HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)

remshd(1M) Kerberos remshd(1M)
2. Authorization based on Kerberos V5.
-k   Either one of the following must succeed. The order in which the authorization checks are done is as specified below.
     1. Authorization based on Kerberos V5.
     2. Authentication based on privileged port numbers and authorization of the remote user through equivalent accounts.

Note: The -k option is ignored when used with -K, and the -r option is ignored when used with -R. Also, if no options are specified, the default option is -K.
Operation
When remshd receives a service request, it responds with the following protocol:

1. The server checks the client's source port. If the port is not a privileged port, i.e., in the range 512 through 1023, and remshd is operating in a non-secure environment, the connection is terminated. In a secure environment, the action taken depends on the command line options:
   -R   The source port must be a privileged port; otherwise the connection is terminated.
   -r   If the source port is not a privileged port, then authorization based on Kerberos must succeed or the connection is terminated.
   -k   The source port must be a privileged port if Kerberos authorization fails.
   -K   No action is taken.
2. The server reads characters from the connection up to a null (\0) byte. It interprets the resulting string as an ASCII number, base 10.
3. If the number is non-zero, it is interpreted as the port number of a secondary stream to be used for standard error. A second connection is then created to the specified port on the client's host. (The source port of this second connection will also be checked as specified in item 1.) If the first character sent is a null (\0), no secondary connection is made, and the standard error from the command is sent to the primary stream. If the secondary connection has been made, remshd interprets bytes it receives on that socket as signal numbers and passes them to the command as signals. See signal(2).
4. The server checks the client's source address and requests the corresponding host name (see named(1M), gethostbyaddr(3N), and hosts(4)). If it cannot determine the hostname, it uses the dot-notation representation of the host address.
5. In a secure environment, remshd performs authentication based on Kerberos V5. See sis(5) for details.
6. The server reads the client's host account name from the first connection. This is a null-terminated sequence not exceeding 16 characters.
7. The server reads the server's host account name from the first connection. This is a null-terminated sequence not exceeding 16 characters.
8. The server reads a command to be passed to the shell from the first connection. The command length is limited by the maximum size of the system's argument list.
9. remshd then validates the user as follows (all actions take place on the host remshd runs on):
   a. It looks up the user account name (retrieved in step 6) in the password file. If it finds it, it performs a chdir() to either the user's home directory, if there is one, or to "/".
   b. If either the lookup or chdir() fails, the connection is terminated (see chdir(2)).
   c. The connection is also terminated if
      - the account accessed is administratively locked. The account can be locked by entering a character in the password field that is not part of the set of digits (such as *). The characters used to represent "digits" are . for 0, / for 1, 0 through 9 for 2 through 11, A through Z for 12 through 37, and a through z for 38 through 63. (See also passwd(4)).
      - in a non-secure environment, the account accessed is protected by a password and either the password expired or the account on the client's host is not equivalent to the account accessed.
HP-UX Release 11i: December 2000    - 2 -    Section 1M-699
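As an added illustration of the request format described in steps 1 through 9 above (example code written for this page, not part of the HP-UX manual or of remshd itself), the following Python parses the null-terminated fields of a remshd request, applies the privileged-port range from step 1 and the 16-character account-name limit from steps 6 and 7, and implements the locked-account test from step 9c using the 64-character "digit" set. The function names and the sample request bytes are constructed for the example.

```python
# Added example (not from the HP-UX manual): parses the request stream
# described in steps 2, 6, 7 and 8 of the remshd protocol, applies the
# privileged-port check from step 1 and the locked-account test from step 9c.
# Function names and the constructed sample request are assumptions.

PRIV_PORT_RANGE = range(512, 1024)          # step 1: "privileged" source ports
ACCOUNT_MAX = 16                            # steps 6 and 7: account name limit
# step 9c: the 64 characters that count as "digits" in a password field
PASSWD_DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def is_privileged_port(port):
    return port in PRIV_PORT_RANGE


def _next_field(buf, pos):
    """Return (field, new_pos) for the null-terminated string starting at pos."""
    end = buf.index(b"\0", pos)             # ValueError if unterminated: malformed request
    return buf[pos:end].decode("ascii"), end + 1


def parse_request(buf):
    """Split a remshd request into stderr port, account names and command."""
    port_str, pos = _next_field(buf, 0)
    stderr_port = int(port_str) if port_str else 0   # step 3: leading \0 -> no second stream
    client_user, pos = _next_field(buf, pos)         # step 6
    server_user, pos = _next_field(buf, pos)         # step 7
    command, pos = _next_field(buf, pos)             # step 8
    for name in (client_user, server_user):
        if len(name) > ACCOUNT_MAX:
            raise ValueError("account name exceeds %d characters" % ACCOUNT_MAX)
    return {"stderr_port": stderr_port, "client_user": client_user,
            "server_user": server_user, "command": command}


def is_locked(passwd_field):
    """Step 9c: any character outside the digit set (e.g. '*') locks the account."""
    return any(c not in PASSWD_DIGITS for c in passwd_field)


# Constructed sample: secondary stream on port 1022, then the two account
# names and a command, each null-terminated.
SAMPLE = b"1022\0alice\0alice\0uname -a\0"

if __name__ == "__main__":
    print(parse_request(SAMPLE))
    print(is_privileged_port(1022), is_locked("*"), is_locked("x9Zy/.A"))
```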