Annotation of src/libexec/rshd/rshd.8, Revision 1.13
1.13 ! wiz 1: .\" $NetBSD: rshd.8,v 1.12 2002/02/08 01:30:08 ross Exp $
1.5 mrg 2: .\"
1.4 cgd 3: .\" Copyright (c) 1983, 1989, 1991, 1993
4: .\" The Regents of the University of California. All rights reserved.
1.1 cgd 5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
14: .\" 3. All advertising materials mentioning features or use of this software
15: .\" must display the following acknowledgement:
16: .\" This product includes software developed by the University of
17: .\" California, Berkeley and its contributors.
18: .\" 4. Neither the name of the University nor the names of its contributors
19: .\" may be used to endorse or promote products derived from this software
20: .\" without specific prior written permission.
21: .\"
22: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: .\" SUCH DAMAGE.
33: .\"
1.4 cgd 34: .\" from: @(#)rshd.8 8.1 (Berkeley) 6/4/93
1.1 cgd 35: .\"
1.9 mjl 36: .Dd January 22, 2000
1.1 cgd 37: .Dt RSHD 8
1.8 garbled 38: .Os
1.1 cgd 39: .Sh NAME
40: .Nm rshd
41: .Nd remote shell server
42: .Sh SYNOPSIS
1.6 enami 43: .Nm
1.3 cgd 44: .Op Fl alnL
1.1 cgd 45: .Sh DESCRIPTION
46: The
1.6 enami 47: .Nm
1.13 ! wiz 48: server is the server for the
1.1 cgd 49: .Xr rcmd 3
50: routine and, consequently, for the
51: .Xr rsh 1
1.13 ! wiz 52: program.
! 53: The server provides remote execution facilities
1.1 cgd 54: with authentication based on privileged port numbers from trusted hosts.
55: .Pp
56: The
1.6 enami 57: .Nm
1.13 ! wiz 58: server listens for service requests at the port indicated in
1.1 cgd 59: the ``cmd'' service specification; see
60: .Xr services 5 .
61: When a service request is received the following protocol
62: is initiated:
63: .Bl -enum
64: .It
65: The server checks the client's source port.
66: If the port is not in the range 512-1023, the server
67: aborts the connection.
68: .It
69: The server reads characters from the socket up
1.13 ! wiz 70: to a null (`\e0') byte.
! 71: The resultant string is interpreted as an
1.1 cgd 72: .Tn ASCII
73: number, base 10.
74: .It
75: If the number received in step 2 is non-zero,
76: it is interpreted as the port number of a secondary
1.11 wiz 77: stream to be used for the
1.1 cgd 78: .Em stderr .
79: A second connection is then created to the specified
1.13 ! wiz 80: port on the client's machine.
! 81: The source port of this
1.1 cgd 82: second connection is also in the range 512-1023.
83: .It
84: The server checks the client's source address
85: and requests the corresponding host name (see
86: .Xr gethostbyaddr 3 ,
87: .Xr hosts 5
88: and
89: .Xr named 8 ) .
90: If the hostname cannot be determined,
91: the dot-notation representation of the host address is used.
92: If the hostname is in the same domain as the server (according to
1.13 ! wiz 93: the last two components of the domain name), or if the
1.1 cgd 94: .Fl a
95: option is given,
96: the addresses for the hostname are requested,
97: verifying that the name and address correspond.
98: If address verification fails, the connection is aborted
99: with the message, ``Host address mismatch.''
100: .It
101: A null terminated user name of at most 16 characters
1.13 ! wiz 102: is retrieved on the initial socket.
! 103: This user name is interpreted as the user identity on the
1.1 cgd 104: .Em client Ns 's
105: machine.
106: .It
107: A null terminated user name of at most 16 characters
1.13 ! wiz 108: is retrieved on the initial socket.
! 109: This user name is interpreted as a user identity to use on the
1.1 cgd 110: .Sy server Ns 's
111: machine.
112: .It
113: A null terminated command to be passed to a
1.13 ! wiz 114: shell is retrieved on the initial socket.
! 115: The length of the command is limited by the upper
! 116: bound on the size of the system's argument list.
1.1 cgd 117: .It
1.6 enami 118: .Nm
1.1 cgd 119: then validates the user using
120: .Xr ruserok 3 ,
121: which uses the file
122: .Pa /etc/hosts.equiv
123: and the
124: .Pa .rhosts
1.13 ! wiz 125: file found in the user's home directory.
! 126: The
1.1 cgd 127: .Fl l
128: option prevents
129: .Xr ruserok 3
130: from doing any validation based on the user's ``.rhosts'' file,
131: unless the user is the superuser.
132: .It
1.11 wiz 133: If the file
1.4 cgd 134: .Pa /etc/nologin
135: exists and the user is not the superuser,
136: the connection is closed.
137: .It
1.1 cgd 138: A null byte is returned on the initial socket
139: and the command line is passed to the normal login
1.13 ! wiz 140: shell of the user.
! 141: The shell inherits the network connections established by
1.6 enami 142: .Nm "" .
1.3 cgd 143: .El
1.1 cgd 144: .Pp
145: Transport-level keepalive messages are enabled unless the
146: .Fl n
147: option is present.
148: The use of keepalive messages allows sessions to be timed out
149: if the client crashes or becomes unreachable.
1.3 cgd 150: .Pp
1.4 cgd 151: The
1.3 cgd 152: .Fl L
153: option causes all successful accesses to be logged to
154: .Xr syslogd 8
155: as
156: .Li auth.info
1.4 cgd 157: messages.
1.1 cgd 158: .Sh DIAGNOSTICS
159: Except for the last one listed below,
160: all diagnostic messages
161: are returned on the initial socket,
162: after which any network connections are closed.
163: An error is indicated by a leading byte with a value of
1.4 cgd 164: 1 (0 is returned in step 10 above upon successful completion
1.1 cgd 165: of all the steps prior to the execution of the login shell).
166: .Bl -tag -width indent
167: .It Sy Locuser too long.
168: The name of the user on the client's machine is
169: longer than 16 characters.
170: .It Sy Ruser too long.
171: The name of the user on the remote machine is
172: longer than 16 characters.
173: .It Sy Command too long .
174: The command line passed exceeds the size of the argument
175: list (as configured into the system).
176: .It Sy Login incorrect.
177: No password file entry for the user name existed.
178: .It Sy Remote directory.
1.11 wiz 179: The
1.7 fair 180: .Xr chdir 2
181: to the home directory failed.
1.1 cgd 182: .It Sy Permission denied.
183: The authentication procedure described above failed.
184: .It Sy Can't make pipe.
1.11 wiz 185: The pipe needed for the
1.1 cgd 186: .Em stderr ,
187: wasn't created.
1.11 wiz 188: .It Sy Can't fork; try again.
1.1 cgd 189: A
1.7 fair 190: .Xr fork 2
1.1 cgd 191: by the server failed.
1.12 ross 192: .It Sy \*[Lt]shellname\*[Gt]: ...
1.13 ! wiz 193: The user's login shell could not be started.
! 194: This message is returned on the connection associated with the
1.1 cgd 195: .Em stderr ,
196: and is not preceded by a flag byte.
197: .El
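The request layout described in protocol steps 1, 2 and 5 through 7 above, together with the reply framing this DIAGNOSTICS section describes, as an added example in C that is not part of rshd or NetBSD. It decodes the initial-socket bytes (secondary-stream port, client user, server user, command), aborts on an unprivileged source port, enforces the 16-character user-name limit, and builds the reply as a lone 0 byte or a 1 byte followed by the diagnostic text. The names rsh_request, rsh_parse_request and rsh_reply, the 4096-byte stand-in for the system's argument-list bound, and the treatment of a malformed port string as an abort are assumptions; the sample request is constructed. Host-name verification and ruserok(3) are outside this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not rshd's own code.  All names are assumptions. */
#define RSH_MAX_USER 16     /* steps 5 and 6: at most 16 characters */
#define RSH_MAX_CMD  4096   /* assumed stand-in for the argument-list bound */

enum rsh_status {
    RSH_OK,      /* all fields decoded; reply with a 0 byte */
    RSH_ABORT,   /* connection dropped with no diagnostic (as in step 1) */
    RSH_ERROR    /* reply with a 1 byte followed by a diagnostic */
};

struct rsh_request {
    int  stderr_port;                  /* step 2; 0 means no secondary stream */
    char locuser[RSH_MAX_USER + 1];    /* step 5: identity on the client */
    char ruser[RSH_MAX_USER + 1];      /* step 6: identity requested on the server */
    char command[RSH_MAX_CMD + 1];     /* step 7: command for the login shell */
};

/* Step 1: the client must connect from a privileged port. */
int rsh_port_ok(int src_port)
{
    return src_port >= 512 && src_port <= 1023;
}

/* Copy the next NUL-terminated field of buf[*off..len) into out.
 * Returns its length, -1 if no terminator was found, -2 if longer than max. */
static int take_field(const unsigned char *buf, size_t len, size_t *off,
                      char *out, size_t max)
{
    size_t start = *off, i;
    for (i = start; i < len; i++) {
        if (buf[i] != '\0')
            continue;
        if (i - start > max)
            return -2;
        memcpy(out, buf + start, i - start);
        out[i - start] = '\0';
        *off = i + 1;
        return (int)(i - start);
    }
    return -1;
}

enum rsh_status rsh_parse_request(const unsigned char *buf, size_t len,
                                  int src_port, struct rsh_request *req,
                                  const char **err)
{
    char portstr[16];
    size_t off = 0;
    int n, i;

    memset(req, 0, sizeof *req);
    *err = NULL;
    if (!rsh_port_ok(src_port))
        return RSH_ABORT;
    /* Step 2: ASCII base-10 number up to the first NUL. */
    n = take_field(buf, len, &off, portstr, sizeof portstr - 1);
    if (n < 0)
        return RSH_ABORT;   /* assumption: malformed port handled like step 1 */
    for (i = 0; i < n; i++)
        if (portstr[i] < '0' || portstr[i] > '9')
            return RSH_ABORT;
    req->stderr_port = n > 0 ? atoi(portstr) : 0;
    /* Steps 5-7: two user names and the command, each NUL terminated. */
    n = take_field(buf, len, &off, req->locuser, RSH_MAX_USER);
    if (n == -2) { *err = "Locuser too long."; return RSH_ERROR; }
    if (n < 0) return RSH_ABORT;
    n = take_field(buf, len, &off, req->ruser, RSH_MAX_USER);
    if (n == -2) { *err = "Ruser too long."; return RSH_ERROR; }
    if (n < 0) return RSH_ABORT;
    n = take_field(buf, len, &off, req->command, RSH_MAX_CMD);
    if (n == -2) { *err = "Command too long."; return RSH_ERROR; }
    if (n < 0) return RSH_ABORT;
    return RSH_OK;
}

/* DIAGNOSTICS framing: a lone 0 byte on success, or a 1 byte followed by
 * the message text.  Returns the number of bytes to send (0 when aborting). */
size_t rsh_reply(enum rsh_status st, const char *err,
                 unsigned char *out, size_t outlen)
{
    size_t m;
    if (st == RSH_OK && outlen >= 1) { out[0] = 0; return 1; }
    if (st != RSH_ERROR || err == NULL || outlen < 2)
        return 0;
    m = strlen(err);
    if (m > outlen - 1)
        m = outlen - 1;
    out[0] = 1;
    memcpy(out + 1, err, m);
    return 1 + m;
}

int main(void)
{
    /* Constructed sample: stderr port 1023, users "alice"/"alice", command "uptime". */
    const unsigned char sample[] = "1023\0alice\0alice\0uptime\0";
    struct rsh_request req;
    const char *err;
    unsigned char reply[128];
    enum rsh_status st = rsh_parse_request(sample, sizeof sample - 1, 1022, &req, &err);
    size_t n = rsh_reply(st, err, reply, sizeof reply);
    printf("status=%d stderr_port=%d locuser=%s ruser=%s command=%s reply_bytes=%zu\n",
           (int)st, req.stderr_port, req.locuser, req.ruser, req.command, n);
    return 0;
}
```

The parser reads from a buffer rather than a socket so the checks can be exercised offline; a daemon would feed it the bytes read on the initial connection and send back whatever rsh_reply produces before closing on anything other than RSH_OK.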
.Sh SEE ALSO
.Xr rsh 1 ,
.Xr rcmd 3 ,
.Xr ruserok 3 ,
.Xr login.conf 5
.Sh BUGS
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium.
This is insecure, but is useful in an ``open'' environment.
.Pp
A facility to allow all data exchanges to be encrypted should be
present.
.Pp
A more extensible protocol (such as Telnet) should be used.
.Pp
.Nm
intentionally rejects accesses from IPv4 mapped addresses on top of an
.Dv AF_INET6
socket, since IPv4 mapped addresses complicate
host-address based authentication.
If you would like to accept connections from IPv4 peers, you will need to run
.Nm
on top of an
.Dv AF_INET
socket, not an
.Dv AF_INET6
socket.
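The two host-based decisions the manual describes, the "same domain" test of protocol step 4 (last two components of the domain name) and the refusal of IPv4 mapped peers on an AF_INET6 socket from this BUGS section, as an added example in C that is not rshd's own code. The names rsh_same_domain, rsh_peer_acceptable and rsh_peer_from_text are assumptions, as is the case-insensitive comparison and the rule that a name with fewer than two components never matches; the peer addresses in main() are constructed from documentation ranges. The mapped-address test uses the standard IN6_IS_ADDR_V4MAPPED macro from <netinet/in.h>.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added illustration, not rshd's own code.  All names are assumptions. */

/* Point at the last two dot-separated labels of name, or NULL if fewer. */
static const char *last_two_labels(const char *name)
{
    const char *p = name + strlen(name);
    int dots = 0;
    while (p > name) {
        if (p[-1] == '.' && ++dots == 2)
            return p;
        p--;
    }
    return dots == 1 ? name : NULL;
}

/* Step 4: the client is in the server's domain when the last two
 * components of the two names match (case-insensitively, as DNS names do).
 * Assumption: names with fewer than two components never match. */
int rsh_same_domain(const char *client, const char *server)
{
    const char *a = last_two_labels(client), *b = last_two_labels(server);
    if (a == NULL || b == NULL)
        return 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* BUGS: on an AF_INET6 listener a peer with an IPv4 mapped address
 * (::ffff:a.b.c.d) is refused; native IPv6 and plain AF_INET peers pass. */
int rsh_peer_acceptable(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return 1;
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        return !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr);
    }
    return 0;
}

/* Demo helper: build a sockaddr from its text form.  Returns 1 on success. */
int rsh_peer_from_text(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { s4->sin_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { s6->sin6_family = AF_INET6; return 1; }
    return 0;
}

/* 1 = accept, 0 = refuse, -1 = not a parsable address. */
int rsh_peer_text_acceptable(const char *text)
{
    struct sockaddr_storage ss;
    if (!rsh_peer_from_text(text, &ss))
        return -1;
    return rsh_peer_acceptable((const struct sockaddr *)&ss);
}

int main(void)
{
    /* Constructed sample peers from documentation address ranges. */
    const char *peers[] = { "192.0.2.1", "2001:db8::1", "::ffff:192.0.2.1" };
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s -> %s\n", peers[i],
               rsh_peer_text_acceptable(peers[i]) == 1 ? "accept" : "refuse");
    printf("same domain(host.example.org, srv.EXAMPLE.org) = %d\n",
           rsh_same_domain("host.example.org", "srv.EXAMPLE.org"));
    return 0;
}
```

In a daemon, rsh_peer_acceptable would be applied to the address returned by accept(2) before any of the protocol steps run, and rsh_same_domain to the name obtained in step 4 to decide whether the forward lookup is required.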