Annotation of src/libexec/rshd/rshd.8, Revision 1.1.1.2
1.1.1.2 ! cgd 1: .\" Copyright (c) 1983, 1989, 1991, 1993
! 2: .\" The Regents of the University of California. All rights reserved.
1.1 cgd 3: .\"
4: .\" Redistribution and use in source and binary forms, with or without
5: .\" modification, are permitted provided that the following conditions
6: .\" are met:
7: .\" 1. Redistributions of source code must retain the above copyright
8: .\" notice, this list of conditions and the following disclaimer.
9: .\" 2. Redistributions in binary form must reproduce the above copyright
10: .\" notice, this list of conditions and the following disclaimer in the
11: .\" documentation and/or other materials provided with the distribution.
12: .\" 3. All advertising materials mentioning features or use of this software
13: .\" must display the following acknowledgement:
14: .\" This product includes software developed by the University of
15: .\" California, Berkeley and its contributors.
16: .\" 4. Neither the name of the University nor the names of its contributors
17: .\" may be used to endorse or promote products derived from this software
18: .\" without specific prior written permission.
19: .\"
20: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30: .\" SUCH DAMAGE.
31: .\"
1.1.1.2 ! cgd 32: .\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
1.1 cgd 33: .\"
1.1.1.2 ! cgd 34: .Dd June 4, 1993
1.1 cgd 35: .Dt RSHD 8
36: .Os BSD 4.2
37: .Sh NAME
38: .Nm rshd
39: .Nd remote shell server
40: .Sh SYNOPSIS
41: .Nm rshd
1.1.1.2 ! cgd 42: .Op Fl alnL
1.1 cgd 43: .Sh DESCRIPTION
44: The
45: .Nm rshd
46: server
47: is the server for the
48: .Xr rcmd 3
49: routine and, consequently, for the
50: .Xr rsh 1
51: program. The server provides remote execution facilities
52: with authentication based on privileged port numbers from trusted hosts.
53: .Pp
54: The
55: .Nm rshd
56: server
57: listens for service requests at the port indicated in
58: the ``cmd'' service specification; see
59: .Xr services 5 .
60: When a service request is received the following protocol
61: is initiated:
62: .Bl -enum
63: .It
64: The server checks the client's source port.
65: If the port is not in the range 512-1023, the server
66: aborts the connection.
67: .It
68: The server reads characters from the socket up
69: to a null (`\e0') byte. The resultant string is
70: interpreted as an
71: .Tn ASCII
72: number, base 10.
73: .It
74: If the number received in step 2 is non-zero,
75: it is interpreted as the port number of a secondary
76: stream to be used for the
77: .Em stderr .
78: A second connection is then created to the specified
79: port on the client's machine. The source port of this
80: second connection is also in the range 512-1023.
81: .It
82: The server checks the client's source address
83: and requests the corresponding host name (see
84: .Xr gethostbyaddr 3 ,
85: .Xr hosts 5
86: and
87: .Xr named 8 ) .
88: If the hostname cannot be determined,
89: the dot-notation representation of the host address is used.
90: If the hostname is in the same domain as the server (according to
91: the last two components of the domain name),
92: or if the
93: .Fl a
94: option is given,
95: the addresses for the hostname are requested,
96: verifying that the name and address correspond.
97: If address verification fails, the connection is aborted
98: with the message, ``Host address mismatch.''
99: .It
100: A null terminated user name of at most 16 characters
101: is retrieved on the initial socket. This user name
102: is interpreted as the user identity on the
103: .Em client Ns 's
104: machine.
105: .It
106: A null terminated user name of at most 16 characters
107: is retrieved on the initial socket. This user name
108: is interpreted as a user identity to use on the
109: .Sy server Ns 's
110: machine.
111: .It
112: A null terminated command to be passed to a
113: shell is retrieved on the initial socket. The length of
114: the command is limited by the upper bound on the size of
115: the system's argument list.
116: .It
117: .Nm Rshd
118: then validates the user using
119: .Xr ruserok 3 ,
120: which uses the file
121: .Pa /etc/hosts.equiv
122: and the
123: .Pa .rhosts
124: file found in the user's home directory. The
125: .Fl l
126: option prevents
127: .Xr ruserok 3
128: from doing any validation based on the user's ``.rhosts'' file,
129: unless the user is the superuser.
130: .It
1.1.1.2 ! cgd 131: If the file
! 132: .Pa /etc/nologin
! 133: exists and the user is not the superuser,
! 134: the connection is closed.
! 135: .It
1.1 cgd 136: A null byte is returned on the initial socket
137: and the command line is passed to the normal login
138: shell of the user. The
139: shell inherits the network connections established
140: by
141: .Nm rshd .
1.1.1.2 ! cgd 142: .El
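The request framing and the checks of steps 1 through 7 above, written out as a parser that returns the diagnostic byte stream described under DIAGNOSTICS. This is an added example, not code from the BSD rshd source: the argument-list bound (4096), the trailing newline on error replies, the message texts not listed on this page ("Truncated request ...", "Bad stderr port.") and the table-backed resolvers standing in for gethostbyaddr(3) lookups are all assumptions; ruserok(3), the /etc/nologin check and the shell exec (steps 8 to 10) are left out.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PRIV_PORTS = range(512, 1024)   # steps 1 and 3: client source ports must lie in 512-1023
MAX_USER_LEN = 16               # steps 5 and 6: user names of at most 16 characters
MAX_CMD_LEN = 4096              # stand-in for the system's argument-list bound (assumed value)
SUCCESS_REPLY = b"\x00"         # step 10: a null byte is returned before the command runs


class RshProtocolError(Exception):
    """Carries the message text that rshd returns on the initial socket."""


@dataclass
class RshRequest:
    stderr_port: int    # 0 means the client wants no secondary stderr stream
    client_user: str
    server_user: str
    command: str


def check_source_port(port: int) -> bool:
    """Step 1: a non-privileged source port aborts the connection (no diagnostic is sent)."""
    return port in PRIV_PORTS


def read_cstring(buf: bytes, pos: int) -> tuple:
    """Read the field ending at the next null byte, as rshd does for every request field."""
    end = buf.find(b"\0", pos)
    if end < 0:
        # Message text is constructed here; the page lists no diagnostic for this case.
        raise RshProtocolError("Truncated request: missing null terminator.")
    return buf[pos:end], end + 1


def parse_request(payload: bytes) -> RshRequest:
    """Steps 2, 5, 6 and 7: stderr port, client user, server user and command, each null terminated."""
    raw_port, pos = read_cstring(payload, 0)
    if not raw_port.isdigit():                       # step 2: an ASCII base-10 number
        raise RshProtocolError("Bad stderr port.")   # constructed message text
    client_user, pos = read_cstring(payload, pos)
    if len(client_user) > MAX_USER_LEN:
        raise RshProtocolError("Locuser too long.")
    server_user, pos = read_cstring(payload, pos)
    if len(server_user) > MAX_USER_LEN:
        raise RshProtocolError("Ruser too long.")
    command, pos = read_cstring(payload, pos)
    if len(command) > MAX_CMD_LEN:
        raise RshProtocolError("Command too long.")
    return RshRequest(int(raw_port),
                      client_user.decode("ascii", "replace"),
                      server_user.decode("ascii", "replace"),
                      command.decode("ascii", "replace"))


def resolve_client_host(addr: str, server_domain: str,
                        reverse: Callable[[str], Optional[str]],
                        forward: Callable[[str], list],
                        verify_all: bool = False) -> str:
    """Step 4: reverse-resolve the address; for same-domain hosts (or every host with -a)
    confirm that the name maps back to the address, else 'Host address mismatch.'"""
    name = reverse(addr)
    if name is None:
        return addr          # fall back to the dot-notation address
    same_domain = name.lower().split(".")[-2:] == server_domain.lower().split(".")[-2:]
    if (same_domain or verify_all) and addr not in forward(name):
        raise RshProtocolError("Host address mismatch.")
    return name


def error_reply(exc: RshProtocolError) -> bytes:
    """DIAGNOSTICS: a leading byte of value 1 marks an error (the trailing newline is an assumption)."""
    return b"\x01" + str(exc).encode("ascii") + b"\n"


def handle_request(payload: bytes, source_port: int, addr: str, server_domain: str,
                   reverse, forward, verify_all: bool = False) -> bytes:
    """Run steps 1-7 and return what would be written back on the initial socket:
    b"" when the connection is aborted outright, an error reply, or SUCCESS_REPLY."""
    if not check_source_port(source_port):
        return b""
    try:
        resolve_client_host(addr, server_domain, reverse, forward, verify_all)
        parse_request(payload)
    except RshProtocolError as exc:
        return error_reply(exc)
    return SUCCESS_REPLY


# Constructed lookup tables standing in for gethostbyaddr(3)/gethostbyname(3).
REVERSE_TABLE = {"10.0.0.5": "trusted.example.com", "10.0.0.6": "spoofed.example.com"}
FORWARD_TABLE = {"trusted.example.com": ["10.0.0.5"], "spoofed.example.com": ["10.0.0.9"]}


def table_reverse(addr: str) -> Optional[str]:
    return REVERSE_TABLE.get(addr)


def table_forward(name: str) -> list:
    return FORWARD_TABLE.get(name, [])


if __name__ == "__main__":
    sample = b"1023\0alice\0alice\0uptime\0"   # constructed request: stderr port, locuser, ruser, command
    print(parse_request(sample))
    print(handle_request(sample, 1022, "10.0.0.6", "srv.example.com", table_reverse, table_forward))
```

The resolvers are injected so the same-domain and address-verification branches can be exercised offline; a real deployment would hand in the libc lookups, and the mismatch case shows why the forward confirmation in step 4 matters when the reverse record is under someone else's control.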
.Pp
Transport-level keepalive messages are enabled unless the
.Fl n
option is present.
The use of keepalive messages allows sessions to be timed out
if the client crashes or becomes unreachable.
.Pp
The
.Fl L
option causes all successful accesses to be logged to
.Xr syslogd 8
as
.Li auth.info
messages.
.Sh DIAGNOSTICS
Except for the last one listed below,
all diagnostic messages
are returned on the initial socket,
after which any network connections are closed.
An error is indicated by a leading byte with a value of
1 (0 is returned in step 10 above upon successful completion
of all the steps prior to the execution of the login shell).
.Bl -tag -width indent
.It Sy Locuser too long.
The name of the user on the client's machine is
longer than 16 characters.
.It Sy Ruser too long.
The name of the user on the remote machine is
longer than 16 characters.
.It Sy Command too long .
The command line passed exceeds the size of the argument
list (as configured into the system).
.It Sy Login incorrect.
No password file entry for the user name existed.
.It Sy Remote directory.
The
.Xr chdir
command to the home directory failed.
.It Sy Permission denied.
The authentication procedure described above failed.
.It Sy Can't make pipe.
The pipe needed for the
.Em stderr ,
wasn't created.
.It Sy Can't fork; try again.
A
.Xr fork
by the server failed.
.It Sy <shellname>: ...
The user's login shell could not be started.  This message is returned
on the connection associated with the
.Em stderr ,
and is not preceded by a flag byte.
.El
.Sh SEE ALSO
.Xr rsh 1 ,
.Xr rcmd 3 ,
.Xr ruserok 3
.Sh BUGS
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium.  This is
insecure, but is useful in an ``open'' environment.
.Pp
A facility to allow all data exchanges to be encrypted should be
present.
.Pp
A more extensible protocol (such as Telnet) should be used.