[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]
Commands Reference, Volume 3
krshd Daemon
Purpose
Provides the server function for remote command execution.
/usr/sbin/krshd
Note: The rshd daemon is normally started by the inetd daemon. It
can also be controlled from the command line, using SRC commands.
Description
The /usr/sbin/krshd daemon is the server for the rcp and rsh commands
using Kerberos authentication. The krshd daemon provides remote execution of shell
commands. These commands are based on requests from privileged sockets on trusted hosts. The shell
commands must have user authentication. The krshd daemon listens at the kshell socket
defined in the /etc/services file.
Changes to the krshd daemon can be made using the System Management Interface Tool
(SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or
/etc/services file. Entering krshd at the command line is not recommended. The
krshd daemon is started by default when it is uncommented in the /etc/inetd.conf
file.
The inetd daemon gets its information from the /etc/inetd.conf file and the
/etc/services file.
After changing the /etc/inetd.conf or /etc/services file, run the refresh -s
inetd or kill 1 InetdPID command to inform the inetd daemon of the changes to
its configuration file.
Service Request Protocol
When the krshd daemon receives a service request, it initiates the following protocol:
- The krshd daemon checks the source port number for the request. If the port number is
not in the range 0 through 1023, the krshd daemon terminates the connection.
- The krshd daemon reads characters from the socket up to a null byte. The string read is
interpreted as an ASCII number (base 10). If this number is nonzero, the krshd daemon
interprets it as the port number of a secondary stream to be used as standard error. A second
connection is created to the specified port on the client host. The source port on the local host
is also in the range 0 through 1023.
- The krshd daemon uses the source address of the initial connection request to determine
the name of the client host. If the name cannot be determined, the krshd daemon uses the
dotted decimal representation of the client host's address.
- The krshd daemon retrieves the following information from the initial socket:
- A Kerberos service ticket.
- A null-terminated string of at most 16 bytes interpreted as the user name of the user on the
client host.
- Another null-terminated string interpreted as a command line to be passed to a shell on the
local server host.
- A null-terminated string of at most 16 bytes interpreted as the user name to be used on the
local server host.
- If the service ticket was a Kerberos 5 ticket, the daemon will expect either a Kerberos 5 TGT
or a null string.
- The krshd daemon attempts to validate the user using the following steps:
- makes sure that Kerberos 5 is a valid authentication method if the incoming
ticket is a Kerberos 5 ticket. Likewise, if the incoming ticket is a Kerberos 4 ticket, the
Kerberos 4 authentication method must be configured.
- calls kvalid_user with the local account name as well as the DCE Principal.
- Once krshd validates the user, the krshd daemon returns a null byte on the
initial connection. If the connection is a Kerberos 5 ticket and the TGT is sent, the command
line passes to the k5dcelogin command, (which upgrades it to full DCE credentials). If the
TGT is not sent or if the connection is a Kerberos 4 ticket, the command line passes to the user's
local login shell. The shell then inherits the network connections established by the krshd
daemon.
The krshd daemon is controlled by using the System Management Interface
Tool (SMIT) or by changing the /etc/inetd.conf file. Entering krshd at the
command line is not recommended.
Manipulating the krshd Daemon
The krshd daemon is a subserver of the inetd daemon, which is a subsystem of the
System Resource Controller (SRC). The krshd daemon is a member of the tcpip SRC subsystem
group. Using the chauthent command will comment/uncomment the kshell line in the /etc/inetd.conf file and restart the inetd daemon depending on whether Kerberos 5 or Kerberos 4 is configured/unconfigured. This daemon should be manipulated using the chauthent/lsauthent commands. Direct modification of the inetd.conf file's kshell entry in not recommended.
Related Information
The rsh command.
The inetd daemon.
The kvalid_user function.
The
/etc/hosts.equiv file format, /etc/inetd.conf file format, and /etc/services file format.
Network Overview in AIX Version 4.3 System Management Guide: Communications and Networks.
Secure Rcmds in AIX Version 4.3 System User's Guide: Communications and Networks.
[ Next Article |
Previous Article |
Book Contents |
Library Home |
Legal |
Search ]