Commands Reference, Volume 3
Provides the server function for remote command execution.
/usr/sbin/krshd
Note: The krshd daemon is normally started by the
inetd daemon. It can also be controlled from the command
line, using SRC commands.
The /usr/sbin/krshd daemon is the server for the rcp
and rsh commands when they use Kerberos authentication. The
krshd daemon provides remote execution of shell commands.
Requests must originate from privileged (reserved) source ports on
trusted hosts, and the requesting user must be authenticated by a
Kerberos ticket. The krshd daemon listens on the kshell socket defined in the
/etc/services file.
Changes to the krshd daemon can be made using the System
Management Interface Tool (SMIT) or the System Resource Controller (SRC), or by
editing the /etc/inetd.conf or /etc/services
file. Entering krshd at the command line is not
recommended. The krshd daemon is started by default when its
entry is uncommented in the /etc/inetd.conf file.
The inetd daemon gets its information from the
/etc/inetd.conf file and the /etc/services
file.
After changing the /etc/inetd.conf or
/etc/services file, run the refresh -s inetd or
kill -1 InetdPID command to inform the inetd daemon of
the changes to its configuration file.
When the krshd daemon receives a service request, it carries out
the following protocol:
- The krshd daemon checks the source port number of the
request. If the port number is not in the range 0 through 1023, the
krshd daemon terminates the connection. A reserved source port only
shows that a privileged process on the client host opened the connection;
the user is authenticated by the Kerberos ticket read later in the exchange.
- The krshd daemon reads characters from the socket up to a null
byte. The string read is interpreted as an ASCII number (base
10). If this number is nonzero, the krshd daemon interprets
it as the port number of a secondary stream to be used as standard
error, and creates a second connection to that port on the
client host. The local source port of this second connection is also in
the range 0 through 1023.
- The krshd daemon uses the source address of the initial
connection request to determine the name of the client host. If the
name cannot be determined, the krshd daemon uses the dotted decimal
representation of the client host's address.
- The krshd daemon retrieves the following information from the
initial socket:
- A Kerberos service ticket.
- A null-terminated string of at most 16 bytes interpreted as the user name
of the user on the client host.
- Another null-terminated string interpreted as a command line to be passed
to a shell on the local server host.
- A null-terminated string of at most 16 bytes interpreted as the user name
to be used on the local server host.
- If the service ticket is a Kerberos 5 ticket, the daemon then expects
either a Kerberos 5 TGT or a null string.
- The krshd daemon attempts to validate the user using the following
steps:
- It checks that Kerberos 5 is a configured authentication method if the
incoming ticket is a Kerberos 5 ticket. Likewise, if the incoming
ticket is a Kerberos 4 ticket, Kerberos 4 must be a configured
authentication method.
- It calls kvalid_user with the local account name and the
DCE principal.
- Once krshd validates the user, the krshd daemon
returns a null byte on the initial connection. If the ticket is a
Kerberos 5 ticket and a TGT was sent, the command line is passed to the
k5dcelogin command, which upgrades the credentials to full DCE
credentials. If no TGT was sent, or if the ticket is a Kerberos
4 ticket, the command line is passed to the user's local login shell.
The shell then inherits the network connections established by the
krshd daemon.
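The request framing described in the protocol steps above, as an added example that is not part of the AIX documentation or of krshd: a client-side builder and a server-side parser for the fields krshd reads from the initial socket, with the checks the page lists (reserved source port, base-10 stderr port terminated by a null byte, user names of at most 16 bytes, and a TGT or null string only for Kerberos 5). The Kerberos ticket and TGT are framed here as a 4-byte big-endian length followed by opaque bytes; that framing is an assumption of the example, since the real exchange is performed by the Kerberos library and its wire format is not on this page.

```python
"""Request framing for the kshell service as described for krshd.

Added illustration, not AIX code. It models only what the page describes:
a reserved client source port, an ASCII stderr port terminated by a NUL, a
Kerberos service ticket, two user names of at most 16 bytes, a command line,
and (for Kerberos 5) an optional TGT. ASSUMPTION: the ticket and TGT are
framed as a 4-byte big-endian length plus opaque bytes; the real exchange is
done by the Kerberos library and its wire format is not on the page.
"""
import io
import struct

MAX_NAME_LEN = 16          # "at most 16 bytes" for each user name
RESERVED_PORT_MAX = 1023   # the page's range 0 through 1023
MAX_PORT = 65535


class KshellRequestError(Exception):
    """Raised when the request violates the framing; krshd drops the connection."""


def _read_cstring(stream, limit=None):
    """Read bytes up to a NUL. With a limit, reject (never truncate) longer
    input, so a name can never overrun a fixed 16-byte buffer in a server."""
    buf = bytearray()
    while True:
        ch = stream.read(1)
        if not ch:
            raise KshellRequestError("stream ended before NUL terminator")
        if ch == b"\x00":
            return bytes(buf)
        buf += ch
        if limit is not None and len(buf) > limit:
            raise KshellRequestError("string longer than %d bytes" % limit)


def _read_blob(stream):
    """Assumed length-prefixed framing for the opaque ticket/TGT bytes."""
    hdr = stream.read(4)
    if len(hdr) != 4:
        raise KshellRequestError("truncated length prefix")
    (n,) = struct.unpack(">I", hdr)
    data = stream.read(n)
    if len(data) != n:
        raise KshellRequestError("truncated ticket data")
    return data


def _blob(data):
    return struct.pack(">I", len(data)) + data


def build_kshell_request(ticket, client_user, command, local_user,
                         stderr_port=0, tgt=b"", ticket_version=5):
    """Client side: serialise a request in the order krshd reads it."""
    for field in (client_user, local_user):
        if len(field) > MAX_NAME_LEN or b"\x00" in field:
            raise ValueError("user name must be at most 16 bytes without NUL")
    if b"\x00" in command:
        raise ValueError("command line may not contain NUL")
    out = str(stderr_port).encode("ascii") + b"\x00"   # "0" means no stderr stream
    out += _blob(ticket)
    out += client_user + b"\x00" + command + b"\x00" + local_user + b"\x00"
    if ticket_version == 5:
        out += _blob(tgt)          # zero length stands for the "null string"
    return out


def parse_kshell_request(source_port, payload, ticket_version=5):
    """Server side: apply the checks from the page and return the fields.
    Bytes after the request are not consumed; on a real connection they are
    the command's standard input, which the shell inherits."""
    if not 0 <= source_port <= RESERVED_PORT_MAX:
        raise KshellRequestError("source port %d is not reserved" % source_port)
    stream = io.BytesIO(payload)
    port_text = _read_cstring(stream, limit=5)    # 65535 is five digits
    if not port_text.isdigit():
        raise KshellRequestError("stderr port is not a base-10 number")
    stderr_port = int(port_text)
    if stderr_port > MAX_PORT:
        raise KshellRequestError("stderr port out of range")
    ticket = _read_blob(stream)
    client_user = _read_cstring(stream, MAX_NAME_LEN)
    command = _read_cstring(stream)
    local_user = _read_cstring(stream, MAX_NAME_LEN)
    tgt = _read_blob(stream) if ticket_version == 5 else b""
    return {
        "stderr_port": stderr_port,    # 0: no secondary connection is opened
        "ticket": ticket,
        "client_user": client_user,
        "command": command,
        "local_user": local_user,
        "tgt": tgt,                    # b"": no TGT, command goes to local shell
    }
```

The parser rejects an over-long user name outright rather than truncating it, and it validates the stderr port before anything else is read, because a server that opened the secondary connection first would be connecting back to a client-chosen port before any authentication had taken place.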
The krshd daemon is controlled by using the System Management
Interface Tool (SMIT) or by changing the /etc/inetd.conf
file. Entering krshd at the command line is not
recommended.
The krshd daemon is a subserver of the inetd daemon,
which is a subsystem of the System Resource Controller (SRC). The
krshd daemon is a member of the tcpip SRC subsystem group.
The chauthent command comments or uncomments the kshell line
in the /etc/inetd.conf file and restarts the inetd
daemon, depending on whether Kerberos 5 or Kerberos 4 is
configured or unconfigured. This daemon should be managed using the
chauthent and lsauthent commands. Direct modification
of the kshell entry in the inetd.conf file is not
recommended.
- The rsh command.
- The inetd daemon.
- The kvalid_user function.
- The /etc/hosts.equiv file format, /etc/inetd.conf file format, and /etc/services file format.
- Network Overview in AIX 5L Version 5.1 System Management Guide: Communications and Networks.
- Secure Rcmds in AIX 5L Version 5.1 System User's Guide: Communications and Networks.