1 .\" $NetBSD: rshd.8,v 1.17 2005/03/09 07:49:08 hubertf Exp $
3 .\" Copyright (c) 1983, 1989, 1991, 1993
4 .\" The Regents of the University of California. All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. Neither the name of the University nor the names of its contributors
15 .\" may be used to endorse or promote products derived from this software
16 .\" without specific prior written permission.
18 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .\" from: @(#)rshd.8 8.1 (Berkeley) 6/4/93
37 .Nd remote shell server
44 server is the server for the
46 routine and, consequently, for the
49 The server provides remote execution facilities
50 with authentication based on privileged port numbers from trusted hosts.
54 server listens for service requests at the port indicated in
57 service specification; see
59 When a service request is received the following protocol
63 The server checks the client's source port.
64 If the port is not in the range 512-1023, the server
65 aborts the connection.
67 The server reads characters from the socket up
71 The resultant string is interpreted as an
75 If the number received in step 2 is non-zero,
76 it is interpreted as the port number of a secondary
77 stream to be used for the
79 A second connection is then created to the specified
80 port on the client's machine.
81 The source port of this
82 second connection is also in the range 512-1023.
84 The server checks the client's source address
85 and requests the corresponding host name (see
90 If the hostname cannot be determined,
91 the dot-notation representation of the host address is used.
92 If the hostname is in the same domain as the server (according to
93 the last two components of the domain name), or if the
96 the addresses for the hostname are requested,
97 verifying that the name and address correspond.
98 If address verification fails, the connection is aborted
100 .Dq Host address mismatch.
102 A null terminated user name of at most 16 characters
103 is retrieved on the initial socket.
104 This user name is interpreted as the user identity on the
108 A null terminated user name of at most 16 characters
109 is retrieved on the initial socket.
110 This user name is interpreted as a user identity to use on the
114 A null terminated command to be passed to a
115 shell is retrieved on the initial socket.
116 The length of the command is limited by the upper
117 bound on the size of the system's argument list.
120 then validates the user using
126 file found in the user's home directory.
131 from doing any validation based on the user's
133 file, unless the user is the superuser.
137 exists and the user is not the superuser,
138 the connection is closed.
140 A null byte is returned on the initial socket
141 and the command line is passed to the normal login
143 The shell inherits the network connections established by
147 Transport-level keepalive messages are enabled unless the
150 The use of keepalive messages allows sessions to be timed out
151 if the client crashes or becomes unreachable.
155 option causes all successful accesses to be logged to
161 Except for the last one listed below,
162 all diagnostic messages
163 are returned on the initial socket,
164 after which any network connections are closed.
165 An error is indicated by a leading byte with a value of
166 1 (0 is returned in step 10 above upon successful completion
167 of all the steps prior to the execution of the login shell).
168 .Bl -tag -width indent
169 .It Sy Locuser too long.
170 The name of the user on the client's machine is
171 longer than 16 characters.
172 .It Sy Ruser too long.
173 The name of the user on the remote machine is
174 longer than 16 characters.
175 .It Sy Command too long .
176 The command line passed exceeds the size of the argument
177 list (as configured into the system).
178 .It Sy Login incorrect.
179 No password file entry for the user name existed.
180 .It Sy Remote directory.
183 to the home directory failed.
184 .It Sy Permission denied.
185 The authentication procedure described above failed.
186 .It Sy Can't make pipe.
187 The pipe needed for the
190 .It Sy Can't fork; try again.
193 by the server failed.
194 .It Sy \*[Lt]shellname\*[Gt]: ...
195 The user's login shell could not be started.
196 This message is returned on the connection associated with the
198 and is not preceded by a flag byte.
209 The authentication procedure used here assumes the integrity
210 of every machine and every network that can reach the rshd/rlogind
212 This is insecure, but is useful in an
216 or a Kerberized version of this server are much more secure.
218 A facility to allow all data exchanges to be encrypted should be
221 A more extensible protocol (such as Telnet) should be used.
224 intentionally rejects accesses from IPv4 mapped address on top of
226 socket, since IPv4 mapped address complicates
227 host-address based authentication.
228 If you would like to accept connections from IPv4 peers, you will