z/OS® UNIX System Services RSHD command (orshd)

The following command is used in the /etc/inetd.conf file to define the arguments used to invoke orshd:

>>-orshd--+-----+--+-----+--+-----+--+-----+--+-----+----------->
          '- -a-'  '- -d-'  '- -l-'  '- -v-'  '- -c-'   

>--+-----+--+-----+--+---------------+--+-----+--+-----+-------->
   '- -r-'  '- -s-'  '- -k mechanism-'  '- -e-'  '- -m-'   

>--+-----+--+-----+--------------------------------------------><
   '- -i-'  '- -t-'   

The following options are supported:

-a
Look up host name and check that the address and host name correspond.
-d
Print debug information to syslogd.
-l
Write each successful login to syslogd with the remote user, remote system, local user, and the command executed.
-v
Write the title and PTF level to syslogd.
-c
Write all messages in uppercase.
-r
If a client passes a null password, invoke the /usr/sbin/ruserok user exit to authenticate the user ID.
-s
Invoke the remote shell as a login shell (that is, run /etc/profile and $HOME/.profile).
-k mechanism
Specifies the authentication mechanism to be used to authenticate the client. Valid values for mechanism are KRB5 and GSSAPI.
-e
Requires the client to encrypt the connection.
-m
Require Kerberos5 clients to present a cryptographic checksum of initial connection information, such as the name of the user that the client is trying to access in the initial authenticator. This checksum provides additional security by preventing an attacker from changing the initial connection information. If this option is specified, older Kerberos5 clients that do not send a checksum in the authenticator are not able to authenticate to this server. This option is mutually exclusive with the -i option and is only valid if -k KRB5 is specified.

If neither the -m nor the -i option is specified, checksums are validated if presented. Because it is difficult to remove a checksum from an authenticator without making the authenticator invalid, this default mode is almost as significant a security improvement as -m if new clients are used. It has the additional advantage of backwards compatibility with some clients. Clients that predate Kerberos V5 Beta5 generate invalid checksums; if these clients are used, the -i option must be used.

-i
Ignore authenticator checksums if provided. This option ignores the authenticator checksums that current Kerberos clients present to protect initial connection information; it is the opposite of -m. This option is provided because some older clients (particularly clients predating the release of Kerberos V5 Beta5, May 1995) present invalid checksums that prevent Kerberos authentication from succeeding in the default mode. This option is mutually exclusive with the -m option and is only valid if -k KRB5 is specified.
-t
Use this option to set the KRB5_SERVER_KEYTAB environment variable. If this environment variable is set, the Security Runtime uses a local instance of the Kerberos security server to decrypt service tickets instead of obtaining the key from a key table.

Requirement: The orshd application must have at least read access to the IRR.RUSERMAP resource in the FACILITY class in order to use this capability. For more information, see z/OS Integrated Security Services Network Authentication Service Administration.
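
A lint check for the option rules above (valid -k mechanisms, -m and -i mutually exclusive and only valid with -k KRB5), added here as an example and not part of the IBM documentation. The function names are hypothetical, and the script assumes that options appear as separate tokens and that /etc/inetd.conf uses the standard inetd field order (service, socket type, protocol, wait flag, user, program, arguments).

```shell
#!/bin/sh
# check_orshd_args ARGS...: validate orshd arguments against the option rules
# documented on this page. Prints one finding per line; returns 0 when no rule
# is violated and 1 otherwise.
check_orshd_args() {
    mech="" has_m=0 has_i=0 rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -a|-d|-l|-v|-c|-r|-s|-e|-t) ;;          # flags with no constraints
            -m) has_m=1 ;;
            -i) has_i=1 ;;
            -k)
                if [ $# -lt 2 ]; then
                    echo "ERROR: -k requires a mechanism"; rc=1
                else
                    shift
                    case "$1" in
                        KRB5|GSSAPI) mech=$1 ;;
                        *) echo "ERROR: invalid -k mechanism '$1' (valid: KRB5, GSSAPI)"; rc=1 ;;
                    esac
                fi ;;
            *) echo "ERROR: unsupported option '$1'"; rc=1 ;;
        esac
        shift
    done
    if [ "$has_m" = 1 ] && [ "$has_i" = 1 ]; then
        echo "ERROR: -m and -i are mutually exclusive"; rc=1
    fi
    if [ "$has_m" = 1 ] || [ "$has_i" = 1 ]; then
        [ "$mech" = KRB5 ] || { echo "ERROR: -m/-i are only valid with -k KRB5"; rc=1; }
    fi
    return $rc
}

# check_inetd_conf FILE: apply the check to every non-comment line whose server
# program (field 6, assumed standard inetd layout) is orshd.
check_inetd_conf() {
    bad=0
    while read -r svc sock proto wait user prog argv0 args; do
        case "$svc" in ''|'#'*) continue ;; esac
        case "$prog" in */orshd|orshd) ;; *) continue ;; esac
        # shellcheck disable=SC2086  # word splitting of $args is intended
        check_orshd_args $args || { echo "  in: $svc ... $argv0 $args"; bad=1; }
    done < "$1"
    return $bad
}

# Constructed sample arguments: -i without -k KRB5 violates the rule above.
check_orshd_args -l -e -k GSSAPI -i || true
```
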