HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)
r
remshd(1M) remshd(1M)
-s This option is used in multi-homed NIS systems. It disables
remshd from doing a reverse
lookup of the client’s IP address; see gethostbyname(3N). It can be used to circumvent an NIS
limitation with multi-homed hosts.
In a secure environment,
remshd will recognize the following additional options:
-c Ignore checksum verification. This option is used to achieve interoperability between clients and
servers using different checksum calculation methods. For example, the checksum calculation in
an application developed with Kerberos V5 Beta 4 API is different from the calculation in a Ker-
beros V5-1.0 application.
-K Authorization based on Kerberos V5 must succeed or access will be rejected (see sis(5) for details
on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used
with
-R. The default option is -K.
Operation
When remshd receives a service request, it responds with the following protocol:
1. The server checks the client’s source port. If the port is not a privileged port, that is, in the
range 512 through 1023, and remshd is operating in a non-secure environment, the connection
is terminated. In a secure environment, the action taken depends on the command line options:
-R The source port must be a privileged port otherwise the connection is terminated.
-r If the source port is not a privileged port then authorization based on Kerberos must
succeed or the connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. The server reads characters from the connection up to a null (
\0) byte. It interprets the result-
ing string as an ASCII number, base 10.
3. If the number is non-zero, it is interpreted as the port number of a secondary stream to be used
for standard error. A second connection is then created to the specified port on the client’s host.
(The source port of this second connection will also be checked as specified in item 1.) If the first
character sent is a null (
\0), no secondary connection is made, and the standard error from the
command is sent to the primary stream. If the secondary connection has been made, remshd
interprets bytes it receives on that socket as signal numbers and passes them to the command as
signals. See signal(2).
4. The server checks the client’s source address and requests the corresponding host name (see
named(1M), gethostbyaddr(3N), and hosts(4)). If it cannot determine the hostname, it uses the
dot-notation representation of the host address.
5. In a secure environment remshd performs authentication based on Kerberos V5. See sis(5) for
details.
6. The server reads the client’s host account name from the first connection. This is a null-
terminated sequence not exceeding 256 characters.
HP-UX 11i Version 3: February 2007 − 2 − Hewlett-Packard Company 239