rexecd - remote execution server
/usr/lbin/rexecd [-n] [-s]
rexecd is the server for the rexec(3N) routine; it expects to be
started by the internet daemon (see inetd(1M)). rexecd provides
remote execution facilities with authentication based on user account
names and unencrypted passwords.
inetd(1M) calls rexecd when a service request is received at the port
indicated for the ``exec'' service specification in /etc/services; see
services(4). To run rexecd, the following line should be present in
exec stream tcp nowait root /usr/lbin/rexecd rexecd
See inetd.conf(4) for more information.
rexecd recognizes the following options.
-n Disable transport-level keep-alive messages. By default, the
messages are enabled. The keep-alive messages allow
sessions to time out if the client crashes or becomes
-s This option is used in multi-homed NIS systems. It disables
remshd from doing a reverse lookup of the client's IP
address; see gethostbyname(3N) for more information. It can
be used to circumvent an NIS limitation with multi-homed
When a service request is received, the following protocol is
1. The server reads characters from the socket up to a null (\0)
byte. The resultant string is interpreted as an ASCII
number, base 10.
2. If the number received in step 1 is non-zero, it is
interpreted as the port number of a secondary stream to be
used for the stderr. A second connection is then created to
the specified port on the client's host. If the first
character sent is a null (\0), no secondary connection is
made and the stderr of the command is sent to the primary
stream. If the secondary connection has been made, rexecd
interprets bytes it receives on that socket as signal numbers
and passes them to the command as signals (see signal(2)).
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
3. A null-terminated user name of not more than 16 characters is
retrieved on the initial socket.
4. A null-terminated, unencrypted, password of not more than 16
characters is retrieved on the initial socket.
5. A null-terminated command to be passed to a shell is
retrieved on the initial socket. The length of the command
is limited by the upper bound on the size of the system's
6. rexecd then validates the user as is done by login (see
login(1)). But it does not use any PAM modules of login for
authentication. If the authentication succeeds, rexecd
changes to the user's home directory and establishes the user
and group protections of the user. If any of these steps
fail, rexecd returns a diagnostic message through the
connection, then closes the connection.
7. A null byte is returned on the connection associated with
stderr and the command line is passed to the normal login
shell of the user with that shell's -c option. The shell
inherits the network connections established by rexecd.
rexecd uses the following path when executing the specified command:
Transport-level keepalive messages are enabled unless the -n option is
present. The use of keepalive messages allows sessions to be timed
out if the client crashes or becomes unreachable.
All diagnostic messages are returned on the connection associated with
the stderr, after which any network connections are closed. An error
is indicated by a leading byte with a value of 1 (0 is returned in
step 7 above upon successful completion of all the steps prior to the
Username too long
The user name is longer than 16 characters.
Password too long
The password is longer than 16 characters.
Command too long
The command line passed exceeds the size of the argument
list (as configured into the system).
No password file entry for the user name existed or the
Hewlett-Packard Company - 2 - HP-UX Release 11i: November 2000
wrong password was supplied.
No remote directory
The chdir command to the home directory failed.
No more processes
The server was unable to fork a process to handle the
Next step: Wait a period of time and try again. If the
message persists, then the server's host may have a runaway
process that is using all the entries in the process table.
The user's login shell could not be started via exec(2) for
the given reason.
The password is sent unencrypted through the socket connection.
rexecd was developed by the University of California, Berkeley.
remsh(1), inetd(1M), rexec(3N), inetd.conf(4), inetd.sec(4),
Hewlett-Packard Company - 3 - HP-UX Release 11i: November 2000