.\" Copyright (c) 1983, 1989, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
.\" $FreeBSD: src/libexec/rshd/rshd.8,v 1.18.2.5 2001/08/16 10:44:18 ru Exp $
.\" $DragonFly: src/libexec/rshd/rshd.8,v 1.4 2006/02/17 19:33:31 swildner Exp $
.Nd remote shell server
routine and, consequently, for the
program. The server provides remote execution facilities
with authentication based on privileged port numbers from trusted hosts.
listens for service requests at the port indicated in
service specification; see
When a service request is received the following protocol
The server checks the client's source port.
If the port is not in the range 512-1023, the server
aborts the connection.
The server reads characters from the socket up
(`\e0') byte. The resultant string is
If the number received in step 2 is non-zero,
it is interpreted as the port number of a secondary
stream to be used for the
A second connection is then created to the specified
port on the client's machine. The source port of this
second connection is also in the range 512-1023.
The server checks the client's source address
and requests the corresponding host name (see
If the hostname cannot be determined or the hostname and address do
not match after verification,
the dot-notation representation of the host address is used.
A null terminated user name of at most 16 characters
is retrieved on the initial socket. This user name
is interpreted as the user identity on the
A null terminated user name of at most 16 characters
is retrieved on the initial socket. This user name
is interpreted as a user identity to use on the
A null terminated command to be passed to a
shell is retrieved on the initial socket. The length of
the command is limited by the upper bound on the size of
the system's argument list.
then validates the user using
file found in the user's home directory. The
from doing any validation based on the user's
unless the user is the superuser.
exists and the user is not the superuser,
the connection is closed.
The name of the nologin file may be overridden
using the nologin capability in
according to the local user's login class,
which may also be used to restrict
login time (times.allow and times.deny capabilities)
and remote host (hosts.allow and hosts.deny capabilities).
byte is returned on the initial socket
and the command line is passed to the normal login
shell of the user. The
shell inherits the network connections established
The options are as follows:
.Bl -tag -width indent
Display the usage message, and exit.
Sets the TCP_NODELAY socket option, which improves the performance
of small back-to-back writes at the expense of additional network
Causes all successful accesses to be logged to
This flag is ignored, and is present for compatibility purposes.
Do not use the user's
file for authentication, unless the user is the superuser.
Turn off transport level keepalive messages. This will prevent sessions
from timing out if the client crashes or becomes unreachable.
.Bl -tag -width /var/run/nologin -compact
.It Pa /etc/hosts.equiv
.It Pa /etc/login.conf
.It Ev $HOME Ns Pa /.rhosts
.It Pa /var/run/nologin
Except for the last one listed below,
all diagnostic messages
are returned on the initial socket,
after which any network connections are closed.
An error is indicated by a leading byte with a value of
1 (0 is returned in step 10 above upon successful completion
of all the steps prior to the execution of the login shell).
.Bl -tag -width indent
.It Sy Locuser too long.
The name of the user on the client's machine is
longer than 16 characters.
.It Sy Ruser too long.
The name of the user on the remote machine is
longer than 16 characters.
.It Sy Command too long.
The command line passed exceeds the size of the argument
list (as configured into the system).
.It Sy Login incorrect.
No password file entry for the user name existed
or the authentication procedure described above failed.
.It Sy Remote directory.
function to the home directory failed.
.It Sy Logins not available right now.
was attempted outside the allowed hours defined in
for the local user's login class.
.It Sy Can't make pipe.
The pipe needed for the
.It Sy Can't fork; try again.
by the server failed.
.It Sy <shellname>: ...
The user's login shell could not be started. This message is returned
on the connection associated with the
and is not preceded by a flag byte.
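The request format of the protocol steps above (the NUL-terminated port,
locuser, ruser and command fields read on the initial socket, the reserved
source port check, and the flag byte followed by one of the diagnostics
just listed) as an added example in Python. This is not code from rshd or
from any BSD source. The hostname lookup, ruserok(3) with hosts.equiv and
.rhosts, the nologin file and the login-class checks are stood in for by a
caller-supplied authenticate callback; the ARG_MAX value, the five-digit
limit on the port field and the newline after a diagnostic are assumptions
of this example, and all requests in it are constructed, not captured.

```python
"""Encoder and checker for the request rshd reads on its initial socket.

Added example for this page; it is not code from rshd or from any BSD source.
It covers the byte-level part of the protocol described above (steps 1, 2 and
7 through 10) and the diagnostics returned behind the leading 0x01 byte.
Hostname lookup (steps 5-6), ruserok(3) with hosts.equiv and .rhosts, the
nologin file and the login-class checks are stood in for by a caller-supplied
``authenticate`` callback.  ARG_MAX, the five-digit limit on the port field
and the newline after a diagnostic are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

RESERVED_PORTS = range(512, 1024)  # step 1: the client's source port must lie here
MAX_NAME = 16                      # steps 7-8: locuser and ruser are at most 16 characters
ARG_MAX = 256 * 1024               # assumed upper bound on the system's argument list


@dataclass(frozen=True)
class RshRequest:
    stderr_port: int  # 0 means "no secondary stream for standard error" (step 3)
    locuser: str      # the identity the client claims on its own machine
    ruser: str        # the identity to use on the server
    command: str      # handed unchanged to the user's login shell


class FieldTooLong(ValueError):
    """A NUL-terminated field did not end within its buffer."""


def encode_request(stderr_port: int, locuser: str, ruser: str, command: str) -> bytes:
    """What an rsh client writes on the initial socket: four NUL-terminated
    ASCII fields, the first being the decimal stderr port ("0" for none)."""
    fields = [str(stderr_port), locuser, ruser, command]
    if any("\0" in f for f in fields):
        raise ValueError("fields are NUL-terminated and cannot contain NUL")
    return b"".join(f.encode("ascii") + b"\0" for f in fields)


def _field(buf: bytes, pos: int, limit: int) -> Tuple[str, int]:
    """Read one NUL-terminated field starting at pos; refuse it past `limit` characters."""
    end = buf.find(b"\0", pos)
    if end < 0:
        raise ValueError("truncated request")  # client went away mid-field
    if end - pos > limit:
        raise FieldTooLong()
    return buf[pos:end].decode("ascii"), end + 1


def _error(text: str) -> bytes:
    """Diagnostic reply: flag byte 1, then the text (trailing newline assumed)."""
    return b"\x01" + text.encode("ascii") + b"\n"


def handle_request(src_port: int, stream: bytes,
                   authenticate: Callable[[str, str], bool]
                   ) -> Tuple[bytes, Optional[RshRequest]]:
    """Server side.  Returns (reply on the initial socket, parsed request).

    (b"", None)          connection dropped without a word (step 1, truncated stream)
    (b"\\x01...", None)  one of the diagnostics listed above
    (b"\\x00", request)  step 10: the command would now go to the login shell
    """
    if src_port not in RESERVED_PORTS:              # step 1
        return b"", None
    try:
        port_text, pos = _field(stream, 0, 5)       # step 2
        stderr_port = int(port_text)
        if not 0 <= stderr_port <= 65535:
            raise ValueError("not a port number")
    except ValueError:                              # includes FieldTooLong
        return b"", None
    values = []
    for name, limit in (("Locuser", MAX_NAME), ("Ruser", MAX_NAME), ("Command", ARG_MAX)):
        try:                                        # steps 7, 8 and 9
            value, pos = _field(stream, pos, limit)
        except FieldTooLong:
            return _error(name + " too long."), None
        except ValueError:
            return b"", None
        values.append(value)
    locuser, ruser, command = values
    # Nothing above verifies locuser: it is whatever the client asserted, and
    # the only thing vouching for it is the reserved source port (see BUGS).
    if not authenticate(locuser, ruser):
        return _error("Login incorrect."), None
    return b"\x00", RshRequest(stderr_port, locuser, ruser, command)


def equiv_authenticator(equiv: Set[Tuple[str, str]]) -> Callable[[str, str], bool]:
    """Constructed stand-in for ruserok(3): the client host is taken as already
    verified and `equiv` lists the (locuser, ruser) pairs it may use.  This is
    not the hosts.equiv/.rhosts file format."""
    return lambda locuser, ruser: (locuser, ruser) in equiv


if __name__ == "__main__":
    auth = equiv_authenticator({("alice", "alice"), ("root", "alice")})
    # Constructed requests, not captured traffic.
    print(handle_request(1023, encode_request(1021, "alice", "alice", "uptime"), auth))
    print(handle_request(1022, encode_request(0, "root", "alice", "id"), auth))
    print(handle_request(40000, encode_request(0, "alice", "alice", "id"), auth))
    print(handle_request(1023, encode_request(0, "a" * 17, "alice", "id"), auth))
```

The second request in the demo is accepted with locuser "root" although
nothing in the exchange proves that claim; the server relies on the source
port being reserved on the client host, which is exactly the assumption the
BUGS section calls out.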
.Xr gethostbyaddr 3 ,
IPv6 support was added by WIDE/KAME project.
The authentication procedure used here assumes the integrity
of each client machine and the connecting medium. This is
insecure, but is useful in an
A facility to allow all data exchanges to be encrypted should be
A more extensible protocol (such as Telnet) should be used.