
rshd(8sec)

Kerberized remote shell server

Synopsis

rshd [-aknxL]

Options

-a
Verify the identity of the remote host. This option cannot be used with the -k option.

-k
Allow Kerberos V5 authentication based on the private authorization list maintained in the .k5login file. If this authentication method is used by the client and the authorization check is passed, the user is allowed to log in.

-n
Disable keep-alive messages.

-x
Require the client to encrypt the connection. This option is subject to export control.

-L
All successful accesses are logged to syslogd(8) as auth.info messages.

Description

The rshd server is the server for the rcmd(3) routine and, consequently, for the rsh(8sec) program. The rshd server provides remote execution facilities with authentication based on either privileged port numbers from trusted hosts or on the Kerberos authentication system. rshd is configured by command-line arguments passed by inetd(8). The rshd server is invoked by inetd(8) when inetd receives a connection on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf configuration line for rshd might be as follows:

kshell stream tcp nowait root /opt/dcelocal/etc/rshd rshd -k

To deny non-Kerberos access, comment out the entry for shell in /etc/inetd.conf so that only the kshell entry remains. A client that then requests non-Kerberos access receives the following error message:

rcmd: connect hostname : Connection refused
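The following is an added example, not part of the rshd manual page or the DCE distribution: a small audit that parses inetd.conf text and reports whether the non-Kerberos shell service is still enabled and whether the kshell entry starts rshd with the -k option (and, as recommendations, -x and -L). The configuration text is a constructed sample, and the inetd.conf field layout assumed is the usual one (service, socket type, protocol, wait/nowait, user, program, arguments).

```python
"""Audit inetd.conf for the rshd configuration described above.

Added example, not from the rshd man page. SAMPLE_INETD_CONF is a
constructed file: a host that still offers the non-Kerberos 'shell'
service alongside the Kerberized 'kshell' entry.
"""

SAMPLE_INETD_CONF = """\
# service  socket  proto  wait    user  program                   args
shell      stream  tcp    nowait  root  /usr/sbin/rshd            rshd
kshell     stream  tcp    nowait  root  /opt/dcelocal/etc/rshd    rshd -k
#login     stream  tcp    nowait  root  /usr/sbin/rlogind         rlogind
"""


def parse_inetd_conf(text):
    """Return the active (uncommented) entries keyed by service name."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the service is disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would not start a service for it
        service, socktype, proto, wait, user, program = fields[:6]
        entries[service] = {
            "socktype": socktype, "proto": proto, "wait": wait,
            "user": user, "program": program, "args": fields[6:],
        }
    return entries


def rshd_options(args):
    """Collect single-letter options from an rshd argument list (argv[0] first)."""
    opts = set()
    for arg in args[1:]:
        if arg.startswith("-"):
            opts.update(arg[1:])
    return opts


def audit_rshd(text):
    """Return a list of findings about the shell and kshell entries."""
    entries = parse_inetd_conf(text)
    findings = []
    if "shell" in entries:
        findings.append("shell: non-Kerberos rshd is enabled; comment it out")
    kshell = entries.get("kshell")
    if kshell is None:
        findings.append("kshell: no Kerberized rshd entry")
        return findings
    opts = rshd_options(kshell["args"])
    if "k" not in opts:
        findings.append("kshell: rshd started without -k; .k5login authentication is not enabled")
    if "a" in opts and "k" in opts:
        findings.append("kshell: -a cannot be combined with -k")
    if "x" not in opts:
        findings.append("kshell: -x not set; clients are not required to encrypt")
    if "L" not in opts:
        findings.append("kshell: -L not set; successful accesses are not logged")
    return findings


if __name__ == "__main__":
    for finding in audit_rshd(SAMPLE_INETD_CONF):
        print(finding)
```

Run against the sample above it reports the active shell entry and the missing -x and -L options; an inetd.conf whose only rshd entry is `kshell ... rshd -kxL` produces no findings.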

When rshd receives a service request, it initiates the following protocol:

1. Check authentication.

2. Check authorization via the access-control file .k5login in the user's home directory.

3. Return a null byte on the initial socket and pass the command line to the user's normal login shell. This shell inherits the network connections established by rshd.

If the rsh client requests ticket forwarding, rsh invokes k5dcelogin(8sec) to promote the forwarded Kerberos credentials to DCE credentials. k5dcelogin then invokes the specified command.

Transport-level keepalive messages are enabled unless the -n option is specified. The use of keepalive messages allows sessions to be timed out if the client crashes or becomes unreachable.

Diagnostics

All diagnostic messages are returned on the connection associated with standard error, after which any network connections are closed. An error is indicated by a leading byte with a value of 1 (0 is returned on successful completion of all the steps before the command execution).

Locuser too long.
The name of the user on the client's machine is longer than 16 characters.

Ruser too long.
The name of the user on the remote machine is longer than 16 characters.

Command too long.
The command line passed exceeds the size of the argument list (as configured into the system).

Login incorrect.
No password file entry for the user name existed.

Remote directory.
The chdir command to the home directory failed.

Permission denied.
The authentication procedure described above failed.

Can't make pipe.
The pipe needed for stderr wasn't created.

Can't fork; try again.
A fork by the server failed.

shellname: ...
The user's login shell could not be started. This message is returned on the connection associated with stderr and is not preceded by a flag byte.

Authentication failed: error_message
An error occurred during Kerberos authentication. error_message is a Kerberos-specific error message.
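The following is an added example, not code from the rshd manual page or the DCE sources. It models only the framing the Diagnostics section describes: the length checks that produce the first three messages, the reply encoding (a 0 byte when every step before command execution succeeds, a 1 byte followed by the message and a newline on error), and a client-side decoder for that reply. The sample byte strings are constructed, the 16-character limit is the one stated above, and arg_max stands in for the system's configured argument list size and is an assumed value. The Kerberos authentication exchange itself and the separate stderr connection are not modelled.

```python
"""Frame and decode rshd replies as described under Diagnostics.

Added example, not from the rshd man page or DCE. Only the status-byte
framing is modelled; sample inputs are constructed.
"""

USER_LIMIT = 16  # from the man page: "longer than 16 characters"


def check_request(locuser, ruser, command, arg_max=4096):
    """Apply the length checks listed under Diagnostics, in that order.

    Returns the diagnostic message rshd would send (without the flag byte
    and newline), or None if the fields pass. arg_max is an assumed stand-in
    for the system's configured argument list size.
    """
    if len(locuser) > USER_LIMIT:
        return "Locuser too long."
    if len(ruser) > USER_LIMIT:
        return "Ruser too long."
    if len(command) > arg_max:
        return "Command too long."
    return None


def encode_reply(message=None):
    """Frame a reply: b'\\x00' on success, b'\\x01' + message + b'\\n' on error."""
    if message is None:
        return b"\x00"
    return b"\x01" + message.encode("ascii") + b"\n"


def parse_rshd_reply(data):
    """Decode the bytes a client reads first. Returns (ok, message, remainder).

    ok         True if the leading byte is 0 (the command was started).
    message    the diagnostic text when ok is False, otherwise None.
    remainder  bytes after the status byte, i.e. command output when ok is
               True, or whatever followed the message line otherwise.

    Note: the "shellname: ..." message for a login shell that cannot be
    started arrives on the stderr connection with no flag byte, after the
    0 byte has already been sent, so a client must read that channel too.
    """
    if not data:
        raise ValueError("empty reply: server closed the connection")
    status = data[0]
    if status == 0:
        return True, None, data[1:]
    if status == 1:
        line, _, rest = data[1:].partition(b"\n")
        return False, line.decode("ascii", "replace"), rest
    raise ValueError("unexpected leading byte %#04x" % status)


if __name__ == "__main__":
    # Constructed requests: one valid, one with an over-long remote user name.
    for locuser, ruser, cmd in (("alice", "bob", "id"), ("alice", "b" * 20, "id")):
        reply = encode_reply(check_request(locuser, ruser, cmd))
        print(parse_rshd_reply(reply))
```

The decoder deliberately rejects any leading byte other than 0 or 1 instead of treating it as command output, so a truncated or foreign reply cannot be mistaken for a successfully started command.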

Related Information

rsh(8sec)

k5dcelogin(8sec)

rcmd(3X)