in.rshd, rshd - remote shell server


     in.rshd host.port


     in.rshd is the server for the rsh(1)  program.   The  server
     provides  remote  execution  facilities  with authentication
     based on privileged port numbers.

     in.rshd is invoked by inetd(1M) each time a shell service is
     requested, and executes the following protocol:

     1. The server checks the client's source port. If  the  port
        is  not in the range 512-1023, the server aborts the con-
        nection.  The client's host address  (in  hex)  and  port
        number (in decimal) are the arguments passed to in.rshd.

     2. The server reads characters from the socket up to a  null
        (  \0  ) byte.  The resultant string is interpreted as an
        ASCII number, base 10.

     3. If the number received in  step  2  is  non-zero,  it  is
        interpreted  as  the port number of a secondary stream to
        be used for the  stderr.  A  second  connection  is  then
        created  to  the  specified port on the client's machine.
        The source port of this second connection is also in  the
        range 512-1023.

     4. A null-terminated user name of at most 16  characters  is
        retrieved  on  the  initial  socket.   This  user name is
        interpreted as the user identity on the client's machine.

     5. A null terminated user name of at most 16  characters  is
        retrieved  on  the  initial  socket.   This  user name is
        interpreted as a user identity to  use  on  the  server's

     6. A null terminated command to be  passed  to  a  shell  is
        retrieved  on the initial socket.  The length of the com-
        mand is limited by the upper bound on  the  size  of  the
        system's argument list.

     7. in.rshd then validates the user according to the  follow-
        ing steps. The remote user name is looked up in the pass-
        word file and a chdir is performed  to  the  user's  home
        directory.  If  the  lookup fails, the connection is ter-
        minated. If the chdir fails, it does a chdir to / (root).
        If the user is not the superuser, (user ID 0), and if the
        pam_rhosts_auth  PAM module is configured for authentica-
        tion,  the  file /etc/hosts.equiv is consulted for a list
        of hosts considered "equivalent". If  the  client's  host
        name  is present in this file, the authentication is con-
        sidered successful. See the SECURITY section  below for a
        discussion of  PAM authentication.

        If the lookup fails, or the user is the  superuser,  then
        the file .rhosts in the home directory of the remote user
        is checked for the machine name and identity of the  user
        on  the  client's machine. If this lookup fails, the con-
        nection is terminated

     8. A null byte is returned on the connection associated with
        the  stderr  and the command line is passed to the normal
        login shell of the user. (The PATH  variable  is  set  to
        /usr/bin.)   The  shell  inherits the network connections
        established by in.rshd.


     rshd and in.rshd are IPv6-enabled. See ip6(7P).


     in.rshd uses pam(3PAM) for authentication,  account  manage-
     ment, and session management.  The PAM configuration policy,
     listed through /etc/pam.conf, specifies the  modules  to  be
     used  for  in.rshd.  Here  is  a  partial pam.conf file with
     entries for the rsh  command  using  rhosts  authentication,
     UNIX account management, and session management module.

     rsh       auth      required

     rsh       account   required
     rsh       session   required
     rsh       session   required

     rsh       session   required

     If there are no  entries  for  the  rsh  service,  then  the
     entries  for  the  "other" service are used. To maintain the
     authentication requirement for in.rshd, the rsh  entry  must
     always be configured with the module.




     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWrcmds                   |


     rsh(1),  inetd(1M),  pam(3PAM),   hosts(4),   inetd.conf(4),
     pam.conf(4),            attributes(5),           environ(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_rhosts_auth(5),    pam_unix(5),     pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5)ip6(7P)


     The following diagnostic messages are returned on  the  con-
     nection  associated  with   stderr,  after which any network
     connections are closed. An error is indicated by  a  leading
     byte  with a value of 1 in step 8 above (0 is returned above
     upon successful completion of all the  steps  prior  to  the
     command execution).

          locuser too long
                The name of the user on the client's  machine  is
                longer than 16 characters.

          remuser too long
                The name of the user on  the  remote  machine  is
                longer than 16 characters.

          command too long
                The command line passed exceeds the size  of  the
                argument list (as configured into the system).

          Hostname for your address unknown.
                No entry in the host name  database  existed  for
                the client's machine.

          Login incorrect.
                No password file entry for the user name existed.

          Permission denied.
                The  authentication  procedure  described   above

          Can't make pipe.
                The pipe needed for the stderr was not created.

          Try again.
                A fork by the server failed.


     The authentication procedure used here assumes the integrity
     of  each  client machine and the connecting medium.  This is
     insecure, but it is useful in an "open" environment.

     A facility to allow  all  data  exchanges  to  be  encrypted
     should be present.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and

Man(1) output converted with man2html