HP-UX Reference (11i v1 05/09) - 1M System Administration Commands N-Z (vol 4)
r
remshd(1M)
Kerberos remshd(1M)
-K Authorization based on Kerberos V5 must succeed or access will be rejected. (see sis(5) for
details on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used with
-
R
. Also, if no options are specified, the default option is -K.
Operation
When
remshd receives a service request, it responds with the following protocol:
1. The server checks the client’s source port. If the port is not a privileged port, i.e., in the range
512 through 1023, and remshd is operating in a non-secure environment, the connection is ter-
minated. In a secure environment, the action taken depends on the command line options:
-R The source port must be a privileged port otherwise the connection is terminated.
-r If the source port is not a privileged port then authorization based on Kerberos must
succeed or the connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. The server reads characters from the connection up to a null (
\0) byte. It interprets the result-
ing string as an ASCII number, base 10.
3. If the number is non-zero, it is interpreted as the port number of a secondary stream to be used
for standard error. A second connection is then created to the specified port on the client’s host.
(The source port of this second connection will also be checked as specified in item 1.) If the first
character sent is a null (
\0), no secondary connection is made, and the standard error from the
command is sent to the primary stream. If the secondary connection has been made, remshd
interprets bytes it receives on that socket as signal numbers and passes them to the command as
signals. See signal(2).
4. The server checks the client’s source address and requests the corresponding host name (see
named(1M), gethostbyaddr(3N), and hosts(4)). If it cannot determine the hostname, it uses the
dot-notation representation of the host address.
5. In a secure environment, remshd performs authentication based on Kerberos V5. See sis(5) for
details.
6. The server reads the client’s host account name from the first connection. This is a null-
terminated sequence not exceeding 16 characters.
7. The server reads the server’s host account name from the first connection. This is a null-
terminated sequence not exceeding 16 characters.
8. The server reads a command to be passed to the shell from the first connection. The command
length is limited by the maximum size of the system’s argument list.
9.
remshd then validates the user as follows (all actions take place on the host remshd runs on):
a. It looks up the user account name (retrieved in step 6) in the password file. If it finds it, it
performs a chdir() to either the user’s home directory, if there is one, or to "/."
HP-UX 11i Version 1: September 2005 − 2 − Hewlett-Packard Company Section 1M−−743