Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
in.rshd(1M)		System Administration Commands		   in.rshd(1M)

       in.rshd,	rshd - remote shell server

       in.rshd	[-k5eciU]  [-s	tos]  [-S  keytab]  [-M	 realm]	 [-L  env_var]

       in.rshd is the server for the rsh(1) program. The server	 provides  re-
       mote  execution	facilities with	authentication based on	Kerberos V5 or
       privileged port numbers.

       in.rshd is invoked by inetd(1M) each time a shell service is requested.

       When Kerberos V5	authentication is required (this can be	set with  Ker-
       beros-specific  options listed below), the following protocol is	initi-

       1.  Check Kerberos V5 authentication.

       2.  Check authorization according to rules in krb5_auth_rules(5).

       3.  A null byte is returned on the initial socket and the command  line
	   is passed to	the normal login shell of the user. (The PATH variable
	   is set to /usr/bin.)	The shell inherits the network connections es-
	   tablished by	in.rshd.

       If Kerberos V5 authentication is	not enabled, then in.rshd executes the
       following protocol:

       1.  The server checks the client's source port. If the port is  not  in
	   the range 512-1023, the server aborts the connection.  The client's
	   host	address	(in hex) and port number (in decimal)  are  the	 argu-
	   ments passed	to in.rshd.

       2.  The	server reads characters	from the socket	up to a	null ( ) byte.
	   The resultant string	is interpreted as an ASCII number, base	10.

       3.  If the number received in step 2 is non-zero, it is interpreted  as
	   the	port number of a secondary stream to be	used for the stderr. A
	   second connection is	then created to	 the  specified	 port  on  the
	   client's machine. The source	port of	this second connection is also
	   in the range	512-1023.

       4.  A null-terminated user name of at most 16 characters	 is  retrieved
	   on  the  initial  socket. This user name is interpreted as the user
	   identity on the client's machine.

       5.  A null terminated user name of at most 16 characters	 is  retrieved
	   on  the  initial  socket.  This  user name is interpreted as	a user
	   identity to use on the server's machine.

       6.  A null terminated command to	be passed to a shell is	 retrieved  on
	   the	initial	 socket.   The length of the command is	limited	by the
	   upper bound on the size of the system's argument list.

       7.  in.rshd then	validates the user according to	the  following	steps.
	   The	remote user name is looked up in the password file and a chdir
	   is performed	to the user's home directory. If the lookup fails, the
	   connection  is terminated. If the chdir fails, it does a chdir to /
	   (root). If the user is not the superuser, (user ID 0), and  if  the
	   pam_rhosts_auth   PAM  module is configured for authentication, the
	   file	/etc/hosts.equiv is consulted for a list of  hosts  considered
	   "equivalent".  If  the  client's host name is present in this file,
	   the authentication is considered successful.	See the	SECURITY  sec-
	   tion	 below for a discussion	of  PAM	authentication.

	   If  the  lookup  fails, or the user is the superuser, then the file
	   .rhosts in the home directory of the	remote user is checked for the
	   machine  name  and identity of the user on the client's machine. If
	   this	lookup fails, the connection is	terminated

       8.  A null byte is returned on the initial connection and  the  command
	   line	 is  passed  to	 the  normal login shell of the	user. The PATH
	   variable is set to /usr/bin.	 The shell inherits the	 network  con-
	   nections established	by in.rshd.

       The following options are supported:

       -5	       Same as -k, for backwards compatibility

       -c	       Requires	Kerberos V5 clients to present a cryptographic
		       checksum	of initial  connection	information  like  the
		       name  of	 the user that the client is  trying to	access
		       in the initial authenticator.  This  checksum  provides
		       additionl  security  by	preventing  an	attacker  from
		       changing	the initial connection information.  This  op-
		       tion is mutually	exclusive with the -i option.

       -e	       Requires	the client to encrypt the connection.

       -i	       Ignores	authenticator  checksums if provided. This op-
		       tion ignores authenticator checksums presented by  cur-
		       rent  Kerberos  clients	to  protect initial connection
		       information. Option -i is the opposite of option	-c.

       -k	       Allows Kerberos V5 authentication with the .k5login ac-
		       cess control file to be trusted.	If this	authentication
		       system is used by  the  client  and  the	 authorization
		       check is	passed,	then the user is allowed to log	in.

       -L env_var      List of environment variables that need to be saved and
		       passed along.

       -M realm	       Uses the	indicated Kerberos V5 realm. By	 default,  the
		       daemon  will  determine	its realm from the settings in
		       the krb5.conf(4)	file.

       -s tos	       Sets the	IP TOS option.

       -S keytab       Sets    the    KRB5     keytab	  file	   to	  use.
		       The/etc/krb5/krb5.keytab	file is	used by	default.

       -U	       Refuses	connections  that  cannot  be mapped to	a name
		       through the getnameinfo(3SOCKET)	function.

       rshd and	in.rshd	are IPv6-enabled. See ip6(7P). IPv6 is	not  currently
       supported with Kerberos V5 authentication.

       The  Kerberized rshd service runs on port 544 (kshell). The correspond-
       ing FMRI	entry is: :

       svc:/network/shell:kshell (rshd with kerberos (ipv4 only))

       in.rshd uses pam(3PAM) for authentication, account management, and ses-
       sion   management.    The  PAM  configuration  policy,  listed  through
       /etc/pam.conf, specifies	the modules to be used for in.rshd. Here is  a
       partial pam.conf	file with entries for the rsh command using rhosts au-
       thentication, UNIX account management, and session management module.

       rsh	 auth	   required

       rsh	 account   required
       rsh	 session   required
       rsh	 session   required

       rsh	 session   required

       If there	are no entries for the rsh service, then the entries  for  the
       "other"	service	 are  used. To maintain	the authentication requirement
       for  in.rshd,  the  rsh	entry  must  always  be	 configured  with  the module.

       in.rshd can authenticate	using Kerberos V5 authentication or pam(3PAM).
       For Kerberized rsh service, the appropriate PAM service name is "krsh".


       $HOME/.k5login	       File containing Kerberos	 principals  that  are
			       allowed access.

       /etc/krb5/krb5.conf     Kerberos	configuration file.

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWrcmds			   |

       rsh(1),	svcs(1),  inetadm(1M),	inetd(1M), svcadm(1M), pam(3PAM), get-
       nameinfo(3SOCKET), hosts(4), krb5.conf(4), pam.conf(4),	attributes(5),
       environ(5),    krb5_auth_rules(5),    pam_authtok_check(5),   pam_auth-
       tok_get(5),  pam_authtok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5),
       pam_rhosts_auth(5),	  pam_unix_account(5),	     pam_unix_auth(5),
       pam_unix_session(5), smf(5), ip6(7P)

       The following diagnostic	messages are returned on the connection	 asso-
       ciated with  stderr, after which	any network connections	are closed. An
       error is	indicated by a leading byte with a value of 1 in step 8	 above
       (0  is returned above upon successful completion	of all the steps prior
       to the command execution).

       locuser too long

	   The name of the user	on the client's	 machine  is  longer  than  16

       remuser too long

	   The	name of	the user on the	remote machine is longer than 16 char-

       command too long

	   The command line passed exceeds the size of the argument  list  (as
	   configured into the system).

       Hostname	for your address unknown.

	   No  entry  in  the  host name database existed for the client's ma-

       Login incorrect.

	   No password file entry for the user name existed.

       Permission denied.

	   The authentication procedure	described above	failed.

       Can't make pipe.

	   The pipe needed for the stderr was not created.

       Try again.

	   A fork by the server	failed.

       The authentication procedure used here assumes the  integrity  of  each
       client  machine and the connecting medium.  This	is insecure, but it is
       useful in an "open" environment.

       A facility to allow all	data  exchanges	 to  be	 encrypted  should  be

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

       The in.rshd service is managed  by  the	service	 management  facility,
       smf(5), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using  svcadm(1M).	Responsibility
       for  initiating	and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.10			  4 Nov	2004			   in.rshd(1M)


Want to link to this manual page? Use this URL:

home | help