153 lines
4.5 KiB
Groff
153 lines
4.5 KiB
Groff
|
.\" from: kshd.8,v 4.1 89/01/23 11:39:41 jtkohl Exp $
|
||
|
|
.\" $Id: kshd.8,v 1.2 1994/07/19 19:27:50 g89r4222 Exp $
|
||
|
|
.\"
|
||
|
|
.\" Copyright (c) 1983 The Regents of the University of California.
|
||
|
|
.\" All rights reserved.
|
||
|
|
.\"
|
||
|
|
.\" Redistribution and use in source and binary forms are permitted
|
||
|
|
.\" provided that the above copyright notice and this paragraph are
|
||
|
|
.\" duplicated in all such forms and that any documentation,
|
||
|
|
.\" advertising materials, and other materials related to such
|
||
|
|
.\" distribution and use acknowledge that the software was developed
|
||
|
|
.\" by the University of California, Berkeley. The name of the
|
||
|
|
.\" University may not be used to endorse or promote products derived
|
||
|
|
.\" from this software without specific prior written permission.
|
||
|
|
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
||
|
|
.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||
|
|
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
|
.\"
|
||
|
|
.\" @(#)rshd.8 6.5 (Berkeley) 9/19/88
|
||
|
|
.\"
|
||
|
|
.TH KSHD 8 "Kerberos Version 4.0" "MIT Project Athena"
|
||
|
|
.UC 5
|
||
|
|
.SH NAME
|
||
|
|
kshd \- remote shell server
|
||
|
|
.SH SYNOPSIS
|
||
|
|
.B /usr/etc/kshd
|
||
|
|
.SH DESCRIPTION
|
||
|
|
.I Kshd
|
||
|
|
is the server for the
|
||
|
|
.IR kcmd (3)
|
||
|
|
routine and, consequently, for the
|
||
|
|
.IR rsh (1)
|
||
|
|
program. The server provides remote execution facilities
|
||
|
|
with authentication based on Kerberos.
|
||
|
|
.PP
|
||
|
|
.I Kshd
|
||
|
|
listens for service requests at the port indicated in
|
||
|
|
the ``kshell'' service specification; see
|
||
|
|
.IR services (5).
|
||
|
|
When a service request is received the following protocol
|
||
|
|
is initiated:
|
||
|
|
.IP 1)
|
||
|
|
The server reads characters from the socket up
|
||
|
|
to a null (`\e0') byte. The resultant string is
|
||
|
|
interpreted as an ASCII number, base 10.
|
||
|
|
.IP 2)
|
||
|
|
If the number received in step 1 is non-zero,
|
||
|
|
it is interpreted as the port number of a secondary
|
||
|
|
stream to be used for the
|
||
|
|
.BR stderr .
|
||
|
|
A second connection is then created to the specified
|
||
|
|
port on the client's machine.
|
||
|
|
.IP 3)
|
||
|
|
The server checks the client's source address
|
||
|
|
and requests the corresponding host name (see
|
||
|
|
.IR gethostbyaddr (3N),
|
||
|
|
.IR hosts (5)
|
||
|
|
and
|
||
|
|
.IR named (8)).
|
||
|
|
If the hostname cannot be determined,
|
||
|
|
the dot-notation representation of the host address is used.
|
||
|
|
.IP 4)
|
||
|
|
A Kerberos ticket/authenticator pair are retrieved on the initial socket.
|
||
|
|
.IP 5)
|
||
|
|
A null terminated user name of at most 16 characters
|
||
|
|
is retrieved on the initial socket. This user name
|
||
|
|
is interpreted as a user identity to use on the
|
||
|
|
.BR server 's
|
||
|
|
machine.
|
||
|
|
.IP 6)
|
||
|
|
A null terminated command to be passed to a
|
||
|
|
shell is retrieved on the initial socket. The length of
|
||
|
|
the command is limited by the upper bound on the size of
|
||
|
|
the system's argument list.
|
||
|
|
.IP 7)
|
||
|
|
.I Kshd
|
||
|
|
then validates the user according to the following steps.
|
||
|
|
The local (server-end) user name is looked up in the password file
|
||
|
|
and a
|
||
|
|
.I chdir
|
||
|
|
is performed to the user's home directory. If either
|
||
|
|
the lookup or
|
||
|
|
.I chdir
|
||
|
|
fail, the connection is terminated. The \&.klogin file in the home
|
||
|
|
directory is used to mediate access to the account (via \fIkuserok\fP(3))
|
||
|
|
by the Kerberos principal named in the ticket/authenticator. If this
|
||
|
|
authorization check fails, the connection is terminated.
|
||
|
|
.IP 8)
|
||
|
|
A null byte is returned on the initial socket
|
||
|
|
and the command line is passed to the normal login
|
||
|
|
shell of the user. The
|
||
|
|
shell inherits the network connections established
|
||
|
|
by
|
||
|
|
.IR kshd .
|
||
|
|
.SH DIAGNOSTICS
|
||
|
|
Except for the last one listed below,
|
||
|
|
all diagnostic messages
|
||
|
|
are returned on the initial socket,
|
||
|
|
after which any network connections are closed.
|
||
|
|
An error is indicated by a leading byte with a value of
|
||
|
|
1 (0 is returned in step 8 above upon successful completion
|
||
|
|
of all the steps prior to the execution of the login shell).
|
||
|
|
.PP
|
||
|
|
.B ``remuser too long''
|
||
|
|
.br
|
||
|
|
The name of the user on the remote machine is
|
||
|
|
longer than 16 characters.
|
||
|
|
.PP
|
||
|
|
.B ``command too long ''
|
||
|
|
.br
|
||
|
|
The command line passed exceeds the size of the argument
|
||
|
|
list (as configured into the system).
|
||
|
|
.PP
|
||
|
|
.B ``Login incorrect.''
|
||
|
|
.br
|
||
|
|
No password file entry for the user name existed.
|
||
|
|
.PP
|
||
|
|
.B ``No remote directory.''
|
||
|
|
.br
|
||
|
|
The
|
||
|
|
.I chdir
|
||
|
|
command to the home directory failed.
|
||
|
|
.PP
|
||
|
|
.B ``Permission denied.''
|
||
|
|
.br
|
||
|
|
The authorization procedure described above failed.
|
||
|
|
.PP
|
||
|
|
.B ``Can't make pipe.''
|
||
|
|
.br
|
||
|
|
The pipe needed for the
|
||
|
|
.BR stderr ,
|
||
|
|
wasn't created.
|
||
|
|
.PP
|
||
|
|
.B ``Try again.''
|
||
|
|
.br
|
||
|
|
A
|
||
|
|
.I fork
|
||
|
|
by the server failed.
|
||
|
|
.PP
|
||
|
|
.B ``<shellname>: ...''
|
||
|
|
.br
|
||
|
|
The user's login shell could not be started. This message is returned
|
||
|
|
on the connection associated with the
|
||
|
|
.BR stderr ,
|
||
|
|
and is not preceded by a flag byte.
|
||
|
|
.SH SEE ALSO
|
||
|
|
rsh(1), kerberos(3), kuserok(3)
|
||
|
|
.SH BUGS
|
||
|
|
A facility to allow all data exchanges to be encrypted should be
|
||
|
|
present.
|
||
|
|
.PP
|
||
|
|
A more extensible protocol should be used.
|