NAME
     remshd — remote shell server

SYNOPSIS
     /usr/lbin/remshd [-lmns]

   In Kerberos V5 Network Authentication Environments
     /usr/lbin/remshd [-clmnKkRr]

DESCRIPTION
     The remshd command is the server for the rcp, rdist and remsh commands
     and for the rcmd() function (rcmd_af() on IPv6 systems); see rcp(1),
     rdist(1), remsh(1), rcmd(3N), and rcmd_af(3N). remshd supports two
     authentication methods:
     1.  Authentication based on privileged port numbers, where the client's
         source port must be in the range 512 through 1023. In this case
         remshd assumes it is operating in a normal (non-secure) environment.

     2.  Authentication based on Kerberos V5. In this case remshd assumes it
         is operating in a Kerberos V5 Network Authentication (secure)
         environment.
     The inetd daemon invokes remshd when a service request arrives at the
     port of the shell or kshell service listed in /etc/services (see
     inetd(1M) and services(4)). Service requests arriving at the kshell port
     assume a secure environment and expect Kerberos authentication to take
     place.

     To start remshd from the inetd daemon in a non-secure environment, the
     configuration file /etc/inetd.conf must contain the following entry:

          shell stream tcp nowait root /usr/lbin/remshd remshd

     In a secure environment, /etc/inetd.conf must contain the entry:

          kshell stream tcp nowait root /usr/lbin/remshd remshd -K

     The configuration lines above start remshd in IPv4 mode. To run remshd
     in IPv6 mode, the following line must be present in /etc/inetd.conf:

          shell stream tcp6 nowait root /usr/lbin/remshd remshd

     That is, for IPv6 applications the protocol tcp is changed to tcp6. See
     inetd.conf(4) for more information.

     To prevent non-secure access, the entry for shell should be commented
     out in /etc/inetd.conf. Any non-Kerberos access is then denied, since
     the entry for the port indicated by shell has been removed or commented
     out. In that situation a generic error message,

          rcmd: connect hostname: Connection refused

     is displayed; see DIAGNOSTICS for more details. Note that commenting out
     the entry for the port also prevents access by other clients such as
     rdist.

   Options
     remshd recognizes the following options.
     -l   Forbid authentication based on the user's .rhosts file unless the
          user is a superuser.

     -n   Disable transport-level keep-alive messages. Otherwise, the
          messages are enabled. The keep-alive messages allow sessions to be
          timed out if the client crashes or becomes unreachable.

     -m   With this option enabled, remshd returns immediately after its
          child process is killed; it does not wait for all of that child's
          descendant processes to die. This in turn makes remsh not wait even
          when the descendant processes are still running remotely, so remsh
          does not appear hung. Users who want remshd to wait until all
          descendant processes have completed should not use the -m option;
          otherwise they may get an unexpected result. This option applies
          only to remsh with a secondary socket connection. Note that even
          with the -m option enabled, remshd exits if the command's standard
          error is closed.

     -s   This option is used on multi-homed NIS systems. It prevents remshd
          from doing a reverse lookup of the client's IP address; see
          gethostbyname(3N). It can be used to circumvent an NIS limitation
          with multi-homed hosts.

     In a secure environment, remshd recognizes the following additional
     options:
     -c   Ignore checksum verification. This option is used to achieve
          interoperability between clients and servers using different
          checksum calculation methods. For example, the checksum
          calculation in an application developed with the Kerberos V5 Beta
          4 API differs from the calculation in a Kerberos V5-1.0
          application.

     -K   Authorization based on Kerberos V5 must succeed or access is
          rejected (see sis(5) for details on authorization).

     -R   Authentication based on privileged port numbers and authorization
          of the remote user through equivalent accounts must both succeed.
          For more information on equivalent accounts, see hosts.equiv(4).

     -r   Either one of the following must succeed. The authorization checks
          are done in the order given:

          1.  Authentication based on privileged port numbers and
              authorization of the remote user through equivalent accounts
              (see hosts.equiv(4)).

          2.  Authorization based on Kerberos V5.

     -k   Either one of the following must succeed. The authorization checks
          are done in the order given:

          1.  Authorization based on Kerberos V5.

          2.  Authentication based on privileged port numbers and
              authorization of the remote user through equivalent accounts.

     Note: The -k option is ignored when used with -K, and the -r option is
     ignored when used with -R. The default option is -K.
   Operation
     When remshd receives a service request, it responds with the following
     protocol:

     1.  The server checks the client's source port. If the port is not a
         privileged port (one in the range 512 through 1023) and remshd is
         operating in a non-secure environment, the connection is
         terminated. In a secure environment, the action taken depends on
         the command line options:

         -R   The source port must be a privileged port; otherwise the
              connection is terminated.

         -r   If the source port is not a privileged port, then
              authorization based on Kerberos must succeed or the connection
              is terminated.

         -k   The source port must be a privileged port if Kerberos
              authorization fails.

         -K   No action is taken.
     2.  The server reads characters from the connection up to a null (\0)
         byte and interprets the resulting string as an ASCII number, base
         10.

     3.  If the number is non-zero, it is interpreted as the port number of
         a secondary stream to be used for standard error. A second
         connection is then created to the specified port on the client's
         host. (The source port of this second connection is also checked
         as specified in item 1.) If the first character sent is a null
         (\0), no secondary connection is made, and the standard error from
         the command is sent to the primary stream. If the secondary
         connection has been made, remshd interprets bytes it receives on
         that socket as signal numbers and passes them to the command as
         signals. See signal(2).

     4.  The server checks the client's source address and requests the
         corresponding host name (see named(1M), gethostbyaddr(3N), and
         hosts(4)). If it cannot determine the host name, it uses the
         dot-notation representation of the host address.

     5.  In a secure environment remshd performs authentication based on
         Kerberos V5. See sis(5) for details.

     6.  The server reads the client's host account name from the first
         connection. This is a null-terminated sequence not exceeding 256
         characters.

     7.  The server reads the server's host account name from the first
         connection. This is a null-terminated sequence not exceeding 256
         characters.

     8.  The server reads a command to be passed to the shell from the first
         connection. The command length is limited by the maximum size of
         the system's argument list.

     9.  remshd then validates the user as follows (all actions take place
         on the host remshd runs on):
         a.  It looks up the user account name (retrieved in step 6) in the
             password file. If it finds it, it performs a chdir() to the
             user's home directory, if there is one, or to "/".

         b.  If either the lookup or chdir() fails, the connection is
             terminated (see chdir(2)).

         c.  The connection is also terminated if:

             -  the account accessed is administratively locked. The account
                can be locked by entering a character in the password field
                that is not part of the set of "digits" (such as *). The
                characters used to represent "digits" are '.' for 0, '/'
                for 1, '0' through '9' for 2 through 11, 'A' through 'Z'
                for 12 through 37, and 'a' through 'z' for 38 through 63.
                (See also passwd(4).)

             -  in a non-secure environment, the account accessed is
                protected by a password and either the password has expired
                or the account on the client's host is not equivalent to the
                account accessed.

             -  in a secure environment, the command line options decide
                whether the connection is terminated:

                -K   If Kerberos authorization does not succeed, the
                     connection is terminated (see sis(5) for details on
                     authorization).

                -R   If the client's host is not equivalent to the account
                     accessed, the connection is terminated.

                -r   If the account is not equivalent to the account
                     accessed, then Kerberos authorization has to succeed or
                     the connection is terminated.

                -k   If Kerberos authorization fails, then the account has
                     to be equivalent or the connection is terminated.

                For more information on equivalent accounts, see
                hosts.equiv(4).
     10. A null byte is returned on the primary connection and the command
         line is passed to the normal login shell of the user with that
         shell's -c option. The shell inherits the network connections
         established by remshd and assumes the normal user and group
         permissions of the user. remshd uses the following path when
         executing the specified command:

              /usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/contrib/bin:/usr/local/bin

     11. If a secondary socket has been set up, remshd normally exits when
         the command's standard error and the secondary socket's standard
         error have both been closed. If no secondary socket was set up,
         remshd has called an exec() function, launched the command process,
         and is no longer present.
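     The request handling in steps 1 through 10 above, together with the
     reply framing from DIAGNOSTICS, modelled as an added Python example.
     This is illustrative code written for this page, not HP-UX source: the
     function names, the 4096-byte stand-in for the system's argument-list
     limit, the choice of "Login incorrect" as the diagnostic for a locked
     account, and the sample request bytes are all this example's own
     assumptions. It shows the source-port decision for each option, the
     four NUL-terminated request fields with their 256-character limits, the
     locked-account test on the password field, and the 0 / 1-plus-message
     reply a client sees.

```python
# Added example modelling the remshd request protocol described in the
# Operation section. Not HP-UX code; names and limits are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

PRIV_PORT_LOW, PRIV_PORT_HIGH = 512, 1023   # "privileged" source-port range
MAX_NAME = 256                               # locuser / remuser limit (steps 6, 7)
# The 64 "digit" characters of a password field: . / 0-9 A-Z a-z. Any other
# character (e.g. '*') marks the account administratively locked (step 9c).
PASSWD_DIGITS = frozenset("./0123456789" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          + "abcdefghijklmnopqrstuvwxyz")


class RemshdError(Exception):
    """Diagnostic text sent after the leading 1 byte; the connection then closes."""


@dataclass
class Request:
    stderr_port: int   # 0 means: no secondary connection, stderr on the primary stream
    locuser: str       # account name on the client host
    remuser: str       # account name on this (server) host
    command: str       # passed to the login shell with -c


def is_privileged_port(port: int) -> bool:
    return PRIV_PORT_LOW <= port <= PRIV_PORT_HIGH


def source_port_ok(port: int, secure: bool, mode: str, kerberos_ok: bool) -> bool:
    """Step 1: may the connection proceed given the client's source port?

    secure=False models the 'shell' service; secure=True the 'kshell' service,
    where mode is one of "R", "r", "k", "K". -r and -k accept the same
    connections; they differ only in which check runs first.
    """
    if not secure or mode == "R":
        return is_privileged_port(port)
    if mode in ("r", "k"):
        return is_privileged_port(port) or kerberos_ok
    if mode == "K":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def account_locked(passwd_field: str) -> bool:
    """Step 9c: a password field containing a non-'digit' character is locked."""
    return any(ch not in PASSWD_DIGITS for ch in passwd_field)


def _read_cstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """Return the NUL-terminated string starting at pos and the position after it."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise RemshdError("truncated request")   # this example's own message
    return buf[pos:end].decode("ascii", "replace"), end + 1


def parse_request(buf: bytes, max_command: int = 4096) -> Request:
    """Steps 2, 6, 7, 8: decode the four NUL-terminated fields of a request."""
    port_str, pos = _read_cstring(buf, 0)
    if port_str == "":
        stderr_port = 0                        # first byte was NUL: no secondary stream
    elif port_str.isdigit():
        stderr_port = int(port_str, 10)        # ASCII decimal port number
    else:
        raise RemshdError("Can't get stderr port")
    locuser, pos = _read_cstring(buf, pos)
    if len(locuser) > MAX_NAME:
        raise RemshdError("Locuser too long")
    remuser, pos = _read_cstring(buf, pos)
    if len(remuser) > MAX_NAME:
        raise RemshdError("Remuser too long")
    command, pos = _read_cstring(buf, pos)
    if len(command) > max_command:             # stands in for the system's argument-list limit
        raise RemshdError("Command too long")
    return Request(stderr_port, locuser, remuser, command)


def respond(buf: bytes, src_port: int, secure: bool = False, mode: str = "K",
            kerberos_ok: bool = False, passwd_field: Optional[str] = "x") -> bytes:
    """Reply stream: b'\\0' on success (step 10), or b'\\1' plus the diagnostic.

    passwd_field=None models 'no password file entry' for the user.
    """
    try:
        if not source_port_ok(src_port, secure, mode, kerberos_ok):
            raise RemshdError("Malformed from address")
        parse_request(buf)
        if passwd_field is None or account_locked(passwd_field):
            raise RemshdError("Login incorrect")   # diagnostic chosen for this example
        return b"\0"
    except RemshdError as exc:
        return b"\1" + str(exc).encode() + b"\n"


if __name__ == "__main__":
    # Constructed sample: client asks for stderr on its port 1022 and runs "id".
    sample = b"1022\0alice\0alice\0id\0"
    print(parse_request(sample))
    print(respond(sample, src_port=1021))                 # b'\x00'
    print(respond(sample, src_port=40000))                # b'\x01Malformed from address\n'
    print(respond(sample, src_port=40000, secure=True))   # -K default: b'\x00'
```

     The same request is accepted or refused depending only on the
     environment and option in effect: in non-secure mode an unprivileged
     source port is refused before any field is read, while under -K the
     port is ignored entirely and the decision rests on the Kerberos step.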
SECURITY FEATURES
     For detailed information on all the configuration parameters that
     affect remshd, see security(4). remshd supports the following
     configuration parameters in the /etc/default/security file:
DIAGNOSTICS
     All diagnostic messages are returned on the connection associated with
     standard error, after which any network connections are closed. An
     error is indicated by a leading byte with a value of 1 (0 is returned
     in step 9 above upon successful completion of all the steps before the
     command execution).

     Malformed from address
          The first socket connection does not use a reserved port, or the
          client's host address is not an Internet address.

     Can't get stderr port
          Unable to complete the connection of the secondary socket used for
          error communication.

     Second port not reserved
          The secondary socket connection does not use a reserved port.

     Locuser too long
          The name of the user account on the client's host is longer than
          256 characters.

     Remuser too long
          The name of the user on the server's host is longer than 256
          characters.

     Command too long
          The command line passed exceeds the size of the argument list (as
          configured into the system).

     Login incorrect
          No password file entry existed for the user name on the server's
          host, or the authentication procedure described above in step 8
          failed.

     No remote directory
          The chdir command to the home directory or "/" on the server's
          host failed.

     Can't make pipe
          The pipe needed for the standard error output wasn't created.

     No more processes
          The server was unable to fork a process to handle the incoming
          connection. Next step: wait a period of time and try again. If
          this message persists, the server's host may have runaway
          processes that are using all the entries in the process table.

     system call: message
          Error in executing the named system call. The message specifies
          the cause of the failure.

     shellname: ...
          The user's login shell could not be started. This message is
          returned on the connection associated with the standard error and
          is not preceded by a leading byte with a value of 1. Other
          messages can be returned by the remote command when it executes.

     rcmd: connect : <hostname>: Connection refused.
          This generic message could be due to a number of reasons. One
          reason could be that the entry for the shell service is not
          present in /etc/inetd.conf; it may have been removed or commented
          out to prevent non-secure access.
     Kerberos specific errors are listed in sis(5).

WARNINGS
     The integrity of each host and the connecting medium is assumed if the
     "privileged port" authentication procedure is used in a non-secure
     environment or if the command line options -R or -r are used in a
     secure environment. Although both these methods provide insecure
     access, they are useful in an "open" environment. Note that all
     information, including any passwords, is passed unencrypted between the
     two hosts when remshd is invoked in a non-secure environment.

     remshd ignores SIGHUP, SIGINT, SIGQUIT, and SIGTERM, so these signal
     numbers can safely be sent to remote commands via the secondary socket
     provided by remshd. Other signal numbers may cause remshd to kill
     itself.

AUTHOR
     remshd was developed by the University of California, Berkeley.

FILES
     $HOME/.rhosts         User's private equivalence list
     /etc/hosts.equiv      List of equivalent hosts
SEE ALSO
     rcp(1), rdist(1), remsh(1), inetd(1M), named(1M), chdir(2), signal(2),
     gethostbyaddr(3N), gethostbyname(3N), rcmd(3N), rcmd_af(3N), hosts(4),
     hosts.equiv(4), inetd.conf(4), inetd.sec(4), passwd(4), security(4),
     services(4), sis(5).