
Annotation of src/libexec/rshd/rshd.8, Revision 1.11

1.11    ! wiz         1: .\"    $NetBSD: rshd.8,v 1.10 2000/05/30 05:21:49 itojun Exp $
1.5       mrg         2: .\"
1.4       cgd         3: .\" Copyright (c) 1983, 1989, 1991, 1993
                      4: .\"    The Regents of the University of California.  All rights reserved.
1.1       cgd         5: .\"
                      6: .\" Redistribution and use in source and binary forms, with or without
                      7: .\" modification, are permitted provided that the following conditions
                      8: .\" are met:
                      9: .\" 1. Redistributions of source code must retain the above copyright
                     10: .\"    notice, this list of conditions and the following disclaimer.
                     11: .\" 2. Redistributions in binary form must reproduce the above copyright
                     12: .\"    notice, this list of conditions and the following disclaimer in the
                     13: .\"    documentation and/or other materials provided with the distribution.
                     14: .\" 3. All advertising materials mentioning features or use of this software
                     15: .\"    must display the following acknowledgement:
                     16: .\"    This product includes software developed by the University of
                     17: .\"    California, Berkeley and its contributors.
                     18: .\" 4. Neither the name of the University nor the names of its contributors
                     19: .\"    may be used to endorse or promote products derived from this software
                     20: .\"    without specific prior written permission.
                     21: .\"
                     22: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
                     23: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
                     24: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
                     25: .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
                     26: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
                     27: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
                     28: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
                     29: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
                     30: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
                     31: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
                     32: .\" SUCH DAMAGE.
                     33: .\"
1.4       cgd        34: .\"     from: @(#)rshd.8       8.1 (Berkeley) 6/4/93
1.1       cgd        35: .\"
1.9       mjl        36: .Dd January 22, 2000
1.1       cgd        37: .Dt RSHD 8
1.8       garbled    38: .Os
1.1       cgd        39: .Sh NAME
                     40: .Nm rshd
                     41: .Nd remote shell server
                     42: .Sh SYNOPSIS
1.6       enami      43: .Nm
1.3       cgd        44: .Op Fl alnL
1.1       cgd        45: .Sh DESCRIPTION
                     46: The
1.6       enami      47: .Nm
1.1       cgd        48: server
1.11    ! wiz        49: is the server for the
1.1       cgd        50: .Xr rcmd 3
                     51: routine and, consequently, for the
                     52: .Xr rsh 1
                     53: program.  The server provides remote execution facilities
                     54: with authentication based on privileged port numbers from trusted hosts.
                     55: .Pp
                     56: The
1.6       enami      57: .Nm
1.1       cgd        58: server
                     59: listens for service requests at the port indicated in
                     60: the ``cmd'' service specification; see
                     61: .Xr services 5 .
                     62: When a service request is received the following protocol
                     63: is initiated:
                     64: .Bl -enum
                     65: .It
                     66: The server checks the client's source port.
                     67: If the port is not in the range 512-1023, the server
                     68: aborts the connection.
                     69: .It
                     70: The server reads characters from the socket up
                     71: to a null (`\e0') byte.  The resultant string is
                     72: interpreted as an
                     73: .Tn ASCII
                     74: number, base 10.
                     75: .It
                     76: If the number received in step 2 is non-zero,
                     77: it is interpreted as the port number of a secondary
1.11    ! wiz        78: stream to be used for the
1.1       cgd        79: .Em stderr .
                     80: A second connection is then created to the specified
                     81: port on the client's machine.  The source port of this
                     82: second connection is also in the range 512-1023.
                     83: .It
                     84: The server checks the client's source address
                     85: and requests the corresponding host name (see
                     86: .Xr gethostbyaddr 3 ,
                     87: .Xr hosts 5
                     88: and
                     89: .Xr named 8 ) .
                     90: If the hostname cannot be determined,
                     91: the dot-notation representation of the host address is used.
                     92: If the hostname is in the same domain as the server (according to
                     93: the last two components of the domain name),
                     94: or if the
                     95: .Fl a
                     96: option is given,
                     97: the addresses for the hostname are requested,
                     98: verifying that the name and address correspond.
                     99: If address verification fails, the connection is aborted
                    100: with the message, ``Host address mismatch.''
                    101: .It
                    102: A null terminated user name of at most 16 characters
                    103: is retrieved on the initial socket.  This user name
                    104: is interpreted as the user identity on the
                    105: .Em client Ns 's
                    106: machine.
                    107: .It
                    108: A null terminated user name of at most 16 characters
                    109: is retrieved on the initial socket.  This user name
                    110: is interpreted as a user identity to use on the
                    111: .Sy server Ns 's
                    112: machine.
                    113: .It
                    114: A null terminated command to be passed to a
                    115: shell is retrieved on the initial socket.  The length of
                    116: the command is limited by the upper bound on the size of
1.11    ! wiz       117: the system's argument list.
1.1       cgd       118: .It
1.6       enami     119: .Nm
1.1       cgd       120: then validates the user using
                    121: .Xr ruserok 3 ,
                    122: which uses the file
                    123: .Pa /etc/hosts.equiv
                    124: and the
                    125: .Pa .rhosts
                    126: file found in the user's home directory.  The
                    127: .Fl l
                    128: option prevents
                    129: .Xr ruserok 3
                    130: from doing any validation based on the user's ``.rhosts'' file,
                    131: unless the user is the superuser.
                    132: .It
1.11    ! wiz       133: If the file
1.4       cgd       134: .Pa /etc/nologin
                    135: exists and the user is not the superuser,
                    136: the connection is closed.
                    137: .It
1.1       cgd       138: A null byte is returned on the initial socket
                    139: and the command line is passed to the normal login
                    140: shell of the user.  The
                    141: shell inherits the network connections established
                    142: by
1.6       enami     143: .Nm "" .
1.3       cgd       144: .El
1.1       cgd       145: .Pp
                    146: Transport-level keepalive messages are enabled unless the
                    147: .Fl n
                    148: option is present.
                    149: The use of keepalive messages allows sessions to be timed out
                    150: if the client crashes or becomes unreachable.
1.3       cgd       151: .Pp
1.4       cgd       152: The
1.3       cgd       153: .Fl L
                    154: option causes all successful accesses to be logged to
                    155: .Xr syslogd 8
                    156: as
                    157: .Li auth.info
1.4       cgd       158: messages.
1.1       cgd       159: .Sh DIAGNOSTICS
                    160: Except for the last one listed below,
                    161: all diagnostic messages
                    162: are returned on the initial socket,
                    163: after which any network connections are closed.
                    164: An error is indicated by a leading byte with a value of
1.4       cgd       165: 1 (0 is returned in step 10 above upon successful completion
1.1       cgd       166: of all the steps prior to the execution of the login shell).
                    167: .Bl -tag -width indent
                    168: .It Sy Locuser too long.
                    169: The name of the user on the client's machine is
                    170: longer than 16 characters.
                    171: .It Sy Ruser too long.
                    172: The name of the user on the remote machine is
                    173: longer than 16 characters.
                    174: .It Sy Command too long.
                    175: The command line passed exceeds the size of the argument
                    176: list (as configured into the system).
                    177: .It Sy Login incorrect.
                    178: No password file entry for the user name existed.
                    179: .It Sy Remote directory.
1.11    ! wiz       180: The
1.7       fair      181: .Xr chdir 2
                    182: to the home directory failed.
1.1       cgd       183: .It Sy Permission denied.
                    184: The authentication procedure described above failed.
                    185: .It Sy Can't make pipe.
1.11    ! wiz       186: The pipe needed for the
1.1       cgd       187: .Em stderr ,
                    188: wasn't created.
1.11    ! wiz       189: .It Sy Can't fork; try again.
1.1       cgd       190: A
1.7       fair      191: .Xr fork 2
1.1       cgd       192: by the server failed.
                    193: .It Sy <shellname>: ...
                    194: The user's login shell could not be started.  This message is returned
                    195: on the connection associated with the
                    196: .Em stderr ,
                    197: and is not preceded by a flag byte.
                    198: .El
                    199: .Sh SEE ALSO
                    200: .Xr rsh 1 ,
                    201: .Xr rcmd 3 ,
1.9       mjl       202: .Xr ruserok 3 ,
                    203: .Xr login.conf 5
1.1       cgd       204: .Sh BUGS
                    205: The authentication procedure used here assumes the integrity
                    206: of each client machine and the connecting medium.  This is
                    207: insecure, but is useful in an ``open'' environment.
                    208: .Pp
                    209: A facility to allow all data exchanges to be encrypted should be
                    210: present.
                    211: .Pp
                    212: A more extensible protocol (such as Telnet) should be used.
1.10      itojun    213: .Pp
                    214: .Nm
                    215: intentionally rejects accesses from IPv4 mapped addresses on top of an
                    216: .Dv AF_INET6
                    217: socket, since IPv4 mapped addresses complicate host-address based
                    218: authentication.
                    219: If you would like to accept connections from IPv4 peers, you will need to run
                    220: .Nm
                    221: on top of an
                    222: .Dv AF_INET
                    223: socket, not an
                    224: .Dv AF_INET6
                    225: socket.
