HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

remshd(1M) remshd(1M)
NAME
remshd - remote shell server
SYNOPSIS
/usr/lbin/remshd [-lmns]
In Kerberos V5 Network Authentication Environments
/usr/lbin/remshd [-clmnKkRr]
DESCRIPTION
The remshd command is the server for the rcp, rdist and remsh commands, the rcmd() function and, on IPv6 systems, the rcmd_af() function (see rcp(1), rdist(1), remsh(1), rcmd(3N), and rcmd_af(3N)).
remshd allows two kinds of authentication methods:
1. Authentication based on privileged port numbers, where the client’s source port must be in the range 512 through 1023. In this case remshd assumes it is operating in a normal or non-secure environment.
2. Authentication based on Kerberos V5. In this case remshd assumes that it is operating in a Kerberos V5 Network Authentication, i.e., secure, environment.
The inetd daemon invokes remshd if a service request is received at ports indicated by shell or kshell services specified in /etc/services (see inetd(1M) and services(4)). Service requests arriving at the kshell port assume a secure environment and expect Kerberos authentication to take place.
To start remshd from the inetd daemon in a non-secure environment, the configuration file /etc/inetd.conf must contain an entry as follows:
    shell stream tcp nowait root /usr/lbin/remshd remshd
In a secure environment, /etc/inetd.conf must contain an entry:
    kshell stream tcp nowait root /usr/lbin/remshd remshd -K
The configuration lines above will start remshd in IPv4 mode. To run remshd in IPv6 mode, the following line must be present in the /etc/inetd.conf file:
    shell stream tcp6 nowait root /usr/lbin/remshd remshd
That is, for IPv6 applications, the protocol tcp has to be changed to tcp6. See inetd.conf(4) for more information.
To prevent non-secure access, the entry for shell should be commented out in /etc/inetd.conf.
Any non-Kerberos access will be denied since the entry for the port indicated by shell has now been removed or commented out. In such a situation, a generic error message,
    rcmd: connect hostname: Connection refused
is displayed. See DIAGNOSTICS for more details.
Note that by commenting out the entry for the port, access by other clients such as rdist will also be prevented.
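A check for the /etc/inetd.conf entries described above, as an added example that is not part of the HP-UX reference. The function names are hypothetical, the sample file contents are constructed, and the -l and -K options it looks for are the ones listed on this page:

```shell
#!/bin/sh
# Added example, not from the HP-UX reference. Function names are hypothetical.

# Constructed sample in inetd.conf format, built from the entries shown above.
sample_inetd_conf() {
    cat <<'EOF'
#shell  stream tcp  nowait root /usr/lbin/remshd remshd
shell   stream tcp6 nowait root /usr/lbin/remshd remshd -l
kshell  stream tcp  nowait root /usr/lbin/remshd remshd -K
EOF
}

# Reads inetd.conf-format text from the named file (or stdin when no file is
# given), prints one finding per active remshd entry, and returns 1 if any
# non-Kerberos "shell" entry is still enabled, 0 otherwise.
audit_remshd_inetd() {
    awk '
        /^[ \t]*#/ || NF < 7       { next }   # commented-out or incomplete entry
        $6 != "/usr/lbin/remshd"   { next }   # some other server program
        {
            opts = ""
            for (i = 8; i <= NF; i++) opts = opts " " $i   # options after argv[0]
            if ($1 == "shell") {
                bad = 1
                msg = "NONSECURE shell/" $3 ": privileged-port authentication"
                if (opts !~ /-[A-Za-z]*l/)
                    msg = msg ", .rhosts authentication not forbidden (no -l)"
                print msg
            } else if ($1 == "kshell") {
                if (opts ~ /-[A-Za-z]*K/)
                    print "OK kshell/" $3 ": matches the documented -K entry"
                else
                    print "CHECK kshell/" $3 ": entry lacks the documented -K"
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Demo on the constructed sample; on a real host pass /etc/inetd.conf instead.
sample_inetd_conf | audit_remshd_inetd || true
```

The tcp6 line in the sample shows why both protocol variants need checking: commenting out only the tcp entry leaves the non-secure service reachable over IPv6.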
Options
remshd recognizes the following options.
-l Forbid authentication based on the user’s .rhosts file unless the user is a superuser.
-n Disable transport-level keep-alive messages. Otherwise, the messages are enabled. The keep-alive messages allow sessions to be timed out if the client crashes or becomes unreachable.
-m With this option enabled, remshd returns immediately after its child process gets killed; it does not wait for all its sub child processes to die. This in turn makes remsh not wait even when the sub child processes are running remotely. As a result, remsh will not appear hung. It is recommended that users do not use the -m option if they want remshd to wait until the completion of all the sub child processes. Otherwise, the user may get an unexpected result.
This option is applicable only to remsh with a secondary socket connection.
Note that even with the -m option enabled, remshd will exit if command standard error is closed.
238 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007