remshd(1M)

NAME
remshd - remote shell server
SYNOPSIS
In Kerberos V5 Network Authentication Environments
DESCRIPTION
remshd is the server for the rcp and remsh commands, and for the rcmd
function (rcmd_af on IPv6 systems); see rcp(1), rdist(1), remsh(1),
rcmd(3N), and rcmd_af(3N).
remshd supports two authentication methods:
1. Authentication based on privileged port numbers, where the client's
source port must be in the range 512 through 1023. In this case remshd
assumes it is operating in a normal, non-secure environment.
2. Authentication based on Kerberos V5. In this case remshd assumes that
it is operating in a Kerberos V5 Network Authentication (secure)
environment.
The inetd daemon invokes remshd when a service request is received at
one of the ports indicated by the remote-shell services specified in the
services file (see inetd(1M) and services(4)). Service requests arriving
at the Kerberos service port assume a secure environment and expect
Kerberos authentication to take place.
To start remshd from the inetd daemon in a non-secure environment, the
inetd configuration file must contain an entry as follows:
In a secure environment, the configuration file must contain an entry:
The configuration lines above start remshd in IPv4 mode. To run in IPv6
mode, the following line must be present in the file:
That is, for IPv6 applications the protocol field has to be changed
accordingly. See inetd.conf(4) for more information.
To prevent non-secure access, the entry for the shell service should be
commented out in the inetd configuration file. Any non-Kerberos access is
then denied, since the entry for the port indicated by that service has
been removed or commented out. In such a situation a generic error
message is displayed; see DIAGNOSTICS for details.
Note that commenting out the entry for the shell port also prevents
access by other clients of that port, such as rcp.
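The inetd.conf entries themselves are not preserved on this page. What follows is an added example, not code from HP-UX or from the remshd(1M) page: a small Python parser for the inetd.conf line format (service, socket type, protocol, wait/nowait, user, server program, arguments) that reports which services still hand connections to remshd, so an administrator can confirm that the non-secure shell entry really is commented out, including the tcp6 duplicate that is easy to overlook. The sample configuration is constructed inline; the server path /usr/lbin/remshd and the secure service name kshell in it are assumptions, not values taken from this page.

```python
"""Audit which inetd.conf services still dispatch to remshd.

Added example, not HP-UX code. The inetd.conf line format parsed here is
service, socket type, protocol, wait/nowait, user, server program, args.
Commented-out entries are kept (enabled=False) so the report shows what
was deliberately disabled rather than silently dropping it.
"""
from dataclasses import dataclass, field

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
WAIT_FLAGS = {"wait", "nowait"}


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: list = field(default_factory=list)
    enabled: bool = True
    lineno: int = 0


def parse_inetd_conf(text):
    """Return InetdEntry objects for every entry, active or commented out."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A free-text comment has no socket type / wait flag in fields 2 and 4;
        # that is how it is told apart from a disabled entry.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES or fields[3] not in WAIT_FLAGS:
            continue
        entries.append(InetdEntry(fields[0], fields[1], fields[2], fields[3],
                                  fields[4], fields[5], fields[6:], enabled, lineno))
    return entries


def remshd_exposure(text, server_name="remshd"):
    """Map service name -> True if any live entry for it runs remshd.

    The same service may appear twice (tcp and tcp6, see the IPv6 note above);
    it counts as enabled if either line is active.
    """
    exposure = {}
    for e in parse_inetd_conf(text):
        if e.server.rsplit("/", 1)[-1] == server_name:
            exposure[e.service] = exposure.get(e.service, False) or e.enabled
    return exposure


def nonsecure_remshd_enabled(text):
    """True if the non-secure 'shell' service still reaches remshd."""
    return remshd_exposure(text).get("shell", False)


# Constructed sample configuration (not from any real host). The server path
# /usr/lbin/remshd and the Kerberos service name 'kshell' are assumptions.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream tcp  nowait root /usr/lbin/ftpd   ftpd -l
#shell  stream tcp  nowait root /usr/lbin/remshd remshd
#shell  stream tcp6 nowait root /usr/lbin/remshd remshd
kshell  stream tcp  nowait root /usr/lbin/remshd remshd
"""

if __name__ == "__main__":
    for service, live in sorted(remshd_exposure(SAMPLE_INETD_CONF).items()):
        print(f"{service:8} remshd {'ENABLED' if live else 'disabled'}")
```

Run against the real file with `remshd_exposure(open("/etc/inetd.conf").read())`; a result that still reports shell as enabled means the non-secure path described above is open even if the tcp line was commented out.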
Options
remshd recognizes the following options.
· Forbid authentication based on the user's private equivalence list
(see FILES) unless the user is a superuser.
· Disable transport-level keep-alive messages. Otherwise, the messages
are enabled. Keep-alive messages allow sessions to be timed out if the
client crashes or becomes unreachable.
· With this option enabled, remshd returns immediately after its child
process is killed; it does not wait for all of that child's descendant
processes to die, even when they are still running remotely. As a
result, the remsh client will not appear hung. Users who want to wait
for completion of all the descendant processes should not use this
option; otherwise they may get an unexpected result. This option
applies only to remshd with a secondary socket connection. Note that
even with the option enabled, remshd exits if the command's standard
error is closed.
· This option is used in multi-homed NIS systems. It stops remshd from
doing a reverse lookup of the client's IP address (see
gethostbyname(3N)). It can be used to circumvent an NIS limitation with
multi-homed hosts.
In a secure environment, remshd recognizes the following additional
options:
· Ignore checksum verification. This option is used to achieve
interoperability between clients and servers using different checksum
calculation methods. For example, the checksum calculation in an
application developed with the Kerberos V5 Beta 4 API is different from
the calculation in a Kerberos V5-1.0 application.
· Kerberos only: authorization based on Kerberos V5 must succeed or
access will be rejected (see sis(5) for details on authorization).
· Privileged port only: authentication based on privileged port numbers
and authorization of the remote user through equivalent accounts must
succeed. For more information on equivalent accounts, see
hosts.equiv(4).
· Privileged port first: either one of the following must succeed, and
the authorization checks are done in the order given.
1. Authentication based on privileged port numbers and authorization of
the remote user through equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
· Kerberos first: either one of the following must succeed, and the
authorization checks are done in the order given.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of
the remote user through equivalent accounts.
Note: The option is ignored when used with and the option
is ignored when used with The default option is
Operation
When remshd receives a service request, it responds with the following
protocol:
1. The server checks the client's source port. If the port is not a
privileged port, that is, not in the range 512 through 1023, and remshd
is operating in a non-secure environment, the connection is terminated.
In a secure environment, the action taken depends on the command line
option in force:
· Privileged port only: the source port must be a privileged port,
otherwise the connection is terminated.
· Privileged port first: if the source port is not a privileged port,
then authorization based on Kerberos must succeed or the connection is
terminated.
· Kerberos first: the source port must be a privileged port if Kerberos
authorization fails.
· Kerberos only: no action is taken at this step.
2. The server reads characters from the connection up to a
null byte. It interprets the resulting string as an
ASCII number, base 10.
3. If the number is non-zero, it is interpreted as the port number of a
secondary stream to be used for standard error. A second connection is
then created to the specified port on the client's host. (The source
port of this second connection is also checked as specified in item 1.)
If the first character sent is a null byte, no secondary connection is
made and the command's standard error is sent on the primary stream. If
the secondary connection has been made, remshd interprets bytes it
receives on that socket as signal numbers and passes them to the command
as signals (see signal(2)).
4. The server checks the client's source address and
requests the corresponding host name (see named(1M),
gethostbyaddr(3N), and hosts(4)). If it cannot determine
the hostname, it uses the dot-notation representation of
the host address.
5. In a secure environment, remshd performs authentication based on
Kerberos V5. See sis(5) for details.
6. The server reads the client's host account name from the
first connection. This is a null-terminated sequence not
exceeding 256 characters.
7. The server reads the server's host account name from the
first connection. This is a null-terminated sequence not
exceeding 256 characters.
8. The server reads a command to be passed to the shell from
the first connection. The command length is limited by
the maximum size of the system's argument list.
9. remshd then validates the user as follows (all actions take place on
the host remshd runs on):
a. It looks up the server's host account name (retrieved in step 7) in
the password file. If it finds it, it performs a chdir to the user's
home directory, if there is one, or to "/".
b. If either the lookup or the chdir fails, the connection is terminated
(see chdir(2)).
c. The connection is also terminated if
· the account accessed is administratively locked. The account can be
locked by entering a character in the password field that is not part
of the set of "digits" (such as *). The characters used to represent
digits are `.' for 0, `/' for 1, `0' through `9' for 2 through 11, `A'
through `Z' for 12 through 37, and `a' through `z' for 38 through 63
(see also passwd(4)).
· in a non-secure environment, the account accessed is protected by a
password and either the password has expired or the account on the
client's host is not equivalent to the account accessed.
· in a secure environment, the command line option in force decides
whether the connection is to be terminated:
Kerberos only: if Kerberos authorization does not succeed, the
connection is terminated (see sis(5) for details on authorization).
Privileged port only: if the client's host is not equivalent to the
account accessed, the connection is terminated.
Privileged port first: if the account is not equivalent to the account
accessed, then Kerberos authorization has to succeed or the connection
is terminated.
Kerberos first: if Kerberos authorization fails, then the account has to
be equivalent or the connection is terminated. For more information on
equivalent accounts, see hosts.equiv(4).
10. A null byte is returned on the primary connection and the command
line is passed to the normal login shell of the user with that shell's
command-string option. The shell inherits the network connections
established by remshd and assumes the normal user and group permissions
of the user. remshd uses the following path when executing the specified
command:
11. If a secondary socket has been set up, remshd normally exits when the
command's standard error and the secondary socket's standard error have
both been closed. If no secondary socket was set up, remshd has replaced
itself with the command process by calling an exec-type function and is
no longer present.
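As an added example (not HP-UX code and not from this page), the request handling of steps 1 through 10 above modelled in Python on a byte string rather than a live socket. The equivalence lookup (hosts.equiv and the private equivalence list) and Kerberos authorization are supplied as already-computed booleans because the page does not describe their internals; password expiry is not modelled; the 20480-byte argument-list limit, the error message texts, and the descriptive names used for the four secure-environment options are the example's own. What it does take from the page is the privileged port range, the NUL-terminated field order, the 256-character name limits, the crypt digit alphabet used to detect a locked account, and the leading byte 1 on error / 0 on success described under DIAGNOSTICS.

```python
"""Model of remshd request handling (Operation steps 1-10).

Added example, not HP-UX code. Works on a byte string instead of a socket.
Assumptions: ARG_MAX is an arbitrary local limit; error texts are this
example's own; the equivalence lookup and Kerberos authorization results
are passed in as booleans; password expiry is not modelled.
"""
PRIV_PORTS = range(512, 1024)      # step 1: privileged client source ports
MAX_NAME = 256                     # steps 6 and 7: account name limit
ARG_MAX = 20480                    # step 8: assumed argument-list limit
# Step 9c: the 64 characters a valid crypt password field may contain.
# Any other character (such as '*') marks the account administratively locked.
CRYPT_DIGITS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Descriptive names for the four secure-environment options (not the real flags).
POLICIES = ("kerberos-only", "privileged-port-only",
            "privileged-port-then-kerberos", "kerberos-then-privileged-port")


class RemshError(Exception):
    """Carries the record written to the stderr stream: leading byte 1, then text."""
    def __init__(self, msg):
        super().__init__(msg)
        self.wire = b"\x01" + msg.encode("ascii") + b"\n"


def read_field(buf, pos, limit=None, what="field"):
    """Read one NUL-terminated field; return (text, position after the NUL)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise RemshError("truncated request: no terminator for " + what)
    if limit is not None and end - pos > limit:
        raise RemshError("%s is longer than %d characters" % (what, limit))
    return buf[pos:end].decode("ascii"), end + 1


def parse_request(buf):
    """Steps 2 and 6-8: stderr port number, client user, server user, command."""
    port_str, pos = read_field(buf, 0, what="secondary port")
    if port_str and not port_str.isdigit():
        raise RemshError("secondary port is not a base-10 number")
    stderr_port = int(port_str) if port_str else 0   # leading NUL: no stderr socket
    client_user, pos = read_field(buf, pos, MAX_NAME, "client user name")
    server_user, pos = read_field(buf, pos, MAX_NAME, "server user name")
    command, pos = read_field(buf, pos, ARG_MAX, "command line")
    return {"stderr_port": stderr_port, "client_user": client_user,
            "server_user": server_user, "command": command}


def source_port_ok(client_port, secure, policy, kerberos_ok):
    """Step 1: non-secure requires a privileged port; secure depends on the option."""
    priv = client_port in PRIV_PORTS
    if not secure:
        return priv
    return {"kerberos-only": True,                 # no action at this step
            "privileged-port-only": priv,
            "privileged-port-then-kerberos": priv or kerberos_ok,
            "kerberos-then-privileged-port": kerberos_ok or priv}[policy]


def account_locked(passwd_field):
    """Step 9c: any non-digit character in the password field locks the account."""
    return any(c not in CRYPT_DIGITS for c in passwd_field)


def access_ok(passwd_field, equivalent, secure, policy, kerberos_ok):
    """Step 9c: locked accounts always fail; then the environment decides."""
    if account_locked(passwd_field):
        return False
    if not secure:
        # 'protected by a password' means a non-empty field; expiry not modelled
        return not passwd_field or equivalent
    return {"kerberos-only": kerberos_ok,
            "privileged-port-only": equivalent,
            "privileged-port-then-kerberos": equivalent or kerberos_ok,
            "kerberos-then-privileged-port": kerberos_ok or equivalent}[policy]


def handle(buf, client_port, passwd_db, equivalent, secure=False,
           policy="kerberos-only", kerberos_ok=False):
    """Return (bytes sent back, parsed request or None on rejection)."""
    if policy not in POLICIES:
        raise ValueError("unknown policy " + policy)
    try:
        if not source_port_ok(client_port, secure, policy, kerberos_ok):
            raise RemshError("connection does not use a reserved port")
        req = parse_request(buf)
        if req["server_user"] not in passwd_db:          # step 9a/9b lookup
            raise RemshError("no password file entry for " + req["server_user"])
        if not access_ok(passwd_db[req["server_user"]], equivalent,
                         secure, policy, kerberos_ok):
            raise RemshError("permission denied")
    except RemshError as err:
        return err.wire, None
    return b"\x00", req          # step 10: null byte, then the command is run


# Constructed sample input (not a real capture): stderr socket on client port
# 1023, client user alice asking for server account alice, one command.
SAMPLE_REQUEST = b"1023\x00alice\x00alice\x00ls -l /tmp\x00"
SAMPLE_PASSWD = {"alice": "abJnggxhB/yWI", "svc": "*"}   # constructed fields
```

The same request is accepted from source port 1022 with an equivalent account and refused from port 40000 in a non-secure environment; in a secure environment under the Kerberos-only option the port no longer matters and a successful Kerberos authorization alone admits it, which is exactly the difference the WARNINGS section is pointing at when it calls the privileged-port methods insecure.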
SECURITY FEATURES
For detailed information on all the configuration parameters that
affect remshd, see security(4). remshd supports the following
configuration parameters in the security configuration file:
·
·
DIAGNOSTICS
All diagnostic messages are returned on the connection associated with
standard error, after which any network connections are closed. An
error is indicated by a leading byte with a value of 1 (0 is returned
in step 10 above upon successful completion of all the steps before the
command execution).
· The first socket connection does not use a reserved port, or the
client's host address is not an Internet address.
· Unable to complete the connection of the secondary socket used for
error communication.
· The secondary socket connection does not use a reserved port.
· The name of the user account on the client's host is longer than 256
characters.
· The name of the user on the server's host is longer than 256
characters.
· The command line passed exceeds the size of the argument list (as
configured into the system).
· No password file entry existed for the user name on the server's
host, or the validation procedure described above in step 9 failed.
· The chdir to the home directory or "/" on the server's host failed.
· The pipe needed for the standard error output wasn't created.
· The server was unable to fork a process to handle the incoming
connection. Wait a period of time and try again. If this message
persists, the server's host may have runaway processes that are using
all the entries in the process table.
· Error in executing the named system call. The message specifies the
cause of the failure.
· The user's login shell could not be started. This message is returned
on the connection associated with standard error and is not preceded by
a leading byte with a value of 1. Other messages can be returned by the
remote command when it executes.
· A generic message that could be due to a number of reasons. One of
them is that the entry for the shell service is not present in the
inetd configuration file; this entry may have been removed or commented
out to prevent non-secure access.
Kerberos specific errors are listed in sis(5).
WARNINGS
The integrity of each host and the connecting medium is assumed if the
"privileged port" authentication procedure is used in a non-secure
environment, or if the command line options that accept privileged-port
authentication are used in a secure environment. Although both these
methods provide insecure access, they are useful in an "open"
environment.
Note that all information, including any passwords, is passed
unencrypted between the two hosts when remshd is invoked in a
non-secure environment.
remshd ignores certain signals, so those signal numbers can safely be
sent to remote commands via the secondary socket provided by remshd.
Other signal numbers may cause remshd to kill itself.
AUTHOR
remshd was developed by the University of California, Berkeley.
FILES
User's private equivalence list
List of equivalent hosts
SEE ALSO
rcp(1), rdist(1), remsh(1), inetd(1M), named(1M), chdir(2), signal(2),
gethostbyaddr(3N), gethostbyname(3N), rcmd(3N), rcmd_af(3N), hosts(4),
hosts.equiv(4), inetd.conf(4), inetd.sec(4), passwd(4), security(4),
services(4), sis(5).