HP-UX Reference (11i v2 03/08) - 1M System Administration Commands N-Z (vol 4)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

191

192

193

194

195

196

197

198

199

200

remshd(1M) remshd(1M)

NAME

remshd - remote shell server

SYNOPSIS

/usr/lbin/remshd

[-lmns]

In Kerberos V5 Network Authentication Environments

/usr/lbin/remshd

[-clmnKkRr]

DESCRIPTION

The

remshd command is the server for the

rcp, rdist and remsh commands, rcmd() and the

rcmd_af() function in case of IPv6 systems (see rcp(1), rdist(1), remsh(1), rcmd(3N)), and

rcmd_af(3N).

remshd allows two kinds of authentication methods:

1. Authentication based on privileged port numbers where the client’s source port must be in the

range 512 through 1023. In this case

remshd

assumes it is operating in normal or non-

secure environment.

2. Authentication based on Kerberos V5. In this case

remshd

assumes that it is operating in a

Kerberos V5 Network Authentication, i.e., secure environment.

The inetd daemon invokes

remshd if a service request is received at ports indicated by shell or

kshell services speciﬁed in /etc/services

(see inetd(1M) and services(4)). Service requests arriv-

ing at the

kshell port assume a secure environment and expect Kerberos authentication to take place.

To start

remshd from the inetd daemon in a non-secure environment, the conﬁguration ﬁle

/etc/inetd.conf must contain an entry as follows:

shell stream tcp nowait root /usr/lbin/remshd remshd

In a secure environment, /etc/inetd.conf

must contain an entry:

kshell stream tcp nowait root /usr/lbin/remshd remshd -K

The above conﬁguration line will start remshd in IPv4 mode. To run remshd

in IPv6 mode, the fol-

lowing line must be present in the

/etc/inetd.conf

ﬁle:

shell stream tcp6 nowait root /usr/lbin/remshd remshd

Note: For IPv6 applications, the protocol

tcp has to be changed to tcp6. See the inetd.conf (4)

manpage for more information.

To prevent non-secure access, the entry for

shell should be commented out in /etc/inetd.conf

Any non-Kerberos access will be denied since the entry for the port indicated by

shell has now been

removed or commented out. In such a situation, a generic error message,

rcmd: connect hostname : Connection refused

is displayed. See DIAGNOSTICS for more details.

Note: By commenting out the entry for the port, access by other clients such as

rdist will also be

prevented.

Options

remshd recognizes the following options.

-l This option can be used to forbid authentication based on the user’s .rhosts ﬁle unless the

user is a superuser.

-n This option can be used to disable transport-level keep-alive messages. Otherwise, the mes-

sages are enabled. The keep-alive messages allow sessions to be timed out if the client crashes

or becomes unreachable.

-m With this option enabled, remshd returns immediately after its child process gets killed; it

does not wait for all its sub child processes to die. This in turn makes remsh not to wait even

when the sub child processes are running remotely. As a result, remsh will not appear hung.

It is recommended that users do not use -m option, if they want remshd to wait until the com-

pletion of all the sub child processes. Otherwise, the user may not get an expected result. This

option is applicable only to remsh with a secondary socket connection.

Section 1M−−662 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: August 2003