1 .\" Copyright (c) 1983, 1989, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. All advertising materials mentioning features or use of this software
13 .\" must display the following acknowledgement:
14 .\" This product includes software developed by the University of
15 .\" California, Berkeley and its contributors.
16 .\" 4. Neither the name of the University nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
20 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
40 .Nd remote shell server
50 routine and, consequently, for the
53 The server provides remote execution facilities
54 with authentication based on privileged port numbers from trusted hosts.
58 utility listens for service requests at the port indicated in
61 service specification; see
63 When a service request is received the following protocol
67 The server checks the client's source port.
68 If the port is not in the range 512-1023, the server
69 aborts the connection.
71 The server reads characters from the socket up
75 The resultant string is
80 If the number received in step 2 is non-zero,
81 it is interpreted as the port number of a secondary
82 stream to be used for the
84 A second connection is then created to the specified
85 port on the client's machine.
86 The source port of this
87 second connection is also in the range 512-1023.
89 The server checks the client's source address
90 and requests the corresponding host name (see
95 If the hostname cannot be determined or the hostname and address do
96 not match after verification,
97 the dot-notation representation of the host address is used.
99 A null terminated user name of at most 16 characters
100 is retrieved on the initial socket.
102 is interpreted as the user identity on the
106 A null terminated user name of at most 16 characters
107 is retrieved on the initial socket.
109 is interpreted as a user identity to use on the
113 A null terminated command to be passed to a
114 shell is retrieved on the initial socket.
116 the command is limited by the upper bound on the size of
117 the system's argument list.
121 utility then validates the user using
127 file found in the user's home directory.
132 from doing any validation based on the user's
135 unless the user is the superuser.
139 byte is returned on the initial socket
140 and the command line is passed to the normal login
143 shell inherits the network connections established
148 The options are as follows:
149 .Bl -tag -width indent
151 This flag is ignored, and is present for compatability purposes.
153 Sets the TCP_NODELAY socket option, which improves the performance
154 of small back-to-back writes at the expense of additional network
157 Causes all successful accesses to be logged to
163 Do not use the user's
165 file for authentication, unless the user is the superuser.
167 Turn off transport level keepalive messages.
168 This will prevent sessions
169 from timing out if the client crashes or becomes unreachable.
172 .Bl -tag -width /var/run/nologin -compact
174 .It Pa /etc/hosts.equiv
175 .It Pa /etc/login.conf
176 .It Ev $HOME Ns Pa /.rhosts
182 entries with service name
184 Authentication modules requiring passwords (such as
189 Except for the last one listed below,
190 all diagnostic messages
191 are returned on the initial socket,
192 after which any network connections are closed.
193 An error is indicated by a leading byte with a value of
194 1 (0 is returned in step 10 above upon successful completion
195 of all the steps prior to the execution of the login shell).
196 .Bl -tag -width indent
197 .It Sy Locuser too long.
198 The name of the user on the client's machine is
199 longer than 16 characters.
200 .It Sy Ruser too long.
201 The name of the user on the remote machine is
202 longer than 16 characters.
203 .It Sy Command too long.
204 The command line passed exceeds the size of the argument
205 list (as configured into the system).
206 .It Sy Login incorrect.
207 No password file entry for the user name existed
208 or the authentication procedure described above failed.
209 .It Sy Remote directory.
212 function to the home directory failed.
213 .It Sy Logins not available right now.
216 utility was attempted outside the allowed hours defined in
218 for the local user's login class.
219 .It Sy Can't make pipe.
220 The pipe needed for the
223 .It Sy Can't fork; try again.
226 by the server failed.
227 .It Sy <shellname>: ...
228 The user's login shell could not be started.
229 This message is returned
230 on the connection associated with the
232 and is not preceded by a flag byte.
237 .Xr gethostbyaddr 3 ,
249 IPv6 support was added by WIDE/KAME project.
251 The authentication procedure used here assumes the integrity
252 of each client machine and the connecting medium.
254 insecure, but is useful in an
258 A facility to allow all data exchanges to be encrypted should be
263 also needs the following patch applied besides properly configuring
265 .Bd -literal -offset indent
266 --- etc/pam.d/rsh.orig Wed Dec 17 14:36:20 2003
267 +++ etc/pam.d/rsh Wed Dec 17 14:30:43 2003
269 -auth required pam_rhosts.so no_warn
270 +auth required pam_rhosts.so no_warn allow_root
273 A more extensible protocol (such as Telnet) should be used.