remshd.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

remshd(1M) remshd(1M)

NAME

remshd - remote shell server

SYNOPSIS

/usr/lbin/remshd

[-lmns]

In Kerberos V5 Network Authentication Environments

/usr/lbin/remshd

[-clmnKkRr]

DESCRIPTION

The

remshd command is the server for the

rcp, rdist and remsh commands, rcmd() and the

rcmd_af() function in case of IPv6 systems (see rcp (1), rdist (1), remsh(1), rcmd (3N), and

rcmd_af (3N)).

remshd allows two kinds of authentication methods:

1. Authentication based on privileged port numbers where the client’s source port must be in the

range 512 through 1023. In this case

remshd

assumes it is operating in normal or non-

secure environment.

2. Authentication based on Kerberos V5. In this case

remshd

assumes that it is operating in a

Kerberos V5 Network Authentication, i.e., secure environment.

The

inetd daemon invokes remshd if a service request is received at ports indicated by shell or

kshell services speciﬁed in /etc/services

(see inetd(1M) and services (4)). Service requests arriv-

ing at the

kshell port assume a secure environment and expect Kerberos authentication to take place.

To start

remshd from the inetd daemon in a non-secure environment, the conﬁguration ﬁle

/etc/inetd.conf must contain an entry as follows:

shell stream tcp nowait root /usr/lbin/remshd remshd

In a secure environment, /etc/inetd.conf

must contain an entry:

kshell stream tcp nowait root /usr/lbin/remshd remshd -K

The conﬁguration lines above will start remshd in IPv4 mode. To run remshd

in IPv6 mode, the fol-

lowing line must be present in the

/etc/inetd.conf

ﬁle:

shell stream tcp6 nowait root /usr/lbin/remshd remshd

That is, for IPv6 applications, the protocol

tcp has to be changed to tcp6. See inetd.conf (4) for more

information.

To prevent non-secure access, the entry for

shell should be commented out in /etc/inetd.conf

Any non-Kerberos access will be denied since the entry for the port indicated by

shell has now been

removed or commented out. In such a situation, a generic error message,

rcmd: connect hostname : Connection refused

is displayed. See DIAGNOSTICS for more details.

Note that by commenting out the entry for the port, access by other clients such as

rdist will also be

prevented.

Options

remshd recognizes the following options.

-l Forbid authentication based on the user’s .rhosts ﬁle unless the user is a superuser.

-n Disable transport-level keep-alive messages. Otherwise, the messages are enabled. The

keep-alive messages allow sessions to be timed out if the client crashes or becomes unreach-

able.

-m With this option enabled, remshd returns immediately after its child process gets killed; it

does not wait for all its sub child processes to die. This in turn makes remsh not wait even

when the sub child processes are running remotely. As a result, remsh will not appear hung.

It is recommended that users do not use the -m option if they want remshd to wait until the

completion of all the sub child processes. Otherwise, the user may get an unexpected result.

This option is applicable only to

remsh with a secondary socket connection.

Note that even with the

-m option enabled, remshd will exit if command standard error is

closed.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (6 pages)

PAGE 1
remshd(1M) remshd(1M) NAME remshd - remote shell server SYNOPSIS /usr/lbin/remshd [-lmns] In Kerberos V5 Network Authentication Environments /usr/lbin/remshd [-clmnKkRr] DESCRIPTION The remshd command is the server for the rcp, rdist and remsh commands, rcmd() and the rcmd_af() function in case of IPv6 systems (see rcp (1), rdist (1), remsh (1), rcmd(3N), and rcmd_af (3N)). remshd allows two kinds of authentication methods: 1.
PAGE 2
remshd(1M) -s remshd(1M) This option is used in multi-homed NIS systems. It disables remshd from doing a reverse lookup of the client’s IP address; see gethostbyname(3N). It can be used to circumvent an NIS limitation with multi-homed hosts. In a secure environment, remshd will recognize the following additional options: -c Ignore checksum verification. This option is used to achieve interoperability between clients and servers using different checksum calculation methods.
PAGE 3
remshd(1M) remshd(1M) 6. The server reads the client’s host account name from the first connection. This is a nullterminated sequence not exceeding 256 characters. 7. The server reads the server’s host account name from the first connection. This is a nullterminated sequence not exceeding 256 characters. 8. The server reads a command to be passed to the shell from the first connection. The command length is limited by the maximum size of the system’s argument list. 9.
PAGE 4
remshd(1M) remshd(1M) The first socket connection does not use a reserved port or the client’s host address is not an Internet address. Can’t get stderr port Unable to complete the connection of the secondary socket used for error communication. Second port not reserved The secondary socket connection does not use a reserved port. Locuser too long The name of the user account on the client’s host is longer than 256 characters.
PAGE 5
remshd(1M) remshd(1M) FILES $HOME/.rhosts /etc/hosts.equiv User’s private equivalence list List of equivalent hosts SEE ALSO rcp(1), rdist(1), remsh(1), inetd(1M), named(1M), gethostbyname(3N), rcmd(3N), rcmd_af(3N), hosts(4), passwd(4), security(4), services(4), sis(5). chdir(2), signal(2), gethostbyaddr(3N), hosts.equiv(4), inetd.conf(4), inetd.
PAGE 6
(Notes) A (Notes) rA 6 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010