HP-UX Reference (11i v1 05/09) - 1M System Administration Commands N-Z (vol 4)

remshd(1M) Kerberos remshd(1M)
NAME
remshd - remote shell server

SYNOPSIS
/usr/lbin/remshd [-lmns]

In Kerberos V5 Network Authentication environments:

/usr/lbin/remshd [-clmnKkRr]

DESCRIPTION
The remshd command is the server for the rcp, rdist and remsh commands, and the rcmd() function (see rcp(1), rdist(1), remsh(1), and rcmd(3N)).

remshd allows two kinds of authentication methods:

1. Authentication based on privileged port numbers, where the client’s source port must be in the range 512 through 1023. In this case remshd assumes it is operating in a normal or non-secure environment.

2. Authentication based on Kerberos V5. In this case remshd assumes it is operating in a Kerberos V5 Network Authentication (i.e., secure) environment.

The inetd daemon invokes remshd if a service request is received at ports indicated by shell or kshell services specified in /etc/services (see inetd(1M) and services(4)). Service requests arriving at the kshell port assume a secure environment and expect Kerberos authentication to take place.

To start remshd from the inetd daemon in a non-secure environment, the configuration file /etc/inetd.conf must contain an entry as follows:

    shell stream tcp nowait root /usr/lbin/remshd remshd

In a secure environment, /etc/inetd.conf must contain an entry:

    kshell stream tcp nowait root /usr/lbin/remshd remshd -K

See inetd.conf(4) for more information.

To prevent non-secure access, the entry for shell should be commented out in /etc/inetd.conf. Any non-Kerberos access will be denied since the entry for the port indicated by shell has now been removed or commented out. In such a situation, a generic error message,

    rcmd: connect <hostname> : Connection refused

is displayed. See DIAGNOSTICS for more details. Note: by commenting out the entry for the port, access by other clients such as rdist will also be prevented.

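The /etc/inetd.conf entries described above can be checked mechanically. The following is an added example, not part of the HP-UX reference: a POSIX shell function that reads inetd.conf-format text on standard input and reports whether the non-secure shell entry is still active, whether it lacks the -l option described under Options, and whether a kshell entry with -K is present. The names audit_remshd, weak_conf and hardened_conf are hypothetical, and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example: audit inetd.conf-format text (read from stdin) for remshd entries.
# Fields, as in the entries shown above:
#   service socket proto wait user server-path argv0 [options...]
# Returns 0 only when no uncommented "shell" entry runs remshd.
audit_remshd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # blank or commented-out line
        $6 !~ /\/remshd$/    { next }        # not a remshd entry
        { opts = ""; for (i = 8; i <= NF; i++) opts = opts " " $i }
        $1 == "shell" {
            bad = 1
            printf "FAIL line %d: shell entry active, privileged-port authentication accepted\n", NR
            if (opts !~ /-[A-Za-z]*l/)
                printf "WARN line %d: no -l, user .rhosts files are honored\n", NR
        }
        $1 == "kshell" {
            if (opts ~ /-[A-Za-z]*K/) { k = 1; printf "OK line %d: kshell entry with -K\n", NR }
            else printf "WARN line %d: kshell entry without -K\n", NR
        }
        END {
            if (!k) print "WARN: no kshell entry with -K"
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample configurations (assumptions for illustration, not from a real host).
weak_conf() {
    printf '%s\n' \
        'shell stream tcp nowait root /usr/lbin/remshd remshd' \
        'kshell stream tcp nowait root /usr/lbin/remshd remshd -K'
}
hardened_conf() {
    printf '%s\n' \
        '#shell stream tcp nowait root /usr/lbin/remshd remshd' \
        'kshell stream tcp nowait root /usr/lbin/remshd remshd -K'
}

echo "== weak ==";     weak_conf | audit_remshd     || echo "result: non-Kerberos access is enabled"
echo "== hardened =="; hardened_conf | audit_remshd && echo "result: only the kshell entry is active"
```

On a host, the function can be fed the live file on standard input, for example audit_remshd < /etc/inetd.conf.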
Options
remshd recognizes the following options.

-l   Disallow authentication based on the user’s .rhosts file unless the user is a superuser.

-m   With this option enabled, remshd returns immediately after its child process is killed; it does not wait for all of its sub child processes to die. This in turn causes remsh not to wait, even when the sub child processes are running remotely. As a result, remsh will not appear hung. Users who want remshd to wait until the completion of all the sub child processes should not use the -m option; otherwise, they may not get the expected result. This option is applicable only to remsh with a secondary socket connection.

-n   Disable transport-level keep-alive messages. Otherwise, the messages are enabled. The keep-alive messages allow sessions to be timed out if the client crashes or becomes unreachable.

-s   This option is used in multi-homed NIS systems. It prevents remshd from doing a reverse lookup of the client’s IP address; see gethostbyname(3N). It can be used to circumvent an NIS limitation with multi-homed hosts.

In a secure environment, remshd will recognize the following additional options:

-c   Ignore checksum verification. This option is used to achieve interoperability between clients and servers using different checksum calculation methods. For example, the checksum calculation in an application developed with the Kerberos V5 Beta 4 API is different from the calculation in a Kerberos V5-1.0 application.

Section 1M742 Hewlett-Packard Company 1 HP-UX 11i Version 1: September 2005