 remshd(1M)                                                       remshd(1M)




 NAME
      remshd - remote shell server

 SYNOPSIS
      /usr/lbin/remshd [-lmns]

    In Kerberos V5 Network Authentication Environments
      /usr/lbin/remshd [-clmnKkRr]

 DESCRIPTION
      The remshd command is the server for the rcp, rdist and remsh
      commands and for the rcmd() function, or rcmd_af() on IPv6 systems
      (see rcp(1), rdist(1), remsh(1), rcmd(3N), and rcmd_af(3N)).

      remshd supports two authentication methods:

           1.   Authentication based on privileged port numbers, where the
                client's source port must be in the range 512 through 1023.
                In this case remshd assumes it is operating in a normal,
                non-secure environment.

           2.   Authentication based on Kerberos V5.  In this case remshd
                assumes it is operating in a Kerberos V5 Network
                Authentication (secure) environment.

      The inetd daemon invokes remshd if a service request is received at
      ports indicated by shell or kshell services specified in /etc/services
      (see inetd(1M) and services(4)).  Service requests arriving at the
      kshell port assume a secure environment and expect Kerberos
      authentication to take place.

      To start remshd from the inetd daemon in a non-secure environment, the
      configuration file /etc/inetd.conf must contain an entry as follows:

           shell  stream  tcp  nowait  root  /usr/lbin/remshd  remshd

      In a secure environment, /etc/inetd.conf must contain an entry:

           kshell  stream  tcp  nowait  root  /usr/lbin/remshd  remshd -K

      The above configuration line will start remshd in IPv4 mode.  To run
      remshd in IPv6 mode, the following line must be present in the
      /etc/inetd.conf file:

           shell  stream  tcp6 nowait  root  /usr/lbin/remshd  remshd

           Note: For IPv6 applications, the protocol tcp has to be changed
           to tcp6.  See the inetd.conf(4) manpage for more information.

 Hewlett-Packard Company            - 1 -      HP-UX 11i Version 2: Sep 2004

      To prevent non-secure access, the entry for shell should be commented
      out in /etc/inetd.conf.  Any non-Kerberos access will be denied since
      the entry for the port indicated by shell has now been removed or
      commented out.  In such a situation, a generic error message,

           rcmd: connect hostname: Connection refused

      is displayed.  See DIAGNOSTICS for more details.

           Note: By commenting out the entry for the port, access by other
           clients such as rdist will also be prevented.
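      The following is an added example (Python, not HP-UX code) that audits
      an inetd.conf for the remshd entries discussed above: an active shell
      entry means non-secure, privileged-port access; a kshell entry started
      with -r, -R or -k does not strictly require Kerberos; -c disables the
      checksum check; and a shell entry without -l honours users' .rhosts
      files.  The two configuration texts are constructed samples, and the
      issue labels are the example's own.

```python
"""Audit the remshd entries in an inetd.conf as the man page describes them.
Added example, not HP-UX code; both configuration texts are constructed."""

SAMPLE_INETD_CONF = """\
# constructed sample: non-secure shell active on IPv4 and IPv6, kshell with -r
shell   stream  tcp   nowait  root  /usr/lbin/remshd  remshd
shell   stream  tcp6  nowait  root  /usr/lbin/remshd  remshd
kshell  stream  tcp   nowait  root  /usr/lbin/remshd  remshd -r
"""

HARDENED_INETD_CONF = """\
# constructed sample: shell commented out, kshell requires Kerberos (-K, the default)
#shell  stream  tcp   nowait  root  /usr/lbin/remshd  remshd
kshell  stream  tcp   nowait  root  /usr/lbin/remshd  remshd -K
"""

FALLBACK_FLAGS = {"-r", "-R", "-k"}   # accept or require privileged-port + hosts.equiv checks


def parse_inetd_conf(text):
    """Yield (service, protocol, server_path, server_args) for each active entry.

    Commented-out lines are skipped, which is how the page says the shell
    service is disabled.  Fields: service type proto wait user path args...
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        service, _, proto, _, _, path, *args = fields
        yield service, proto, path, args


def audit(text):
    """Return (service, protocol, issue) triples for every remshd entry found."""
    issues = []
    for service, proto, path, args in parse_inetd_conf(text):
        if not path.endswith("/remshd"):
            continue
        opts = set(args[1:])                       # args[0] is argv[0], "remshd"
        if service == "shell":
            # Privileged-port trust only; everything, passwords included, is cleartext.
            issues.append((service, proto, "nonsecure-shell"))
            if "-l" not in opts:                   # without -l, users' .rhosts files are honoured
                issues.append((service, proto, "rhosts-allowed"))
        elif service == "kshell":
            if opts & FALLBACK_FLAGS:              # -r/-R/-k: Kerberos not strictly required
                issues.append((service, proto, "kerberos-not-required"))
            if "-c" in opts:                       # checksum verification disabled
                issues.append((service, proto, "checksum-ignored"))
    return issues


if __name__ == "__main__":
    for entry in audit(SAMPLE_INETD_CONF):
        print("%-7s %-5s %s" % entry)
    print("hardened:", audit(HARDENED_INETD_CONF))
```

      Run against a real file with audit(open("/etc/inetd.conf").read()).
      Note that the tcp6 entry is audited separately from the tcp entry:
      commenting out only one of them leaves non-secure access open on the
      other address family.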

    Options
      remshd recognizes the following options.

           -l   This option can be used to forbid authentication based on
                the user's .rhosts file unless the user is a superuser.

           -n   This option can be used to disable transport-level keepalive
                messages.  Otherwise, the messages are enabled.  The
                keep-alive messages allow sessions to be timed out if the
                client crashes or becomes unreachable.

           -m   With this option enabled, remshd returns immediately after
                its child process exits; it does not wait for all of that
                child's descendant processes to exit.  As a result, remsh
                does not wait either, even when those descendants are still
                running on the remote host, so remsh will not appear hung.
                Do not use -m if remshd is expected to wait until all
                descendant processes have completed; otherwise the user may
                not get the expected result.  This option applies only to
                remsh with a secondary socket connection.

           -s   This option is used on multi-homed NIS systems.  It prevents
                remshd from doing a reverse lookup of the client's IP
                address (see gethostbyaddr(3N)), which circumvents an NIS
                limitation with multi-homed hosts.

      In a secure environment, remshd will recognize the following
      additional options:

           -c   Ignore checksum verification.  This option is used to
                achieve interoperability between clients and servers using
                different checksum calculation methods.  For example, the
                checksum calculation in an application developed with the
                Kerberos V5 Beta 4 API is different from the calculation in
                a Kerberos V5-1.0 application.

           -K   Authorization based on Kerberos V5 must succeed or access
                will be rejected (see sis(5) for details on authorization).


           -R   Authentication based on privileged port numbers and
                authorization of the remote user through equivalent accounts
                must succeed.  For more information on equivalent accounts,
                see hosts.equiv(4).

           -r   Either one of the following must succeed.  The order in
                which the authorization checks are done is as specified
                below.

                1.   Authentication based on privileged port numbers and
                     authorization of the remote user through equivalent
                     accounts (see hosts.equiv(4)).

                2.   Authorization based on Kerberos V5.

           -k   Either one of the following must succeed.  The order in
                which the authorization checks are done is as specified
                below.

                1.   Authorization based on Kerberos V5.

                2.   Authentication based on privileged port numbers and
                     authorization of the remote user through equivalent
                     accounts.

                Note: The -k option is ignored when used with -K, and the -r
                option is ignored when used with -R.  The default option is
                -K.

    Operation
      When remshd receives a service request, it responds with the following
      protocol:

           1.   The server checks the client's source port.  If the port is
                not a privileged port (one in the range 512 through 1023)
                and remshd is operating in a non-secure environment, the
                connection is terminated.  In a secure environment, the
                action taken depends on the command line options:

                -R   The source port must be a privileged port otherwise the
                     connection is terminated.

                -r   If the source port is not a privileged port then
                     authorization based on Kerberos must succeed or the
                     connection is terminated.

                -k   The source port must be a privileged port if Kerberos
                     authorization fails.

                -K   No action is taken.


           2.   The server reads characters from the connection up to a null
                (\0) byte.  It interprets the resulting string as an ASCII
                number, base 10.

           3.   If the number is non-zero, it is interpreted as the port
                number of a secondary stream to be used for standard error.
                A second connection is then created to the specified port on
                the client's host.  (The source port of this second
                connection will also be checked as specified in item 1.) If
                the first character sent is a null (\0), no secondary
                connection is made, and the standard error from the command
                is sent to the primary stream.  If the secondary connection
                has been made, remshd interprets bytes it receives on that
                socket as signal numbers and passes them to the command as
                signals.  See signal(2).

           4.   The server checks the client's source address and requests
                the corresponding host name (see named(1M),
                gethostbyaddr(3N), and hosts(4)).  If it cannot determine
                the hostname, it uses the dot-notation representation of the
                host address.

           5.   In a secure environment, remshd performs authentication
                based on Kerberos V5.  See sis(5) for details.

           6.   The server reads the client's host account name from the
                first connection.  This is a null-terminated sequence not
                exceeding 16 characters.

           7.   The server reads the server's host account name from the
                first connection.  This is a null-terminated sequence not
                exceeding 16 characters.

           8.   The server reads a command to be passed to the shell from
                the first connection.  The command length is limited by the
                maximum size of the system's argument list.

           9.   remshd then validates the user as follows (all actions take
                place on the host remshd runs on):

                a.   It looks up the user account name (retrieved in step 6)
                     in the password file.  If it finds it, it performs a
                     chdir() to either the user's home directory, if there
                     is one, or to "/."

                b.   If either the lookup or chdir() fails, the connection
                     is terminated (see chdir(2)).

                c.   The connection is also terminated if

                     +    the account accessed is administratively locked.
                          The account can be locked by entering a character
                          in the password field that is not part of the set
                          of "digits" (such as *).  The characters used to
                          represent digits are `.' for 0, `/' for 1, `0'
                          through `9' for 2 through 11, `A' through `Z' for
                          12 through 37, and `a' through `z' for 38 through
                          63 (see also passwd(4)).

                     +    in a non-secure environment, the account accessed
                          is protected by a password and either the
                          password has expired or the account on the
                          client's host is not equivalent to the account
                          accessed.

                     +    in a secure environment, the command line options
                          decide whether connection is to be terminated.

                          -K   if Kerberos authorization does not succeed
                               the connection is terminated (see sis(5) for
                               details on authorization).

                          -R   if the client's host is not equivalent to the
                               account accessed, the connection is
                               terminated.

                          -r   if the account is not equivalent to the
                               account accessed, then Kerberos authorization
                               has to succeed or the connection is
                               terminated.

                          -k   if Kerberos authorization fails, then the
                               account has to be equivalent or the
                               connection is terminated.  For more
                               information on equivalent accounts, see
                               hosts.equiv(4).

           10.  A null byte is returned on the primary connection and the
                command line is passed to the normal login shell of the user
                with that shell's -c option.  The shell inherits the network
                connections established by remshd and assumes the normal
                user and group permissions of the user.

                remshd uses the following path when executing the specified
                command:

           /usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/contrib/bin:/usr/local/bin

           11.  If a secondary socket has been set up, remshd normally exits
                when command standard error and secondary socket standard
                error have both been closed.  If no secondary socket was set
                up, remshd has called an exec(2) function, launched the
                command process, and is no longer present.
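      The following is an added example (Python, not HP-UX code) that ties
      together the option semantics from the Options section, the
      privileged-port and authorization decisions of steps 1 and 9, the
      NUL-terminated field parsing of steps 2 through 8, and the leading-byte
      error framing described under DIAGNOSTICS.  It runs over a socketpair,
      so the client's host name, source port and Kerberos result are passed in
      as parameters rather than derived from the connection; no secondary
      stderr connection is opened; the chdir() to the home directory is
      omitted; the password-file, hosts.equiv and .rhosts tables and the host
      names client.example, trusted.example and other.example are constructed;
      MAX_CMD stands in for the system argument-list limit; and the "Bad
      stderr port" message is the example's own, not one listed on this page.

```python
"""Server-side handling of one remshd request (Options; Operation steps
1-3, 6-10; DIAGNOSTICS framing).  Added example, not HP-UX code."""
import socket

PRIV_PORTS = range(512, 1024)                  # privileged source ports, 512 through 1023
MAX_NAME, MAX_CMD = 16, 4096                   # name limits; MAX_CMD stands in for ARG_MAX
CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz")
PASSWD = {"alice": "ab3F9.sdf/xY2", "svc": "*", "nopw": ""}   # constructed /etc/passwd fields
HOSTS_EQUIV = {"trusted.example"}                            # constructed /etc/hosts.equiv
RHOSTS = {"alice": {("client.example", "alice")}}           # constructed $HOME/.rhosts


def account_locked(pw_field):
    """Step 9c: any character outside the 64-symbol crypt alphabet (e.g. '*') locks it."""
    return any(c not in CRYPT_ALPHABET for c in pw_field)


def equivalent(client_host, locuser, remuser):
    """hosts.equiv grants same-named users from a listed host; .rhosts lists host/user pairs."""
    return (client_host in HOSTS_EQUIV and locuser == remuser) or \
        (client_host, locuser) in RHOSTS.get(remuser, set())


def port_check_ok(mode, priv, krb_ok):
    """Step 1 by mode: 'nonsecure' (shell port) or the kshell option in force."""
    return {"nonsecure": priv, "-R": priv, "-r": priv or krb_ok,
            "-k": krb_ok or priv, "-K": True}[mode]


def authz_ok(mode, pw, equiv, krb_ok):
    """Step 9c by mode: -r and -k accept either method and differ only in check order."""
    return {"nonsecure": not pw or equiv, "-R": equiv, "-K": krb_ok,
            "-r": equiv or krb_ok, "-k": krb_ok or equiv}[mode]


def read_cstring(sock, limit):
    """Read bytes up to a NUL; None if more than `limit` bytes arrive before it."""
    buf = bytearray()
    while True:
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("peer closed before NUL terminator")
        if ch == b"\0":
            return bytes(buf)
        buf += ch
        if len(buf) > limit:
            return None


def fail(sock, msg):
    """DIAGNOSTICS framing: leading byte 1 then the message; remshd then closes."""
    sock.sendall(b"\x01" + msg.encode() + b"\n")
    return {"ok": False, "error": msg}


def serve_request(sock, client_host, client_port, mode="nonsecure", krb_ok=False):
    if not port_check_ok(mode, client_port in PRIV_PORTS, krb_ok):
        return fail(sock, "Malformed from address")
    port_str = read_cstring(sock, 5)                    # steps 2-3: ASCII decimal stderr port
    if port_str is None or (port_str and not port_str.isdigit()):
        return fail(sock, "Bad stderr port")            # example-only message, not from the page
    stderr_port = int(port_str or b"0")                 # a bare NUL means no secondary stream
    fields = []
    for limit, msg in ((MAX_NAME, "Locuser too long"), (MAX_NAME, "Remuser too long"),
                       (MAX_CMD, "Command too long")):  # steps 6-8
        value = read_cstring(sock, limit)
        if value is None:
            return fail(sock, msg)
        fields.append(value.decode())
    locuser, remuser, command = fields
    pw = PASSWD.get(remuser)                            # step 9a/9c; chdir() to $HOME omitted
    if pw is None or account_locked(pw) or \
            not authz_ok(mode, pw, equivalent(client_host, locuser, remuser), krb_ok):
        return fail(sock, "Login incorrect")
    sock.sendall(b"\0")                                 # step 10: success; the shell would exec now
    return {"ok": True, "stderr_port": stderr_port, "locuser": locuser,
            "remuser": remuser, "command": command}


def encode_request(stderr_port, locuser, remuser, command):
    """Client side, as rcmd() sends it: four NUL-terminated fields."""
    port = b"" if stderr_port == 0 else str(stderr_port).encode()
    return b"\0".join([port, locuser.encode(), remuser.encode(), command.encode(), b""])


def run_exchange(request, client_host, client_port, mode="nonsecure", krb_ok=False):
    """Drive one request through a socketpair; returns (server result, client reply bytes)."""
    client, server = socket.socketpair()
    client.sendall(request)
    result = serve_request(server, client_host, client_port, mode, krb_ok)
    reply = client.recv(256)                            # b"\0" or b"\x01<message>\n"
    client.close()
    server.close()
    return result, reply


if __name__ == "__main__":
    print(run_exchange(encode_request(0, "alice", "alice", "id"), "client.example", 1022))
    print(run_exchange(encode_request(0, "alice", "alice", "id"), "client.example", 40000))
```

      Two points the code makes visible: in the non-secure path the only
      thing binding the request to a particular client is that its source
      port lies in 512 through 1023, which any root user on any host can
      arrange, and step 9c applies the equivalence check only to accounts
      that are protected by a password, so an account whose password field
      is empty (the constructed "nopw" entry) is accepted from any host that
      clears the port check.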

 SECURITY FEATURES
      For detailed information on all the configuration parameters that
      affect remshd, refer to the security(4) man page.  remshd supports the
      following configuration parameters in the /etc/default/security file:

           +    NOLOGIN
           +    UMASK

 DIAGNOSTICS
      All diagnostic messages are returned on the connection associated with
      standard error, after which any network connections are closed.  An
      error is indicated by a leading byte with a value of 1 (0 is returned
      in step 10 above upon successful completion of all the steps before the
      command execution).

      Malformed from address

           The first socket connection does not use a reserved port or the
           client's host address is not an Internet address.

      Can't get stderr port

           Unable to complete the connection of the secondary socket used
           for error communication.

      Second port not reserved

           The secondary socket connection does not use a reserved port.

      Locuser too long

           The name of the user account on the client's host is longer than
           16 characters.

      Remuser too long

           The name of the user on the server's host is longer than 16
           characters.

      Command too long

           The command line passed exceeds the size of the argument list (as
           configured into the system).

      Login incorrect

           No password file entry existed for the user name on the server's
           host, or the validation procedure described above in step 9
           failed.

      No remote directory

           The chdir command to the home directory or "/" on the server's
           host failed.

      Can't make pipe

           The pipe needed for the standard error output wasn't created.

      No more processes    [Toc]    [Back]

           The server was unable to fork a process to handle the incoming
           connection.

           Next step: Wait a period of time and try again.  If this message
           persists, the server's host may have runaway processes that are
           using all the entries in the process table.

      system call: message

           Error in executing the named system call.  The message specifies
           the cause of the failure.

      shellname: ...

           The user's login shell could not be started.  This message is
           returned on the connection associated with the standard error,
           and is not preceded by a leading byte with a value of 1.  Other
           messages can be returned by the remote command when it executes.

      rcmd: connect : <hostname>: Connection refused.
           This generic message could be due to a number of reasons. One of
           the reasons could be because the entry for shell service is not
           present in /etc/inetd.conf.  This entry may have been removed or
           commented out to prevent non-secure access.

      Kerberos specific errors are listed in sis(5).

 WARNINGS
      The integrity of each host and of the connecting medium is assumed if
      the "privileged port" authentication procedure is used in a non-secure
      environment or if the command line options -R or -r are used in a
      secure environment.  Although both of these methods provide insecure
      access, they are useful in an "open" environment.

      Note that all information, including any passwords, is passed
      unencrypted between the two hosts when remshd is invoked in a
      non-secure environment.

      remshd ignores SIGHUP, SIGINT, SIGQUIT, and SIGTERM, so these signal
      numbers can safely be sent to remote commands via the secondary socket
      provided by remshd.  Other signal numbers may cause remshd to kill
      itself.

 AUTHOR
      remshd was developed by the University of California, Berkeley.

 FILES
      $HOME/.rhosts                 User's private equivalence list
      /etc/hosts.equiv              List of equivalent hosts

 SEE ALSO
      remsh(1), inetd(1M), named(1M), rcmd(3N), rcmd_af(3N), hosts(4),
      hosts.equiv(4), inetd.conf(4), inetd.sec(4), security(4), services(4),
      sis(5).