in.rshd(1M)             System Administration Commands             in.rshd(1M)

NAME

       in.rshd, rshd - remote shell server

SYNOPSIS

       in.rshd [-k5eciU] [-s tos] [-S keytab] [-M realm]
            [-L env_var] host.port


DESCRIPTION

       in.rshd is the server for the rsh(1) program. The server provides
       remote execution facilities with authentication based on Kerberos V5 or
       privileged port numbers.

       in.rshd is invoked by inetd(1M) each time a shell service is requested.

       When Kerberos V5 authentication is required (this can be set with the
       Kerberos-specific options listed below), the following protocol is
       initiated:

           1.     Check Kerberos V5 authentication.

           2.     Check authorization according to the rules in
                  krb5_auth_rules(5).

           3.     A null byte is returned on the initial socket and the command
                  line is passed to the normal login shell of the user. (The
                  PATH variable is set to /usr/bin.) The shell inherits the
                  network connections established by in.rshd.

       In order for Kerberos authentication to work, a host/<FQDN> Kerberos
       principal must exist for each Fully Qualified Domain Name associated
       with the in.rshd server. Each of these host/<FQDN> principals must have
       a keytab entry in the /etc/krb5/krb5.keytab file on the in.rshd server.
       An example principal might be:

       host/bigmachine.eng.example.com

       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to
       a krb5.keytab file. See  for a discussion of Kerberos authentication.

       If Kerberos V5 authentication is not enabled, then in.rshd executes the
       following protocol:

           1.     The server checks the client's source port. If the port is
                  not in the range 512-1023, the server aborts the connection.
                  The client's host address (in hex) and port number (in
                  decimal) are the arguments passed to in.rshd.

           2.     The server reads characters from the socket up to a null (\0)
                  byte. The resultant string is interpreted as an ASCII number,
                  base 10.

           3.     If the number received in step 2 is non-zero, it is
                  interpreted as the port number of a secondary stream to be
                  used for the stderr. A second connection is then created to
                  the specified port on the client's machine. The source port
                  of this second connection is also in the range 512-1023.

           4.     A null-terminated user name of at most 16 characters is
                  retrieved on the initial socket. This user name is
                  interpreted as the user identity on the client's machine.

           5.     A null-terminated user name of at most 16 characters is
                  retrieved on the initial socket. This user name is
                  interpreted as the user identity to use on the server's
                  machine.

           6.     A null-terminated command to be passed to a shell is
                  retrieved on the initial socket. The length of the command
                  is limited by the upper bound on the size of the system's
                  argument list.

           7.     in.rshd then validates the user according to the following
                  steps. The remote user name is looked up in the password
                  file and a chdir is performed to the user's home directory.
                  If the lookup fails, the connection is terminated. If the
                  chdir fails, it does a chdir to / (root). If the user is not
                  the superuser (user ID 0), and if the pam_rhosts_auth PAM
                  module is configured for authentication, the file
                  /etc/hosts.equiv is consulted for a list of hosts considered
                  "equivalent". If the client's host name is present in this
                  file, the authentication is considered successful. See the
                  SECURITY section below for a discussion of PAM
                  authentication.

                  If the lookup fails, or the user is the superuser, then the
                  file .rhosts in the home directory of the remote user is
                  checked for the machine name and identity of the user on the
                  client's machine. If this lookup fails, the connection is
                  terminated.

           8.     A null byte is returned on the initial connection and the
                  command line is passed to the normal login shell of the
                  user. The PATH variable is set to /usr/bin. The shell
                  inherits the network connections established by in.rshd.

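       The following is an added example, not code from this manual page or
       from the in.rshd daemon. It decodes one non-Kerberos request as steps
       1 through 6 above describe the wire format, applies the source-port and
       length limits the text states, and returns the diagnostic in.rshd
       would send. The sample request and the 4096-byte command bound are
       constructed values; the trailing newline on error replies is assumed.

```python
# Added example, not code from the in.rshd man page or from the daemon: decode
# one non-Kerberos rsh request as steps 1-6 describe it and return the
# diagnostic in.rshd would send, or None when the request is well formed.
MAX_NAME = 16    # user-name limit from steps 4 and 5
MAX_CMD = 4096   # constructed stand-in for the system's argument-list bound


def _read_cstring(buf: bytes, pos: int):
    """Return (text, next_pos) for the null-terminated string starting at pos."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise ValueError("request truncated: no terminating null byte")
    return buf[pos:end].decode("ascii"), end + 1


def check_rsh_request(src_port: int, payload: bytes):
    """Validate one rsh request; returns (fields, diagnostic)."""
    # Step 1: the client must connect from a privileged port in 512-1023.
    if not 512 <= src_port <= 1023:
        return None, "source port %d not in 512-1023; connection aborted" % src_port
    port_str, pos = _read_cstring(payload, 0)      # step 2: ASCII decimal number
    stderr_port = int(port_str or "0")             # step 3: 0 means no stderr stream
    locuser, pos = _read_cstring(payload, pos)     # step 4: identity on the client
    if len(locuser) > MAX_NAME:
        return None, "locuser too long"
    remuser, pos = _read_cstring(payload, pos)     # step 5: identity on the server
    if len(remuser) > MAX_NAME:
        return None, "remuser too long"
    command, _ = _read_cstring(payload, pos)       # step 6: command for the shell
    if len(command) > MAX_CMD:
        return None, "command too long"
    return {"stderr_port": stderr_port, "locuser": locuser,
            "remuser": remuser, "command": command}, None


def response_bytes(diagnostic):
    """First byte sent back on the initial socket (step 8 and DIAGNOSTICS):
    0 on success, 1 followed by the message on error (newline is assumed)."""
    if diagnostic is None:
        return b"\0"
    return b"\1" + diagnostic.encode("ascii") + b"\n"


# Constructed sample request: stderr stream on client port 1022, alice at both ends.
SAMPLE = b"1022\0alice\0alice\0/usr/bin/id\0"

if __name__ == "__main__":
    print(check_rsh_request(1021, SAMPLE))
    print(check_rsh_request(40000, SAMPLE))
    print(check_rsh_request(1000, b"0\0" + b"a" * 17 + b"\0alice\0id\0"))
```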

OPTIONS

       The following options are supported:

       -5            Same as -k, for backwards compatibility.

       -c            Requires Kerberos V5 clients to present a cryptographic
                     checksum of initial connection information, such as the
                     name of the user that the client is trying to access, in
                     the initial authenticator. This checksum provides
                     additional security by preventing an attacker from
                     changing the initial connection information. This option
                     is mutually exclusive with the -i option.

       -e            Requires the client to encrypt the connection.

       -i            Ignores authenticator checksums if provided. This option
                     ignores authenticator checksums presented by current
                     Kerberos clients to protect initial connection
                     information. Option -i is the opposite of option -c.

       -k            Allows Kerberos V5 authentication with the .k5login
                     access control file to be trusted. If this authentication
                     system is used by the client and the authorization check
                     is passed, then the user is allowed to log in.

       -L env_var    List of environment variables that need to be saved and
                     passed along.

       -M realm      Uses the indicated Kerberos V5 realm. By default, the
                     daemon will determine its realm from the settings in the
                     krb5.conf(4) file.

       -s tos        Sets the IP TOS option.

       -S keytab     Sets the KRB5 keytab file to use. The
                     /etc/krb5/krb5.keytab file is used by default.

       -U            Refuses connections that cannot be mapped to a name
                     through the getnameinfo(3SOCKET) function.


USAGE

       rshd and in.rshd are IPv6-enabled. See ip6(7P). IPv6 is not currently
       supported with Kerberos V5 authentication.

       The Kerberized rshd service runs on port 544 (kshell). The
       corresponding FMRI entry is:

         svc:/network/shell:kshell (rshd with kerberos (ipv4 only))


SECURITY

       in.rshd uses pam(3PAM) for authentication, account management, and
       session management. The PAM configuration policy, listed through
       /etc/pam.conf, specifies the modules to be used for in.rshd. Here is a
       partial pam.conf file with entries for the rsh command using rhosts
       authentication, UNIX account management, and session management
       modules.

       rsh        auth       required   pam_rhosts_auth.so.1

       rsh        account    required   pam_unix_roles.so.1
       rsh        session    required   pam_unix_projects.so.1
       rsh        session    required   pam_unix_account.so.1

       rsh        session    required   pam_unix_session.so.1

       If there are no entries for the rsh service, then the entries for the
       "other" service are used. To maintain the authentication requirement
       for in.rshd, the rsh entry must always be configured with the
       pam_rhosts_auth.so.1 module.

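       The following is an added example, not part of this manual page or of
       Solaris. It audits a pam.conf for the requirement just stated: the auth
       stack that will actually be applied to the rsh service, after the
       fallback to the "other" service, must contain pam_rhosts_auth.so.1 as a
       required module. The two pam.conf fragments are constructed, and the
       fallback is applied per module type, which is this example's
       assumption.

```python
# Added example, not from the man page or from Solaris: audit a pam.conf for
# the rule in the SECURITY section, i.e. that the auth stack actually applied
# to the rsh service contains pam_rhosts_auth.so.1 as a required module.
REQUIRED_MODULE = "pam_rhosts_auth.so.1"


def parse_pam_conf(text: str):
    """Return (service, module_type, control_flag, module_path) per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3]))
    return entries


def effective_stack(entries, service: str, module_type: str):
    """Entries applied for service/module_type. When the service has none of
    that type, the 'other' entries apply (the page's fallback rule, taken
    here per module type as an assumption)."""
    own = [e for e in entries if e[0] == service and e[1] == module_type]
    return own or [e for e in entries if e[0] == "other" and e[1] == module_type]


def audit_rsh_auth(text: str):
    """Return findings; an empty list means the rsh auth requirement holds."""
    stack = effective_stack(parse_pam_conf(text), "rsh", "auth")
    findings = []
    if not any(e[0] == "rsh" for e in stack):
        findings.append("no 'rsh auth' entry: the 'other' auth stack applies to rsh")
    if not any(e[2] == "required" and e[3] == REQUIRED_MODULE for e in stack):
        findings.append("effective rsh auth stack lacks 'required %s'" % REQUIRED_MODULE)
    return findings


# Constructed fragments: GOOD_CONF follows the SECURITY section; BAD_CONF has
# lost its rsh auth line and so inherits whatever 'other' uses for auth.
GOOD_CONF = """\
rsh        auth       required   pam_rhosts_auth.so.1
rsh        account    required   pam_unix_roles.so.1
rsh        session    required   pam_unix_session.so.1
"""
BAD_CONF = """\
rsh        account    required   pam_unix_roles.so.1
other      auth       required   pam_authtok_get.so.1
"""
```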
       in.rshd can authenticate using Kerberos V5 authentication or pam(3PAM).
       For the Kerberized rsh service, the appropriate PAM service name is
       krsh.


FILES

       /etc/hosts.equiv

       $HOME/.k5login         File containing Kerberos principals that are
                              allowed access.

       /etc/krb5/krb5.conf    Kerberos configuration file.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWrcmds                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       rsh(1), svcs(1), gkadmin(1M), inetadm(1M), inetd(1M), kadmin(1M),
       svcadm(1M), pam(3PAM), getnameinfo(3SOCKET), hosts(4), krb5.conf(4),
       pam.conf(4), attributes(5), environ(5), krb5_auth_rules(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_passwd_auth(5), pam_rhosts_auth(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), smf(5),
       ip6(7P)


DIAGNOSTICS

       The following diagnostic messages are returned on the connection
       associated with stderr, after which any network connections are closed.
       An error is indicated by a leading byte with a value of 1 in step 8
       above (0 is returned above upon successful completion of all the steps
       prior to the command execution).

       locuser too long

           The name of the user on the client's machine is longer than 16
           characters.

       remuser too long

           The name of the user on the remote machine is longer than 16
           characters.

       command too long

           The command line passed exceeds the size of the argument list (as
           configured into the system).

       Hostname for your address unknown.

           No entry in the host name database existed for the client's
           machine.

       Login incorrect.

           No password file entry for the user name existed.

       Permission denied.

           The authentication procedure described above failed.

       Can't make pipe.

           The pipe needed for the stderr was not created.

       Try again.

           A fork by the server failed.


NOTES

       The authentication procedure used here assumes the integrity of each
       client machine and the connecting medium. This is insecure, but it is
       useful in an "open" environment.

       A facility to allow all data exchanges to be encrypted should be
       present.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

       The in.rshd service is managed by the service management facility,
       smf(5), under the service identifier:

         svc:/network/shell:default

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using svcadm(1M). Responsibility
       for initiating and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.11                        10 Nov 2005                      in.rshd(1M)