rshd(ADMN)


rshd -- remote shell server

Syntax

/etc/rshd [ -k ] [ -K ] [ -X ]

Description

rshd is the network server for programs such as rcmd(TC) and rcp(TC), which need to execute a noninteractive shell on remote machines. rshd is started by the inetd ``super server'', and therefore must have an entry in the configuration file, /etc/inetd.conf. (See inetd(ADMN) and inetd.conf(SFF).)

By default rshd enforces an authentication procedure based on equivalence of user names (see hosts.equiv(SFF)). This procedure assumes all nodes on the network are equally secure.

Authenticated rcp and rcmd using Kerberos

rshd listens for service requests at the kshell port (544/tcp) as indicated in the login services specification (see services(SFF)). The kshell port accepts a connection from a remote authenticated rcmd or rcp client and establishes authentication with the client.

Authentication takes place between the client program (rcmd or rcp) and the host principal of the machine where the rshd service daemon is running, using the network credentials of the user who invoked the client program. The principal name for host machine.subdomain.domain is

   host/machine.subdomain.domain

The machine name must be fully qualified (for example, kvetch.your_company.com). The service key for this host principal is cached in the local Default Service Key Table (/krb5/v5srvtab), and must match the service key stored in the Security Registry.

The following authentication options are supported:


-k
Relaxed authentication mode; if authentication cannot be established, a traditional unauthenticated connection is established.

-K
Strict authentication mode; if authentication cannot be established, no service is provided.

-X
Refuse service and print the message:
   rshd: Authentication is required on host: hostname

To execute commands on behalf of remote clients, the user invoking the client must have network credentials, and the user's principal name must appear in the $HOME/.k5login file on the host where rshd is running. This file must be writable only by the user or by root, and it must be readable by root on the filesystem where it resides.
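
The following audit script is an added example, not part of the original manual page or of SCO's software. It classifies each rshd entry in inetd.conf-style input by the authentication mode its flags select, and flags entries that can serve a session without Kerberos authentication. The field layout and the sample entries are assumptions, labelled in the comments.

```shell
#!/bin/sh
# Added example: classify rshd entries in inetd.conf-style input by auth mode.
# Assumes the conventional inetd.conf field order:
#   service socket-type protocol wait-flag user server-path argv0 [args...]

# audit_rshd: reads configuration text on stdin, prints "<service> <mode>" for
# every entry whose server program is rshd. Returns 1 if any entry can end up
# serving a session without Kerberos authentication, 0 otherwise.
audit_rshd() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF < 6 { next }      # comments, blank and short lines
        $6 !~ /(^|\/)rshd$/  { next }      # server program is not rshd
        {
            k = K = X = 0
            for (i = 7; i <= NF; i++) {
                if ($i == "-k") k = 1
                if ($i == "-K") K = 1
                if ($i == "-X") X = 1
            }
            # The man page gives no precedence for combined flags, so a
            # combination is reported for manual review, not guessed at.
            if (k + K + X > 1) mode = "ambiguous"
            else if (K)        mode = "strict"       # no auth, no service
            else if (X)        mode = "refuse"       # service always refused
            else if (k)        mode = "relaxed"      # falls back to unauthenticated
            else               mode = "hosts.equiv"  # default name-equivalence trust
            if (mode != "strict" && mode != "refuse") bad = 1
            print $1, mode
        }
        END { exit bad }
    '
}

# Constructed sample entries (not taken from a real host).
audit_rshd <<'EOF' || echo "rshd: some entries permit unauthenticated sessions" >&2
# service socket proto wait   user server    argv
shell     stream tcp   nowait root /etc/rshd rshd
kshell    stream tcp   nowait root /etc/rshd rshd -k
EOF
```

On a live host, run it as audit_rshd < /etc/inetd.conf and treat a non-zero status as a finding.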

Limitations

Authentication is based on Version 5 of the Kerberos Network Authentication Service protocol. Only this version of the protocol is supported.

Data encryption is not supported.

Files


/etc/hosts.equiv
list of equivalent hosts

/etc/inetd.conf
configuration file for inetd

/etc/services
Internet services list

/krb5/v5srvtab
local default service key table

$HOME/.k5login
access control file for the SCO Secure TCP/IP Utilities

See also

auth.config(ADMN), hosts.equiv(SFF), inetd(ADMN), inetd.conf(SFF), k5login(SFF), rcmd(TC), rcp(TC), services(SFF)

Standards conformance

Authenticated rshd is not part of any currently supported standard. It is an extension of AT&T UNIX System V provided by The Santa Cruz Operation, Inc.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 02 June 2005