HP-UX Reference (11i v1 05/09) - 1M System Administration Commands N-Z (vol 4)
remshd(1M) remshd(1M)
limitation with multi-homed hosts.
-t This option disables remshd from logging client connections to the /var/adm/wtmp file
when the client does not use a secondary stream. Examples of clients which do not use a
secondary stream include HP-UX’s rcp and rdist.
In a Kerberized environment, this option is useful only when authentication occurs based on
privileged port numbers and authorization of the remote user occurs using equivalent accounts.
Such authentication and authorization occur if an option such as -R is used in the
/etc/inetd.conf file. The -t option is ineffective in a default Kerberos setup where only
the -K option is used in the /etc/inetd.conf file.
In a secure environment, remshd will recognize the following additional options:
Note: These options are not supported in an IPv6 environment.
-c Ignore checksum verification. This option is used to achieve interoperability between clients and
servers using different checksum calculation methods. For example, the checksum calculation in
an application developed with the Kerberos V5 Beta 4 API is different from the calculation in a
Kerberos V5-1.0 application.
-K Authorization based on Kerberos V5 must succeed or access will be rejected (see sis(5) for details
on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used with
-R. The default option is -K.
Operation
When remshd receives a service request, it responds with the following protocol:
1. The server checks the client’s source port. If the port is not a privileged port (that is, a port
in the range 512 through 1023) and remshd is operating in a non-secure environment, the connection
is terminated. In a secure environment, the action taken depends on the command line options:
-R The source port must be a privileged port; otherwise the connection is terminated.
-r If the source port is not a privileged port then authorization based on Kerberos must
succeed or the connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. The server reads characters from the connection up to a null (\0) byte. It interprets the
resulting string as an ASCII number, base 10.
3. If the number is non-zero, it is interpreted as the port number of a secondary stream to be used
for standard error. A second connection is then created to the specified port on the client’s host.
(The source port of this second connection will also be checked as specified in item 1.) If the first
character sent is a null (\0), no secondary connection is made, and the standard error from the
command is sent to the primary stream. If the secondary connection has been made, remshd
interprets bytes it receives on that socket as signal numbers and passes them to the command as
signals. See signal(2).
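The source-port decision in step 1 and the port-field parsing in steps 2 and 3, as an added C example (not HP's remshd code). The names source_port_allowed and parse_stderr_port, the enum, and the input bounds (five digits, maximum 65535) are assumptions of the example.

```c
#include <stddef.h>

/* Modes from the page: non-secure operation, or one of -R, -r, -k, -K. */
enum mode { NONSECURE, OPT_R, OPT_r, OPT_k, OPT_K };

/* Privileged range exactly as the page states it (512 through 1023). */
static int is_privileged(int port) { return port >= 512 && port <= 1023; }

/* Step 1: returns 1 if the connection may continue, 0 if it is terminated.
 * kerberos_ok is the result of Kerberos V5 authorization (ignored for
 * NONSECURE and -R). For -K this step takes no action; per the option
 * description, Kerberos authorization must still succeed separately. */
int source_port_allowed(enum mode m, int src_port, int kerberos_ok)
{
    switch (m) {
    case NONSECURE:
    case OPT_R: return is_privileged(src_port);
    case OPT_r:
    case OPT_k: return is_privileged(src_port) || kerberos_ok;
    case OPT_K: return 1;
    }
    return 0; /* unknown mode: fail closed */
}

/* Steps 2-3: parse the NUL-terminated ASCII base-10 port field.
 * Returns the port (0 = no secondary stream, stderr shares the primary
 * stream) or -1 if malformed. The 5-digit limit, digit-only check and
 * 65535 ceiling are assumptions of this example, not stated on the page. */
int parse_stderr_port(const unsigned char *buf, size_t len)
{
    long port = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i] == '\0')
            return port > 65535 ? -1 : (int)port;
        if (buf[i] < '0' || buf[i] > '9' || i >= 5)
            return -1;
        port = port * 10 + (buf[i] - '0');
    }
    return -1; /* no terminating NUL within the buffer */
}
```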
Section 1M−−738 Hewlett-Packard Company − 2 − HP-UX 11i Version 1: September 2005