krshd Daemon

Purpose

Provides the server function for remote command execution.

Syntax

/usr/sbin/krshd

Note: The rshd daemon is normally started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

Description

The /usr/sbin/krshd daemon is the server for the rcp and rsh commands using Kerberos authentication. The krshd daemon provides remote execution of shell commands. These commands are based on requests from privileged sockets on trusted hosts. The shell commands must have user authentication. The krshd daemon listens at the kshell socket defined in the /etc/services file.

Changes to the krshd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or /etc/services file. Entering krshd at the command line is not recommended. The krshd daemon is started by default when it is uncommented in the /etc/inetd.conf file.

The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.

After changing the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration file.

Service Request Protocol

When the krshd daemon receives a service request, it initiates the following protocol:

  1. The krshd daemon checks the source port number for the request. If the port number is not in the range 0 through 1023, the krshd daemon terminates the connection.
  2. The krshd daemon reads characters from the socket up to a null byte. The string read is interpreted as an ASCII number (base 10). If this number is nonzero, the krshd daemon interprets it as the port number of a secondary stream to be used as standard error. A second connection is created to the specified port on the client host. The source port on the local host is also in the range 0 through 1023.
  3. The krshd daemon uses the source address of the initial connection request to determine the name of the client host. If the name cannot be determined, the krshd daemon uses the dotted decimal representation of the client host's address.
  4. The krshd daemon retrieves the following information from the initial socket:
    • A Kerberos service ticket.
    • A null-terminated string of at most 16 bytes interpreted as the user name of the user on the client host.
    • Another null-terminated string interpreted as a command line to be passed to a shell on the local server host.
    • A null-terminated string of at most 16 bytes interpreted as the user name to be used on the local server host.
    • If the service ticket was a Kerberos 5 ticket, the daemon will expect either a Kerberos 5 TGT or a null string.
  5. The krshd daemon attempts to validate the user using the following steps:
    • Makes sure that Kerberos 5 is a valid authentication method if the incoming ticket is a Kerberos 5 ticket. Likewise, if the incoming ticket is a Kerberos 4 ticket, the Kerberos 4 authentication method must be configured.
    • Calls kvalid_user with the local account name as well as the DCE Principal.
  6. Once krshd validates the user, the krshd daemon returns a null byte on the initial connection. If the connection uses a Kerberos 5 ticket and the TGT is sent, the command line passes to the k5dcelogin command (which upgrades it to full DCE credentials). If the TGT is not sent or if the connection uses a Kerberos 4 ticket, the command line passes to the user's local login shell. The shell then inherits the network connections established by the krshd daemon.

    The krshd daemon is controlled by using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Entering krshd at the command line is not recommended.
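The field checks in steps 1, 2 and 4 of the Service Request Protocol, as an added example in C (not the krshd source). It covers only the null-terminated fields; the Kerberos ticket is not parsed. Assumptions: the 16-byte limit includes the terminating null, and CMD_MAX_BYTES, struct krsh_req and all function names are hypothetical.

```c
#include <stddef.h>

#define NAME_MAX_BYTES 16    /* assumption: the 16-byte limit includes the null */
#define CMD_MAX_BYTES  4096  /* assumption: the page states no command-line limit */

/* Step 1: the client's source port must be in the range 0 through 1023. */
int port_is_privileged(long port) { return port >= 0 && port <= 1023; }

/* Copy one null-terminated field from buf[*off..len) into out (cap bytes).
 * Returns 0 and advances *off past the null byte; returns -1 if no null
 * byte is found within cap bytes or before the input ends. */
int read_field(const unsigned char *buf, size_t len, size_t *off,
               char *out, size_t cap)
{
    for (size_t i = 0; i < cap && *off + i < len; i++) {
        out[i] = (char)buf[*off + i];
        if (out[i] == '\0') { *off += i + 1; return 0; }
    }
    return -1;
}

/* Step 2: base-10 ASCII port of the standard error stream; 0 means none.
 * Returns the port, or -1 if the field is malformed or out of range. */
long parse_stderr_port(const unsigned char *buf, size_t len, size_t *off)
{
    char digits[6];                       /* "65535" plus the null byte */
    long port = 0;
    if (read_field(buf, len, off, digits, sizeof digits) != 0) return -1;
    for (const char *p = digits; *p; p++) {
        if (*p < '0' || *p > '9') return -1;
        port = port * 10 + (*p - '0');
    }
    return port <= 65535 ? port : -1;
}

struct krsh_req { char ruser[NAME_MAX_BYTES], cmd[CMD_MAX_BYTES], luser[NAME_MAX_BYTES]; };

/* Step 4, string fields only, in the order the list gives them:
 * client user name, command line, local user name. */
int parse_fields(const unsigned char *buf, size_t len, struct krsh_req *r)
{
    size_t off = 0;
    if (read_field(buf, len, &off, r->ruser, sizeof r->ruser) != 0) return -1;
    if (read_field(buf, len, &off, r->cmd, sizeof r->cmd) != 0) return -1;
    if (read_field(buf, len, &off, r->luser, sizeof r->luser) != 0) return -1;
    return 0;
}
```

An over-long or unterminated field is rejected rather than truncated, so a user name can never be silently shortened into a different account name.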

Manipulating the krshd Daemon

The krshd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The krshd daemon is a member of the tcpip SRC subsystem group. Using the chauthent command will comment/uncomment the kshell line in the /etc/inetd.conf file and restart the inetd daemon depending on whether Kerberos 5 or Kerberos 4 is configured/unconfigured. This daemon should be manipulated using the chauthent/lsauthent commands. Direct modification of the inetd.conf file's kshell entry is not recommended.