Commands Reference, Volume 3
krshd Daemon
Purpose
Provides the server function for remote command execution.
Syntax
/usr/sbin/krshd
Note: The krshd daemon is
normally started by the inetd daemon. It can also be
controlled from the command line, using SRC commands.
Description
The /usr/sbin/krshd daemon is the server for the rcp and rsh commands when they use Kerberos
authentication. The krshd daemon provides remote execution
of shell commands. It accepts requests only from privileged source ports
on trusted hosts, and every request must carry user authentication in the form of a Kerberos ticket. The krshd daemon listens at the kshell port defined in the /etc/services file.
Changes to the krshd daemon can be made using the
System Management Interface Tool (SMIT) or System Resource Controller (SRC),
or by editing the /etc/inetd.conf or /etc/services file. Entering krshd at the command
line is not recommended. The krshd daemon is started
by the inetd daemon when its kshell entry is uncommented in the /etc/inetd.conf file.
The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.
After changing the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration file.
Service Request Protocol
When the krshd daemon receives a service request,
it initiates the following protocol:
- The krshd daemon checks the source port number for
the request. If the port number is not in the range 0 through 1023 (a privileged port, which only a root process on the client can bind), the krshd daemon terminates the connection.
- The krshd daemon reads characters from the socket
up to a null byte. The string read is interpreted as an ASCII number (base
10). If this number is nonzero, the krshd daemon interprets
it as the port number of a secondary stream to be used as standard error.
A second connection is created to the specified port on the client host.
The source port on the local host is also in the range 0 through 1023.
- The krshd daemon uses the source address of the
initial connection request to determine the name of the client host. If the
name cannot be determined, the krshd daemon uses the
dotted decimal representation of the client host's address.
- The krshd daemon retrieves the following information
from the initial socket:
- A Kerberos service ticket.
- A null-terminated string of at most 16 bytes interpreted as the user name
of the user on the client host.
- Another null-terminated string interpreted as a command line to be passed
to a shell on the local server host.
- A null-terminated string of at most 16 bytes interpreted as the user name
to be used on the local server host.
- If the service ticket is a Kerberos 5 ticket, the daemon then expects
either a forwarded Kerberos 5 TGT or a null string.
- The krshd daemon attempts to validate the user using the following steps:
- makes sure that Kerberos 5 is a valid authentication method if the incoming
ticket is a Kerberos 5 ticket. Likewise, if the incoming ticket is a Kerberos
4 ticket, the Kerberos 4 authentication method must be configured.
- calls kvalid_user with the local account name as
well as the DCE Principal.
- Once krshd validates the user, the krshd daemon returns a null byte on the initial connection. If the
ticket is a Kerberos 5 ticket and a TGT was sent, the command line passes
to the k5dcelogin command, which upgrades the Kerberos credentials to full
DCE credentials. If no TGT was sent, or if the ticket is a Kerberos
4 ticket, the command line passes to the user's local login shell. The shell
then inherits the network connections established by the krshd daemon.
The krshd daemon is controlled
by using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Entering krshd
at the command line is not recommended.
Manipulating the krshd Daemon
The krshd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller
(SRC). The krshd daemon is a member of the tcpip SRC
subsystem group. The chauthent command comments or uncomments
the kshell line in the /etc/inetd.conf file and restarts
the inetd daemon, depending on whether Kerberos 5 or
Kerberos 4 is being configured or unconfigured. This daemon should be manipulated using
the chauthent and lsauthent commands.
Direct modification of the kshell entry in the inetd.conf file
is not recommended.
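As an added example that is not part of the page or of AIX, a check of the two files chauthent edits, run over constructed sample contents rather than a live system: it reports whether the kshell line is commented out, which server path inetd would run for it, and which port /etc/services maps kshell to. The extra finding about an enabled plain shell (rshd) entry is an assumption added here, not a check the page prescribes.

```python
"""Audit the kshell entry that chauthent manages (added example, not AIX code)."""

# Constructed sample of inetd.conf lines around the kshell entry chauthent toggles.
SAMPLE_INETD_CONF = """\
## Comments begin with '#'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
#kshell  stream  tcp     nowait  root    /usr/sbin/krshd        krshd
klogin  stream  tcp     nowait  root    /usr/sbin/krlogind     krlogind
"""

# Constructed sample of the matching /etc/services lines.
SAMPLE_SERVICES = """\
shell           514/tcp         cmd             # no passwords used
kshell          544/tcp         krcmd           # Kerberos remote shell
"""

EXPECTED_SERVER = "/usr/sbin/krshd"


def inetd_entry(conf_text, service):
    """Return (enabled, fields) for the named inetd service, or None if absent.
    fields = [service, socktype, proto, wait, user, server_path, args...]."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if fields and fields[0] == service:
            return enabled, fields
    return None


def services_port(services_text, service, proto="tcp"):
    """Port number /etc/services assigns to service/proto, or None."""
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == service:
            port, _, p = fields[1].partition("/")
            if p == proto and port.isdigit():
                return int(port)
    return None


def audit_kshell(conf_text, services_text):
    """Findings an administrator would check after chauthent/lsauthent."""
    findings = []
    entry = inetd_entry(conf_text, "kshell")
    if entry is None:
        return {"enabled": False, "server": None, "port": None,
                "findings": ["no kshell entry in inetd.conf"]}
    enabled, fields = entry
    server = fields[5] if len(fields) > 5 else None
    if enabled and server != EXPECTED_SERVER:
        findings.append("kshell entry runs %s, expected %s" % (server, EXPECTED_SERVER))
    port = services_port(services_text, "kshell")
    if enabled and port is None:
        findings.append("kshell has no tcp port in /etc/services")
    # Added check (assumption, not from the page): unauthenticated rshd listening next to krshd.
    shell = inetd_entry(conf_text, "shell")
    if enabled and shell is not None and shell[0]:
        findings.append("plain shell (rshd) is enabled alongside kshell")
    return {"enabled": enabled, "server": server, "port": port, "findings": findings}
```

On a real host the same functions can be fed the contents of /etc/inetd.conf and /etc/services; the result is a read-only report, so the files themselves stay under chauthent's control as the text recommends.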
Related Information
The rsh command.
The inetd daemon.
The kvalid_user function.
The /etc/hosts.equiv
file format, /etc/inetd.conf
file format, and /etc/services
file format.
Network Overview in AIX 5L Version 5.2 System Management Guide: Communications and Networks.
Secure Rcmds in AIX 5L Version 5.2 System User's Guide: Communications and Networks.