HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)
__________________________________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________________________________________
STANDARD Printed by: Nora Chuang [nchuang] STANDARD
/build/1111/BRICK/man1m/naaagt.1m
________________________________________________________________
___ ___
r
remshd(1M) Kerberos remshd(1M)
NAME
remshd - remote shell server
SYNOPSIS
/usr/lbin/remshd [-ln]
In Kerberos V5 Network Authentication environments:
/usr/lbin/remshd [-clnKkRr]
DESCRIPTION
The remshd command is the server for the rcp, rdist and remsh commands, and the rcmd() func-
tion (see rcp(1), rdist(1), remsh(1), and rcmd(3N)).
remshd allows two kinds of authentication methods:
1. Authentication based on privileged port numbers where the client’s source port must be in the
range 512 through 1023. In this case remshd assumes it is operating in normal or non-secure
environment.
2. Authentication based on Kerberos V5. In this case
remshd assumes it is operating in a Ker-
beros V5 Network Authentication, i.e., secure environment.
The inetd daemon invokes
remshd if a service request is received at ports indicated by shell or
kshell services specified in /etc/services
(see inetd(1M) and services(4)). Service requests arriv-
ing at the
kshell port assume a secure environment and expect Kerberos authentication to take place.
To start remshd from the inetd daemon in a non-secure environment, the configuration file
/etc/inetd.conf must contain an entry as follows:
shell stream tcp nowait root /usr/lbin/remshd remshd
In a secure environment, /etc/inetd.conf
must contain an entry:
kshell stream tcp nowait root /usr/lbin/remshd remshd -K
See inetd.conf(4) for more information.
To prevent non-secure access, the entry for shell should be commented out in /etc/inetd.conf
.
Any non-Kerberos access will be denied since the entry for the port indicated by
shell has now been
removed or commented out. In a such a situation, a generic error message,
rcmd: connect <hostname> : Connection refused
is displayed. See DIAGNOSTICS for more details. Note: by commenting out the entry for the port, access
by other clients such as
rdist will also be prevented.
Options
remshd recognizes the following options.
-c Ignore checksum verification. This option is used to achieve interoperability between clients and
servers using different checksum calculation methods. For example, the checksum calculation in
a application developed with Kerberos V5 Beta 4 API is different from the calculation in a Ker-
beros V5-1.0 application.
-l Disallow authentication based on the user’s
.rhosts file unless the user is a superuser.
-n Disable transport-level keep-alive messages. Otherwise, the messages are enabled. The keep-
alive messages allow sessions to be timed out if the client crashes or becomes unreachable.
In a secure environment, remshd will recognize the following additional options:
-K Authorization based on Kerberos V5 must succeed or access will be rejected. (see sis(5) for
details on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
Section 1M−−698 − 1 − HP-UX Release 11i: December 2000
___
___