System Administration Commands in.rshd(1M)
NAME
in.rshd, rshd - remote shell server
SYNOPSIS
in.rshd [-k5eciU] [-s tos] [-S keytab] [-M realm]
[-L envvar] host.port
DESCRIPTION
in.rshd is the server for the rsh(1) program. The server
provides remote execution facilities with authentication
based on Kerberos V5 or privileged port numbers.
in.rshd is invoked by inetd(1M) each time a shell service is
requested.
When Kerberos V5 authentication is required (this can be set
with Kerberos-specific options listed below), the following
protocol is initiated:
1. Check Kerberos V5 authentication.
2. Check authorization according to rules in
krb5authrules(5).
3. A null byte is returned on the initial socket and
the command line is passed to the normal login
shell of the user. (The PATH variable is set to
/usr/bin.) The shell inherits the network connec-
tions established by in.rshd.
In order for Kerberos authentication to work, a host/
Kerberos principal must exist for each Fully Qualified
Domain Name associated with the in.rshd server. Each of
these host/ principals must have a keytab entry in the
/etc/krb5/krb5.keytab file on the in.rshd server. An example
principal might be:
host/bigmachine.eng.example.com
See kadmin(1M) or gkadmin(1M) for instructions on adding a
principal to a krb5.keytab file. See for a discussion of
Kerberos authentication.
If Kerberos V5 authentication is not enabled, then in.rshd
executes the following protocol:
SunOS 5.11 Last change: 10 Nov 2005 1
System Administration Commands in.rshd(1M)
1. The server checks the client's source port. If the
port is not in the range 512-1023, the server
aborts the connection. The client's host address
(in hex) and port number (in decimal) are the argu-
ments passed to in.rshd.
2. The server reads characters from the socket up to a
null ( ) byte. The resultant string is interpreted
as an ASCI number, base 10.
3. If the number received in step 2 is non-zero, it is
interpreted as the port number of a secondary
stream to be used for the stderr. A second connec-
tion is then created to the specified port on the
client's machine. The source port of this second
connection is also in the range 512-1023.
4. A null-terminated user name of at most 16 charac-
ters is retrieved on the initial socket. This user
name is interpreted as the user identity on the
client's machine.
5. A null terminated user name of at most 16 charac-
ters is retrieved on the initial socket. This user
name is interpreted as a user identity to use on
the server's machine.
6. A null terminated command to be passed to a shell
is retrieved on the initial socket. The length of
the command is limited by the upper bound on the
size of the system's argument list.
7. in.rshd then validates the user according to the
following steps. The remote user name is looked up
in the password file and a chdir is performed to
the user's home directory. If the lookup fails, the
connection is terminated. If the chdir fails, it
does a chdir to / (root). If the user is not the
superuser, (user ID 0), and if the pamrhostsauth
PAM module is configured for authentication, the
file /etc/hosts.equiv is consulted for a list of
hosts considered "equivalent". If the client's host
name is present in this file, the authentication is
considered successful. See the SECURITY section
below for a discussion of PAM authentication.
If the lookup fails, or the user is the superuser,
then the file .rhosts in the home directory of the
remote user is checked for the machine name and
identity of the user on the client's machine. If
this lookup fails, the connection is terminated
SunOS 5.11 Last change: 10 Nov 2005 2
System Administration Commands in.rshd(1M)
8. A null byte is returned on the initial connection
and the command line is passed to the normal login
shell of the user. The PATH variable is set to
/usr/bin. The shell inherits the network connec-
tions established by in.rshd.
OPTIONS
The following options are supported:
-5 Same as -k, for backwards compatibility
-c Requires Kerberos V5 clients to present a
cryptographic checksum of initial connection
information like the name of the user that the
client is trying to access in the initial
authenticator. This checksum provides addi-
tionl security by preventing an attacker from
changing the initial connection information.
This option is mutually exclusive with the -i
option.
-e Requires the client to encrypt the connection.
-i Ignores authenticator checksums if provided.
This option ignores authenticator checksums
presented by current Kerberos clients to pro-
tect initial connection information. Option -i
is the opposite of option -c.
-k Allows Kerberos V5 authentication with the
.k5login access control file to be trusted. If
this authentication system is used by the
client and the authorization check is passed,
then the user is allowed to log in.
-L envvar List of environment variables that need to be
saved and passed along.
-M realm Uses the indicated Kerberos V5 realm. By
default, the daemon will determine its realm
from the settings in the krb5.conf(4) file.
-s tos Sets the IP TOS option.
SunOS 5.11 Last change: 10 Nov 2005 3
System Administration Commands in.rshd(1M)
-S keytab Sets the KRB5 keytab file to use.
The/etc/krb5/krb5.keytab file is used by
default.
-U Refuses connections that cannot be mapped to a
name through the getnameinfo(3SOCKET) func-
tion.
USAGE
rshd and in.rshd are IPv6-enabled. See ip6(7P). IPv6 is not
currently supported with Kerberos V5 authentication.
The Kerberized rshd service runs on port 544 (kshell). The
corresponding FMRI entry is: :
svc:/network/shell:kshell (rshd with kerberos (ipv4 only))
SECURITY
in.rshd uses pam(3PAM) for authentication, account manage-
ment, and session management. The PAM configuration policy,
listed through /etc/pam.conf, specifies the modules to be
used for in.rshd. Here is a partial pam.conf file with
entries for the rsh command using rhosts authentication,
UNIX account management, and session management module.
rsh auth required pamrhostsauth.so.1
rsh account required pamunixroles.so.1
rsh session required pamunixprojects.so.1
rsh session required pamunixaccount.so.1
rsh session required pamunixsession.so.1
If there are no entries for the rsh service, then the
entries for the "other" service are used. To maintain the
authentication requirement for in.rshd, the rsh entry must
always be configured with the pamrhostsauth.so.1 module.
in.rshd can authenticate using Kerberos V5 authentication or
pam(3PAM). For Kerberized rsh service, the appropriate PAM
service name is krsh.
SunOS 5.11 Last change: 10 Nov 2005 4
System Administration Commands in.rshd(1M)
FILES
/etc/hosts.equiv
$HOME/.k5login File containing Kerberos principals
that are allowed access.
/etc/krb5/krb5.conf Kerberos configuration file.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWrcmds
SEE ALSO
rsh(1), svcs(1), gkadmin(1M), inetadm(1M), inetd(1M),
kadmin(1M), svcadm(1M), pam(3PAM), getnameinfo(3SOCKET),
hosts(4), krb5.conf(4), pam.conf(4), attributes(5),
environ(5), krb5authrules(5), pamauthtokcheck(5),
pamauthtokget(5), pamauthtokstore(5), pamdhkeys(5),
pampasswdauth(5), pamrhostsauth(5), pamunixaccount(5),
pamunixauth(5), pamunixsession(5), smf(5), ip6(7P)
DIAGNOSTICS
The following diagnostic messages are returned on the con-
nection associated with stderr, after which any network con-
nections are closed. An error is indicated by a leading byte
with a value of 1 in step 8 above (0 is returned above upon
successful completion of all the steps prior to the command
execution).
locuser too long
The name of the user on the client's machine is longer
than 16 characters.
remuser too long
The name of the user on the remote machine is longer
than 16 characters.
SunOS 5.11 Last change: 10 Nov 2005 5
System Administration Commands in.rshd(1M)
command too long
The command line passed exceeds the size of the argument
list (as configured into the system).
Hostname for your address unknown.
No entry in the host name database existed for the
client's machine.
Login incorrect.
No password file entry for the user name existed.
Permission denied.
The authentication procedure described above failed.
Can't make pipe.
The pipe needed for the stderr was not created.
Try again.
A fork by the server failed.
NOTES
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium. This is
insecure, but it is useful in an "open" environment.
A facility to allow all data exchanges to be encrypted
should be present.
The pamunix(5) module is no longer supported. Similar func-
tionality is provided by pamauthtokcheck(5),
pamauthtokget(5), pamauthtokstore(5), pamdhkeys(5),
pampasswdauth(5), pamunixaccount(5), pamunixauth(5),
and pamunixsession(5).
The in.rshd service is managed by the service management
facility, smf(5), under the service identifier:
SunOS 5.11 Last change: 10 Nov 2005 6
System Administration Commands in.rshd(1M)
svc:/network/shell:default
Administrative actions on this service, such as enabling,
disabling, or requesting restart, can be performed using
svcadm(1M). Responsibility for initiating and restarting
this service is delegated to inetd(1M). Use inetadm(1M) to
make configuration changes and to view configuration infor-
mation for this service. The service's status can be queried
using the svcs(1) command.
SunOS 5.11 Last change: 10 Nov 2005 7
|
