1 .\" Copyright (c) 1983, 1989, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. All advertising materials mentioning features or use of this software
13 .\" must display the following acknowledgement:
14 .\" This product includes software developed by the University of
15 .\" California, Berkeley and its contributors.
16 .\" 4. Neither the name of the University nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
20 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
39 .Nd remote shell server
43 .Op Fl p Ar portnumber
50 routine and, consequently, for the
52 program. The server provides remote execution facilities with
53 kerberos-based authentication or traditional pseudo-authentication
54 with privileged port numbers from trusted hosts.
59 listens for service requests at the port indicated in
60 the ``cmd'' service specification; see
62 When a service request is received
64 verifies the kerberos ticket supplied by the user.
66 For non-kerberised connections, the following protocol is initiated:
69 The server checks the client's source port.
70 If the port is not in the range 512-1023, the server
71 aborts the connection.
73 The server reads characters from the socket up
74 to a null (`\e0') byte. The resultant string is
79 If the number received in step 2 is non-zero,
80 it is interpreted as the port number of a secondary
81 stream to be used for the
83 A second connection is then created to the specified
84 port on the client's machine. The source port of this
85 second connection is also in the range 512-1023.
87 The server checks the client's source address
88 and requests the corresponding host name (see
93 If the hostname cannot be determined,
94 the dot-notation representation of the host address is used.
95 The addresses for the hostname are requested,
96 verifying that the name and address correspond.
97 If address verification fails, the connection is aborted
98 with the message, ``Host address mismatch.''
100 A null terminated user name of at most 16 characters
101 is retrieved on the initial socket. This user name
102 is interpreted as the user identity on the
106 A null terminated user name of at most 16 characters
107 is retrieved on the initial socket. This user name
108 is interpreted as a user identity to use on the
112 A null terminated command to be passed to a
113 shell is retrieved on the initial socket. The length of
114 the command is limited by the upper bound on the size of
115 the system's argument list.
118 then validates the user using
124 file found in the user's home directory. The
128 from doing any validation based on the user's ``.rhosts'' file,
129 unless the user is the superuser.
133 exists and the user is not the superuser,
134 the connection is closed.
136 A null byte is returned on the initial socket
137 and the command line is passed to the normal login
138 shell of the user. The
139 shell inherits the network connections established
144 Transport-level keepalive messages are enabled unless the
147 The use of keepalive messages allows sessions to be timed out
148 if the client crashes or becomes unreachable.
152 option causes all successful accesses to be logged to
159 Enable kerberos authentication.
161 Do not expect to be spawned by inetd and create a socket and listen on
164 Specifies the port number it should listen on in case the
168 Vacuous, echo "Remote host requires Kerberos authentication" and exit.
170 Provides an encrypted communications channel. This option requires the
174 AFS only! Doesn't put the remote proccess in a new PAG.
177 Except for the last one listed below,
178 all diagnostic messages
179 are returned on the initial socket,
180 after which any network connections are closed.
181 An error is indicated by a leading byte with a value of
182 1 (0 is returned in step 10 above upon successful completion
183 of all the steps prior to the execution of the login shell).
184 .Bl -tag -width indent
185 .It Sy Locuser too long.
186 The name of the user on the client's machine is
187 longer than 16 characters.
188 .It Sy Ruser too long.
189 The name of the user on the remote machine is
190 longer than 16 characters.
191 .It Sy Command too long .
192 The command line passed exceeds the size of the argument
193 list (as configured into the system).
194 .It Sy Login incorrect.
195 No password file entry for the user name existed.
196 .It Sy Remote directory.
199 command to the home directory failed.
200 .It Sy Permission denied.
201 The authentication procedure described above failed.
202 .It Sy Can't make pipe.
203 The pipe needed for the
206 .It Sy Can't fork; try again.
209 by the server failed.
210 .It Sy <shellname>: ...
211 The user's login shell could not be started. This message is returned
212 on the connection associated with the
214 and is not preceded by a flag byte.
221 A more extensible protocol (such as Telnet) should be used.