rshd man page

Section 1M - Solaris 10 11/06 Man Pages

System Administration Commands                        in.rshd(1M)



NAME
     in.rshd, rshd - remote shell server

SYNOPSIS
     in.rshd [-k5eciU]  [-s  tos]  [-S  keytab]  [-M  realm]  [-L
     env_var] host.port

DESCRIPTION
     in.rshd is the server for the  rsh(1)  program.  The  server
     provides  remote  execution  facilities  with authentication
     based on Kerberos V5 or privileged port numbers.

     in.rshd is invoked by inetd(1M) each time a shell service is
     requested.

     When Kerberos V5 authentication is required (this can be set
     with  Kerberos-specific options listed below), the following
     protocol is initiated:

     1.  Check Kerberos V5 authentication.


     2.  Check    authorization    according    to    rules    in
         krb5_auth_rules(5).


     3.  A null byte is returned on the initial  socket  and  the
         command  line is passed to the normal login shell of the
         user. (The PATH variable is set to /usr/bin.) The  shell
         inherits the network connections established by in.rshd.


     In order for Kerberos authentication to work, a  host/<FQDN>
     Kerberos  principal  must  exist  for  each  Fully Qualified
     Domain Name associated with  the  in.rshd  server.  Each  of
     these host/<FQDN> principals must have a keytab entry in the
     /etc/krb5/krb5.keytab file on the in.rshd server. An example
     principal might be:

          host/bigmachine.eng.example.com


     See kadmin(1M) or gkadmin(1M) for instructions on  adding  a
     principal  to  a krb5.keytab file. See System Administration
     Guide:  Security  Services  for  a  discussion  of  Kerberos
     authentication.

     If Kerberos V5 authentication is not enabled,  then  in.rshd
     executes the following protocol:

     1.  The server checks the client's source port. If the  port
         is  not  in  the  range  512-1023, the server aborts the
         connection. The client's host address (in hex) and  port
         number (in decimal) are the arguments passed to in.rshd.


     2.  The server reads characters from the socket up to a null
         (\0) byte.  The  resultant  string  is interpreted as an
         ASCII number, base 10.


     3.  If the number received in step  2  is  non-zero,  it  is
         interpreted  as the port number of a secondary stream to
         be used for the stderr.  A  second  connection  is  then
         created  to  the specified port on the client's machine.
         The source port of this second connection is also in the
         range 512-1023.


     4.  A null-terminated user name of at most 16 characters  is
         retrieved  on  the  initial  socket.  This  user name is
         interpreted  as  the  user  identity  on  the   client's
         machine.


     5.  A null terminated user name of at most 16 characters  is
         retrieved  on  the  initial  socket.  This  user name is
         interpreted as a user identity to use  on  the  server's
         machine.


     6.  A null terminated command to be passed  to  a  shell  is
         retrieved  on the initial socket. The length of the com-
         mand is limited by the upper bound on the  size  of  the
         system's argument list.


     7.  in.rshd then validates the user according to the follow-
         ing steps. The remote user name (the server-side identity
         received in step 5) is looked up in the password file and
         a chdir is performed to the user's home directory. If the
         lookup fails, the connection is terminated. If the  chdir
         fails,  it does a chdir to / (root). If the user is not
         the superuser (user ID 0), and if the pam_rhosts_auth PAM
         module is configured for authentication, the file
         /etc/hosts.equiv is consulted for a list of hosts
         considered "equivalent". If the client's host name is
         present in this file, the authentication is considered
         successful. See the SECURITY section below for a
         discussion of PAM authentication.

         If the hosts.equiv check fails, or the user is the
         superuser, then the file .rhosts in the home directory of
         the remote user is checked for the machine name and the
         identity of the user on the client's machine. If this
         lookup fails, the connection is terminated.


     8.  A null byte is returned on the  initial  connection  and
         the  command line is passed to the normal login shell of
         the user. The PATH variable  is  set  to  /usr/bin.  The
         shell  inherits  the  network connections established by
         in.rshd.
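     The clear-text exchange in steps 1 through 8, and the status
     byte and diagnostic strings described under DIAGNOSTICS below,
     are easy to get wrong when writing a scanner, a honeypot or an
     IDS signature for this service. The following Python is an
     added example, not Solaris code: it builds the request stream
     exactly as the steps above describe it (decimal stderr port,
     locuser, remuser, command, each null-terminated) and parses it
     with the same checks in.rshd applies. MAX_CMD_LEN is an
     assumed stand-in for the system's argument-list bound, which
     the page does not give a value for.

```python
"""Build and parse the clear-text in.rshd request (steps 1-6) and the
status byte / diagnostic reply (step 8 and DIAGNOSTICS). Added example."""
from dataclasses import dataclass
from typing import Tuple

PRIV_PORT_RANGE = range(512, 1024)  # only source ports 512-1023 are accepted (step 1)
MAX_USER_LEN = 16                   # locuser and remuser limit from steps 4 and 5
MAX_CMD_LEN = 4096                  # ASSUMED stand-in for the system argument-list bound (step 6)


@dataclass
class RshRequest:
    stderr_port: int  # 0 means no secondary stderr connection (step 3)
    locuser: str      # identity the CLIENT claims to have; nothing verifies it
    remuser: str      # identity requested on the server
    command: str


class RshProtocolError(Exception):
    """Carries the diagnostic text in.rshd sends after a status byte of 1."""


def _read_cstring(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the null-terminated field starting at pos and the position after its \\0."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise RshProtocolError("truncated request")
    return buf[pos:end], end + 1


def build_rsh_request(stderr_port: int, locuser: str, remuser: str, command: str) -> bytes:
    """Client side: four null-terminated fields in the order the server reads them."""
    fields = [str(stderr_port).encode("ascii"), locuser.encode("ascii"),
              remuser.encode("ascii"), command.encode("ascii")]
    return b"\0".join(fields) + b"\0"


def parse_rsh_request(src_port: int, data: bytes) -> RshRequest:
    """Server side: apply the checks of steps 1-6 or raise the matching diagnostic."""
    if src_port not in PRIV_PORT_RANGE:                      # step 1
        raise RshProtocolError("source port not in 512-1023")
    raw_port, pos = _read_cstring(data, 0)                   # step 2: ASCII base-10 number
    if raw_port and not raw_port.isdigit():
        raise RshProtocolError("bad stderr port")
    stderr_port = int(raw_port or b"0")                      # step 3: non-zero -> second connection
    locuser, pos = _read_cstring(data, pos)                  # step 4
    if len(locuser) > MAX_USER_LEN:
        raise RshProtocolError("locuser too long")
    remuser, pos = _read_cstring(data, pos)                  # step 5
    if len(remuser) > MAX_USER_LEN:
        raise RshProtocolError("remuser too long")
    command, pos = _read_cstring(data, pos)                  # step 6
    if len(command) > MAX_CMD_LEN:
        raise RshProtocolError("command too long")
    return RshRequest(stderr_port, locuser.decode("ascii"),
                      remuser.decode("ascii"), command.decode("ascii"))


def server_response(src_port: int, data: bytes) -> bytes:
    """Status byte as in step 8 / DIAGNOSTICS: \\0 on success, \\1 plus the message on error."""
    try:
        parse_rsh_request(src_port, data)
    except RshProtocolError as err:
        return b"\1" + str(err).encode("ascii") + b"\n"
    return b"\0"


if __name__ == "__main__":
    # Constructed sample: a client on privileged port 1023 asking for a stderr channel on 1022.
    wire = build_rsh_request(1022, "alice", "alice", "uname -a")
    print(parse_rsh_request(1023, wire))
    print(server_response(40000, wire))                              # unprivileged source port
    print(server_response(1023, build_rsh_request(0, "a" * 17, "alice", "id")))  # locuser too long
```

     Note that nothing in the parser can tell a legitimate locuser
     from one typed in by an attacker who controls a host with a
     privileged port; that is the trust assumption NOTES below
     warns about.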


OPTIONS
     The following options are supported:

     -5              Same as -k, for backwards compatibility.



     -c              Requires Kerberos V5 clients  to  present  a
                     cryptographic checksum of initial connection
                     information, such as the name of the user that
                     the client is trying to access, in the initial
                     authenticator. This checksum provides
                     additional security by preventing an attacker
                     from changing the initial connection
                     information. This option is mutually exclusive
                     with the -i option.



     -e              Requires the client to encrypt  the  connec-
                     tion.



     -i              Ignores authenticator checksums if provided.
                     This  option ignores authenticator checksums
                     presented by  current  Kerberos  clients  to
                     protect   initial   connection  information.
                     Option -i is the opposite of option -c.



     -k              Allows Kerberos V5 authentication  with  the
                     .k5login  access control file to be trusted.
                     If this authentication system is used by the
                     client   and   the  authorization  check  is
                     passed, then the user is allowed to log in.



     -L env_var      List of environment variables that  need  to
                     be saved and passed along.

     -M realm        Uses the indicated  Kerberos  V5  realm.  By
                     default, the daemon will determine its realm
                     from the settings in the krb5.conf(4) file.



     -s tos          Sets the IP TOS option.



     -S keytab       Sets  the   KRB5   keytab   file   to   use.
                     The /etc/krb5/krb5.keytab file  is  used  by
                     default.



     -U              Refuses connections that cannot be mapped to
                     a   name  through  the  getnameinfo(3SOCKET)
                     function.



USAGE
     rshd and in.rshd are IPv6-enabled. See ip6(7P). IPv6 is  not
     currently supported with Kerberos V5 authentication.

     The Kerberized rshd service runs on port 544  (kshell).  The
     corresponding FMRI entry is:

     svc:/network/shell:kshell (rshd with Kerberos, IPv4 only)

SECURITY
     in.rshd uses pam(3PAM) for authentication,  account  manage-
     ment,  and session management. The PAM configuration policy,
     listed through /etc/pam.conf, specifies the  modules  to  be
     used  for  in.rshd.  Here  is  a  partial pam.conf file with
     entries for the rsh  command  using  rhosts  authentication,
     UNIX account management, and session management module.

     rsh       auth      required   pam_rhosts_auth.so.1
     rsh       account   required   pam_unix_roles.so.1
     rsh       account   required   pam_unix_projects.so.1
     rsh       account   required   pam_unix_account.so.1
     rsh       session   required   pam_unix_session.so.1


     If there are no  entries  for  the  rsh  service,  then  the
     entries  for  the  "other" service are used. To maintain the
     authentication requirement for in.rshd, the rsh  entry  must
     always be configured with the pam_rhosts_auth.so.1 module.

     in.rshd can authenticate using Kerberos V5 authentication or
     pam(3PAM).  For  Kerberized rsh service, the appropriate PAM
     service name is krsh.
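     The rhosts-based decision that step 7 above describes, and
     that pam_rhosts_auth.so.1 is configured to make in the
     pam.conf fragment above, is worth seeing as code because the
     inputs it trusts are all supplied by the client or by the host
     name database. The Python below is an added model of that
     decision, not the module's or Solaris' code. It assumes the
     password-file entry is reduced to a uid and home directory,
     that hosts.equiv holds one host name per line, and that a
     .rhosts line is "host [user]" where an omitted user means the
     same name as the server-side user (that last rule is from
     hosts.equiv(4), not from this page). Comments starting with #
     are treated as ignorable in both files, which is also an
     assumption here.

```python
"""Model of the step-7 hosts.equiv / .rhosts trust decision. Added example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

ROOT_UID = 0


@dataclass
class Account:
    """Assumed stand-in for the password-file entry in.rshd looks up."""
    uid: int
    home: str


def _fields(line: str) -> List[str]:
    """Split a hosts.equiv or .rhosts line, dropping an assumed '#' comment."""
    return line.split("#", 1)[0].split()


def hosts_equiv_allows(client_host: str, hosts_equiv: Iterable[str]) -> bool:
    """Step 7: access if the client's host name is present in /etc/hosts.equiv."""
    for line in hosts_equiv:
        parts = _fields(line)
        if parts and parts[0].lower() == client_host.lower():
            return True
    return False


def rhosts_allows(client_host: str, locuser: str, remuser: str, rhosts: Iterable[str]) -> bool:
    """Step 7: $HOME/.rhosts is checked for the client machine name AND the
    client-side identity. A line with no user field grants only the same name."""
    for line in rhosts:
        parts = _fields(line)
        if not parts:
            continue
        host = parts[0]
        user = parts[1] if len(parts) > 1 else remuser
        if host.lower() == client_host.lower() and user == locuser:
            return True
    return False


def decide(remuser: str, passwd: Dict[str, Account], client_host: str, locuser: str,
           hosts_equiv: List[str], rhosts_by_home: Dict[str, List[str]]) -> str:
    """Return '' when in.rshd would answer with status byte 0, otherwise the
    DIAGNOSTICS text that follows status byte 1. Assumes pam_rhosts_auth is configured."""
    acct = passwd.get(remuser)
    if acct is None:
        return "Login incorrect."          # no password-file entry for remuser
    if acct.uid != ROOT_UID and hosts_equiv_allows(client_host, hosts_equiv):
        return ""                           # hosts.equiv never applies to the superuser
    if rhosts_allows(client_host, locuser, remuser, rhosts_by_home.get(acct.home, [])):
        return ""
    return "Permission denied."


# Constructed sample data standing in for the server's files.
PASSWD = {"root": Account(0, "/"), "alice": Account(1001, "/home/alice")}
HOSTS_EQUIV = ["# trusted build hosts", "build.example.com"]
RHOSTS = {"/": ["build.example.com alice"], "/home/alice": ["laptop.example.com"]}

if __name__ == "__main__":
    # Every value in the call below is asserted by the client or resolved from its address;
    # a host that can spoof either gets the same answer as the real laptop.
    print(repr(decide("alice", PASSWD, "laptop.example.com", "alice", HOSTS_EQUIV, RHOSTS)))
    print(repr(decide("root", PASSWD, "build.example.com", "bob", HOSTS_EQUIV, RHOSTS)))
```

     Only the superuser path consults .rhosts first; for everyone
     else a host name in hosts.equiv is sufficient on its own, so
     a single entry there grants every non-root account on the
     server to any user of that host.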

FILES
     /etc/hosts.equiv

     $HOME/.k5login          File containing Kerberos  principals
                             that are allowed access.



     /etc/krb5/krb5.conf     Kerberos configuration file.




ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWrcmds                   |
    |_____________________________|_____________________________|


SEE ALSO
     rsh(1),  svcs(1),   gkadmin(1M),   inetadm(1M),   inetd(1M),
     kadmin(1M),   svcadm(1M),  pam(3PAM),  getnameinfo(3SOCKET),
     hosts(4),   krb5.conf(4),    pam.conf(4),     attributes(5),
     environ(5),     krb5_auth_rules(5),    pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5), pam_rhosts_auth(5), pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5), smf(5), ip6(7P)

     System Administration Guide: Security Services

DIAGNOSTICS
     The following diagnostic messages are returned on  the  con-
     nection associated with stderr, after which any network con-
     nections are closed. An error is indicated by a leading byte
     with a value of 1 in step 8 above (0 is returned upon
     successful completion of all the steps prior to the command
     execution).

     locuser too long

         The name of the user on the client's machine  is  longer
         than 16 characters.

     remuser too long

         The name of the user on the  remote  machine  is  longer
         than 16 characters.



     command too long

         The command line passed exceeds the size of the argument
         list (as configured into the system).



     Hostname for your address unknown.

         No entry in the  host  name  database  existed  for  the
         client's machine.



     Login incorrect.

         No password file entry for the user name existed.



     Permission denied.

         The authentication procedure described above failed.



     Can't make pipe.

         The pipe needed for the stderr was not created.



     Try again.

         A fork by the server failed.




NOTES
     The authentication procedure used here assumes the integrity
     of  each  client  machine and the connecting medium. This is
     insecure, but it is useful in an "open" environment.

     A facility to allow  all  data  exchanges  to  be  encrypted
     should be present.

     The pam_unix(5) module is no longer supported. Similar func-
     tionality     is     provided    by    pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5),  pam_unix_account(5),  pam_unix_auth(5),
     and pam_unix_session(5).

     The in.rshd service is managed  by  the  service  management
     facility, smf(5), under the service identifier:

     svc:/network/shell:default

     Administrative actions on this service,  such  as  enabling,
     disabling,  or  requesting  restart,  can be performed using
     svcadm(1M). Responsibility  for  initiating  and  restarting
     this  service  is delegated to inetd(1M). Use inetadm(1M) to
     make configuration changes and to view configuration  infor-
     mation for this service. The service's status can be queried
     using the svcs(1) command.

SunOS 5.10          Last change: 10 Nov 2005                    7