The following command is used in the /etc/inetd.conf file
to define the arguments used to invoke orshd:
orshd [-a] [-d] [-l] [-v] [-c] [-r] [-s] [-k mechanism] [-e] [-m] [-i] [-t]
The following options are supported:
- -a
- Look up the host name for the client address and check that the address
and host name correspond. Use this whenever the client host name is used
for any trust decision (for example with -r), because a forged reverse
lookup would otherwise be accepted at face value.
- -d
- Print debug information to syslogd.
- -l
- Write each successful login to syslogd with the remote user, remote
system, local user, and the command executed.
- -v
- Write the title and PTF level to syslogd.
- -c
- Write all messages in uppercase.
- -r
- If a client passes a null password, invoke the /usr/sbin/ruserok
user exit to authenticate the user ID (rhosts-style host and user trust,
so the client host identity matters; see -a).
- -s
- Invoke the remote shell as a login shell (that is, run /etc/profile
and $HOME/.profile).
- -k mechanism
- Specifies the authentication mechanism to be used to authenticate
the client. Valid values for mechanism are KRB5 and GSSAPI.
- -e
- Require the client to encrypt the connection.
- -m
- Require Kerberos V5 clients to present a cryptographic checksum of the
initial connection information (such as the name of the user that the
client is trying to access) in the initial authenticator. The checksum
provides additional security by preventing an attacker from altering the
initial connection information in transit. If this option is specified,
older Kerberos V5 clients that do not send a checksum in the authenticator
are not able to authenticate to this server. This option is mutually
exclusive with the -i option and is only valid if -k KRB5 is specified.
If neither -m nor -i is specified, checksums are validated when they are
presented. Because it is difficult to remove a checksum from an
authenticator without making the authenticator invalid, this default mode
is almost as significant a security improvement as -m when current clients
are used, and it has the additional advantage of backward compatibility
with some older clients. Clients that predate Kerberos V5 Beta 5 generate
invalid checksums; if such clients must be supported, the -i option is
required.
- -i
- Ignore authenticator checksums if they are presented. This option
discards the authenticator checksum that current Kerberos clients present
to protect the initial connection information; it is the opposite of -m.
It is provided because some older clients (particularly clients predating
the release of Kerberos V5 Beta 5 in May 1995) present invalid checksums
that prevent Kerberos authentication from succeeding in the default mode.
Use it only while such clients remain in service, because it removes the
protection against tampering with the initial connection information.
This option is mutually exclusive with the -m option and is only valid if
-k KRB5 is specified.
- -t
- Use this option to set the KRB5_SERVER_KEYTAB environment variable.
If this environment variable is set, the Security Runtime uses a local
instance of the Kerberos security server to decrypt service tickets
instead of obtaining the key from a key table.
Requirement: The
orshd application must have at least read access to the IRR.RUSERMAP
resource in the FACILITY class in order to use this capability. For
more information, see z/OS Integrated Security Services Network Authentication
Service Administration.
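The option rules above (the set of valid flags, the two -k mechanism values, -m and -i being mutually exclusive and only valid with -k KRB5) can be checked mechanically before inetd is reloaded. The following is an added example, not IBM's code and not part of this document: a small Python script that reads an inetd.conf-style file, finds the entries that invoke orshd, and reports rule violations together with hardening warnings. The sample inetd.conf text and the service names in it are constructed, the warning policy (flag -i, flag -k without -e, flag a missing -l) is a site-policy assumption rather than a documented requirement, and orshd flags are assumed to be given one per token as in the syntax diagram.

```python
"""Audit orshd entries in an inetd.conf-style file (added example, not IBM code).

Rules taken from the orshd option descriptions:
  * only the documented flags are accepted
  * -k takes a mechanism argument that must be KRB5 or GSSAPI
  * -m and -i are mutually exclusive
  * -m and -i are only valid together with -k KRB5
Hardening warnings (assumption: a site policy, not a documented requirement):
  * -i discards authenticator checksums
  * -k without -e authenticates but does not require encryption
  * missing -l means successful logins are not written to syslogd
"""
import shlex

VALID_FLAGS = {"a", "d", "l", "v", "c", "r", "s", "e", "m", "i", "t"}
VALID_MECHANISMS = {"KRB5", "GSSAPI"}


def parse_orshd_args(argv):
    """Parse orshd arguments (argv without argv[0]).

    Returns (flags, mechanism, errors). Flags are assumed to be one per
    token, e.g. ["-a", "-l"], matching the syntax diagram.
    """
    flags, mechanism, errors = set(), None, []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-k":
            if i + 1 == len(argv):
                errors.append("-k requires a mechanism argument")
                break
            mechanism = argv[i + 1]
            if mechanism not in VALID_MECHANISMS:
                errors.append(f"-k {mechanism}: mechanism must be KRB5 or GSSAPI")
            i += 2
            continue
        if len(tok) == 2 and tok[0] == "-" and tok[1] in VALID_FLAGS:
            flags.add(tok[1])
        else:
            errors.append(f"unrecognized orshd argument {tok!r}")
        i += 1
    return flags, mechanism, errors


def check_orshd_args(argv):
    """Return (errors, warnings) for one orshd invocation."""
    flags, mechanism, errors = parse_orshd_args(argv)
    if "m" in flags and "i" in flags:
        errors.append("-m and -i are mutually exclusive")
    if ("m" in flags or "i" in flags) and mechanism != "KRB5":
        errors.append("-m and -i are only valid with -k KRB5")
    warnings = []
    if "i" in flags:
        warnings.append("-i ignores authenticator checksums (only needed for pre-Beta5 clients)")
    if mechanism is not None and "e" not in flags:
        warnings.append("-k without -e: Kerberos authentication but encryption is not required")
    if "l" not in flags:
        warnings.append("-l not set: successful logins are not logged to syslogd")
    return errors, warnings


def audit_inetd_conf(text):
    """Return [(line_no, errors, warnings)] for each inetd.conf line running orshd.

    inetd.conf fields: service socktype proto wait user server-path [argv0 args...]
    """
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 6:
            continue
        if fields[5].rsplit("/", 1)[-1] != "orshd":
            continue
        argv = fields[7:]  # fields[6] is the server's argv[0]
        errors, warnings = check_orshd_args(argv)
        results.append((n, errors, warnings))
    return results


# Constructed sample: service names, user and paths are illustrative only.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf, not a real configuration
shell   stream tcp nowait OMVSKERN /usr/sbin/orshd   orshd -l -k KRB5 -i -m
kshell  stream tcp nowait OMVSKERN /usr/sbin/orshd   orshd -a -l -k KRB5 -e
login   stream tcp nowait OMVSKERN /usr/sbin/rlogind rlogind -m
exec    stream tcp nowait OMVSKERN /usr/sbin/orshd   orshd -l -a -i
"""

if __name__ == "__main__":
    for line_no, errs, warns in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {line_no}: errors={errs} warnings={warns}")
```

In the sample, line 2 violates the -m/-i exclusion and also lacks -e, line 3 is the hardened form (address check, logging, Kerberos with mandatory encryption and default checksum validation), and line 5 uses -i without -k KRB5, which the documentation says is invalid.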