

NOTES
       The authentication procedure used here assumes the  integrity  of  each
       client  machine	and the connecting medium. This is insecure, but it is
       useful in an "open" environment.

       A facility to allow all	data  exchanges	 to  be	 encrypted  should  be
       present.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth‐
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

       The in.rshd service is managed  by  the	service	 management  facility,
       smf(5), under the service identifier:

       svc:/network/shell:default

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using  svcadm(1M).	Responsibility
       for  initiating	and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.10			  10 Nov 2005			   in.rshd(1M)
[top]

List of man pages available for SunOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net