.\" Copyright (c) 1983, 1989, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
.Nd remote shell server
routine and, consequently, for the
The server provides remote execution facilities
with authentication based on privileged port numbers from trusted hosts.
utility listens for service requests at the port indicated in
service specification; see
When a service request is received the following protocol
The server checks the client's source port.
If the port is not in the range 512-1023, the server
aborts the connection.
The server reads characters from the socket up
The resultant string is
If the number received in step 2 is non-zero,
it is interpreted as the port number of a secondary
stream to be used for the
A second connection is then created to the specified
port on the client's machine.
The source port of this
second connection is also in the range 512-1023.
The server checks the client's source address
and requests the corresponding host name (see
If the hostname cannot be determined or the hostname and address do
not match after verification,
the dot-notation representation of the host address is used.
A null terminated user name of at most 16 characters
is retrieved on the initial socket.
is interpreted as the user identity on the
A null terminated user name of at most 16 characters
is retrieved on the initial socket.
is interpreted as a user identity to use on the
A null terminated command to be passed to a
shell is retrieved on the initial socket.
the command is limited by the upper bound on the size of
the system's argument list.
utility then validates the user using
file found in the user's home directory.
from doing any validation based on the user's
unless the user is the superuser.
byte is returned on the initial socket
and the command line is passed to the normal login
shell inherits the network connections established
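The request format described in the protocol steps above, as an added example that is not part of this manual page or of the BSD rshd sources: a Python parser that reads the NUL-terminated port number, local user name, remote user name and command from the initial socket's byte stream and applies the source-port range check and the length checks the text describes, producing the same flag byte and "too long" diagnostics the DIAGNOSTICS section lists. The 4096-byte ARG_MAX bound, the `parse_request` name and the sample requests are constructed stand-ins; the real bound is the system's argument-list limit, and in rshd the 0 flag byte is written only after the .rhosts/hosts.equiv validation, which this example does not perform. It is written as a server-side or traffic-inspection helper: given a client source port and the bytes received, it tells you whether rshd would abort, reject with a diagnostic, or accept the request as well-formed.

```python
"""Parse and check an rsh service request as rshd(8) describes it.

Wire format on the initial socket (all fields NUL-terminated):
    <stderr port in decimal> <local user> <remote user> <command>

Added example; not code from the BSD rshd sources.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PRIVILEGED_PORTS = range(512, 1024)  # step 1: client source port must lie in 512-1023
MAX_USER_LEN = 16                    # steps 5 and 6: user names of at most 16 characters
ARG_MAX = 4096                       # constructed stand-in for the system's argument-list bound


@dataclass
class RshRequest:
    stderr_port: int   # 0 means "no secondary stderr stream" (step 3)
    locuser: str       # identity on the client's machine
    ruser: str         # identity to use on the server's machine
    command: str       # command line handed to the login shell


class ProtocolError(Exception):
    """The byte stream is not a well-formed rsh request."""


def _read_cstring(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Return the NUL-terminated string starting at pos and the index after its NUL."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise ProtocolError("unterminated string")
    return buf[pos:end], end + 1


def parse_request(src_port: int,
                  stream: bytes) -> Tuple[Optional[bytes], Optional[RshRequest]]:
    """Validate a request the way the manual page's protocol steps describe.

    Returns (reply, request).  reply is the flag byte written back on the
    initial socket: b"\\x00" when every syntactic check passed, or b"\\x01"
    followed by the diagnostic text for the "too long" errors.  reply is None
    when the server would simply abort the connection (step 1) or when the
    stream is malformed.  Authentication (.rhosts / hosts.equiv) is out of
    scope here, so b"\\x00" means "well-formed", not "authorised".
    """
    if src_port not in PRIVILEGED_PORTS:
        return None, None                 # step 1: abort without any reply

    try:
        port_str, pos = _read_cstring(stream, 0)     # step 2: decimal port number
        if not port_str.isdigit() or int(port_str) > 65535:
            raise ProtocolError("bad stderr port")   # assumption: treat as malformed
        stderr_port = int(port_str)

        locuser, pos = _read_cstring(stream, pos)    # step 5: user on client machine
        if len(locuser) > MAX_USER_LEN:
            return b"\x01Locuser too long.\n", None
        ruser, pos = _read_cstring(stream, pos)      # step 6: user on this machine
        if len(ruser) > MAX_USER_LEN:
            return b"\x01Ruser too long.\n", None
        command, pos = _read_cstring(stream, pos)    # step 7: command for the shell
        if len(command) > ARG_MAX:
            return b"\x01Command too long.\n", None
    except ProtocolError:
        return None, None

    decode = lambda b: b.decode("ascii", "replace")
    return b"\x00", RshRequest(stderr_port, decode(locuser), decode(ruser), decode(command))


if __name__ == "__main__":
    # Constructed sample: client source port 1022, stderr stream on port 1023.
    reply, req = parse_request(1022, b"1023\0alice\0bob\0ls -l\0")
    print(reply, req)
    # Constructed sample: unprivileged source port, rshd aborts with no reply.
    print(parse_request(40000, b"0\0alice\0bob\0id\0"))
```

The per-field checks mirror the order in which rshd consumes the stream, so the first violation encountered is the one reported; a request from an unprivileged source port never gets as far as having its fields read, which is why the example returns no reply at all for that case.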
The options are as follows:
.Bl -tag -width indent
This flag is ignored, and is present for compatibility purposes.
Sets the TCP_NODELAY socket option, which improves the performance
of small back-to-back writes at the expense of additional network
Causes all successful accesses to be logged to
Do not use the user's
file for authentication, unless the user is the superuser.
Turn off transport level keepalive messages.
This will prevent sessions
from timing out if the client crashes or becomes unreachable.
.Bl -tag -width /var/run/nologin -compact
.It Pa /etc/hosts.equiv
.It Pa /etc/login.conf
.It Ev $HOME Ns Pa /.rhosts
entries with service name
Authentication modules requiring passwords (such as
Except for the last one listed below,
all diagnostic messages
are returned on the initial socket,
after which any network connections are closed.
An error is indicated by a leading byte with a value of
1 (0 is returned in step 10 above upon successful completion
of all the steps prior to the execution of the login shell).
.Bl -tag -width indent
.It Sy Locuser too long.
The name of the user on the client's machine is
longer than 16 characters.
.It Sy Ruser too long.
The name of the user on the remote machine is
longer than 16 characters.
.It Sy Command too long.
The command line passed exceeds the size of the argument
list (as configured into the system).
.It Sy Login incorrect.
No password file entry for the user name existed
or the authentication procedure described above failed.
.It Sy Remote directory.
function to the home directory failed.
.It Sy Logins not available right now.
utility was attempted outside the allowed hours defined in
for the local user's login class.
.It Sy Can't make pipe.
The pipe needed for the
.It Sy Can't fork; try again.
by the server failed.
.It Sy <shellname>: ...
The user's login shell could not be started.
This message is returned
on the connection associated with the
and is not preceded by a flag byte.
.Xr gethostbyaddr 3 ,
IPv6 support was added by the WIDE/KAME project.
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium.
insecure, but is useful in an
A facility to allow all data exchanges to be encrypted should be
also needs the following patch applied besides properly configuring
.Bd -literal -offset indent
261 --- etc/pam.d/rsh.orig Wed Dec 17 14:36:20 2003
262 +++ etc/pam.d/rsh Wed Dec 17 14:30:43 2003
264 -auth required pam_rhosts.so no_warn
265 +auth required pam_rhosts.so no_warn allow_root
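Review bot: the added `allow_root` on the pam_rhosts line removes the one exception the rest of this page preserves, namely that rhosts-based validation is not applied to the superuser (the `unless the user is the superuser` wording in the validation steps and in the `-l` option). With it applied, a root login is authenticated purely by the trust recorded in /etc/hosts.equiv and root's .rhosts, over a protocol the BUGS text already calls insecure. The patch should say that this is what it trades away, and anyone applying it should pair it with a tightly restricted hosts.equiv/.rhosts for root; where root remote execution is not actually needed, the original `auth required pam_rhosts.so no_warn` line should stay.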
A more extensible protocol (such as Telnet) should be used.