.\" Copyright (c) 1983, 1989, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" %sccs.include.redist.man%
.\"
.\"     @(#)rshd.8	8.1 (Berkeley) 06/04/93
.\"
.Dd
.Dt RSHD 8
.Os BSD 4.2
.Sh NAME
.Nm rshd
.Nd remote shell server
.Sh SYNOPSIS
.Nm rshd
.Op Fl alnL
.Sh DESCRIPTION
The
.Nm rshd
server
is the server for the
.Xr rcmd 3
routine and, consequently, for the
.Xr rsh 1
program.  The server provides remote execution facilities
with authentication based on privileged port numbers from trusted hosts.
.Pp
The
.Nm rshd
server
listens for service requests at the port indicated in
the ``cmd'' service specification; see
.Xr services 5 .
When a service request is received the following protocol
is initiated:
.Bl -enum
.It
The server checks the client's source port.
If the port is not in the range 512-1023, the server
aborts the connection.
.It
The server reads characters from the socket up
to a null (`\e0') byte.  The resultant string is
interpreted as an
.Tn ASCII
number, base 10.
.It
If the number received in step 2 is non-zero,
it is interpreted as the port number of a secondary
stream to be used for the
.Em stderr .
A second connection is then created to the specified
port on the client's machine.  The source port of this
second connection is also in the range 512-1023.
.It
The server checks the client's source address
and requests the corresponding host name (see
.Xr gethostbyaddr 3 ,
.Xr hosts 5
and
.Xr named 8 ) .
If the hostname cannot be determined,
the dot-notation representation of the host address is used.
If the hostname is in the same domain as the server (according to
the last two components of the domain name),
or if the
.Fl a
option is given,
the addresses for the hostname are requested,
verifying that the name and address correspond.
If address verification fails, the connection is aborted
with the message, ``Host address mismatch.''
.It
A null terminated user name of at most 16 characters
is retrieved on the initial socket.  This user name
is interpreted as the user identity on the
.Em client Ns 's
machine.
.It
A null terminated user name of at most 16 characters
is retrieved on the initial socket.  This user name
is interpreted as a user identity to use on the
.Sy server Ns 's
machine.
.It
A null terminated command to be passed to a
shell is retrieved on the initial socket.  The length of
the command is limited by the upper bound on the size of
the system's argument list.
.It
.Nm Rshd
then validates the user using
.Xr ruserok 3 ,
which uses the file
.Pa /etc/hosts.equiv
and the
.Pa .rhosts
file found in the user's home directory.  The
.Fl l
option prevents
.Xr ruserok 3
from doing any validation based on the user's ``.rhosts'' file,
unless the user is the superuser.
.It
If the file
.Pa /etc/nologin
exists and the user is not the superuser,
the connection is closed.
.It
A null byte is returned on the initial socket
and the command line is passed to the normal login
shell of the user.  The
shell inherits the network connections established
by
.Nm rshd .
.El
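.Pp
As an added illustration of the request framing the enumerated steps describe (example code written for this page, not part of the original manual page or of rshd itself), the following Python parser walks the initial-socket stream of steps 1, 2 and 5-7 and produces the flag-byte replies the DIAGNOSTICS section lists; the MAX_CMD bound is a constructed stand-in for the system's argument-list limit, and the network-dependent address and .rhosts checks are left out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_USER = 16          # "Locuser too long." / "Ruser too long." limits
MAX_CMD = 4096         # constructed stand-in for the argument-list bound
PRIV_PORTS = range(512, 1024)   # step 1: reserved source ports only


@dataclass
class RshRequest:
    stderr_port: int   # step 2/3: 0 means no secondary stderr connection
    locuser: str       # step 5: identity on the client's machine
    ruser: str         # step 6: identity to use on the server's machine
    command: str       # step 7: passed to the user's login shell


def _cstring(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the bytes before the next NUL and the offset just past it."""
    end = buf.index(b"\0", pos)
    return buf[pos:end], end + 1


def _error(msg: str) -> Tuple[None, bytes]:
    """Diagnostics travel on the initial socket behind a flag byte of 1."""
    return None, b"\x01" + msg.encode("ascii")


def parse_rsh_request(src_port: int, stream: bytes) -> Tuple[Optional[RshRequest], bytes]:
    """Parse one request; returns (request, reply).

    On success the reply is the single NUL byte of step 10; on a
    diagnostic the request is None and the reply carries the message.
    """
    if src_port not in PRIV_PORTS:
        return None, b""           # step 1: aborted without a message
    digits, pos = _cstring(stream, 0)
    stderr_port = int(digits.decode("ascii") or "0", 10)   # step 2: base 10
    locuser, pos = _cstring(stream, pos)
    if len(locuser) > MAX_USER:
        return _error("Locuser too long.")
    ruser, pos = _cstring(stream, pos)
    if len(ruser) > MAX_USER:
        return _error("Ruser too long.")
    command, _ = _cstring(stream, pos)
    if len(command) > MAX_CMD:
        return _error("Command too long.")
    req = RshRequest(stderr_port, locuser.decode("ascii"),
                     ruser.decode("ascii"), command.decode("ascii"))
    return req, b"\0"
```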
.Pp
Transport-level keepalive messages are enabled unless the
.Fl n
option is present.
The use of keepalive messages allows sessions to be timed out
if the client crashes or becomes unreachable.
.Pp
The
.Fl L
option causes all successful accesses to be logged to
.Xr syslogd 8
as
.Li auth.info
messages.
.Sh DIAGNOSTICS
Except for the last one listed below,
all diagnostic messages
are returned on the initial socket,
after which any network connections are closed.
An error is indicated by a leading byte with a value of
1 (0 is returned in step 10 above upon successful completion
of all the steps prior to the execution of the login shell).
.Bl -tag -width indent
.It Sy Locuser too long.
The name of the user on the client's machine is
longer than 16 characters.
.It Sy Ruser too long.
The name of the user on the remote machine is
longer than 16 characters.
.It Sy Command too long.
The command line passed exceeds the size of the argument
list (as configured into the system).
.It Sy Login incorrect.
No password file entry for the user name existed.
.It Sy Remote directory.
The
.Xr chdir 2
call to the home directory failed.
.It Sy Permission denied.
The authentication procedure described above failed.
.It Sy Can't make pipe.
The pipe needed for the
.Em stderr
wasn't created.
.It Sy Can't fork; try again.
A
.Xr fork 2
by the server failed.
.It Sy <shellname>: ...
The user's login shell could not be started.  This message is returned
on the connection associated with the
.Em stderr ,
and is not preceded by a flag byte.
.El
.Sh SEE ALSO
.Xr rsh 1 ,
.Xr rcmd 3 ,
.Xr ruserok 3
.Sh BUGS
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium.  This is
insecure, but is useful in an ``open'' environment.
.Pp
A facility to allow all data exchanges to be encrypted should be
present.
.Pp
A more extensible protocol (such as Telnet) should be used.
184