The Rshd service has been available in all UNIX systems for a long time. The same service, called Rshsvc.exe and provided by Microsoft, only shipped with the Windows NT/2000 Server Resource Kit and was not included in any Windows XP version. Several years ago, I wrote the Rshd Windows application for sending commands to remote computers on the same LAN. It is a Winsock multithreaded console application and not a true service. The Rshd Windows application, with full source code provided for Windows 95/98/ME/NT/2000/XP, was designed and implemented to be convenient with some security included. I expect that my work will not be harmful to Windows security.
The Rshd executes all commands for the Rsh program available in both UNIX systems and Windows NT/2000/XP. There is no Rsh on Windows 95/98/ME, but I have provided the Rsh application with full source code running on all 32-bit Windows operating systems.
The Rshd and Rsh were designed by using the object-oriented methodology and implemented by using C++. Figure 1 shows the hierarchy of the
CWinSocket encapsulates part of the Windows Socket Functions API and is similar to the MFC CAsyncSocket class. The CWinSocket class can handle both TCP and UDP. Both Rshd and Rsh are WIN32 applications and they are independent of MFC.
The above Rshd is slightly different from the Rshd service shipped with UNIX and Windows NT/2000 Server, but their functions are similar. It also provides remote execution facilities with authentication based on privileged port numbers from trusted hosts based on the .rhosts file. The Rshd listens for and accepts service requests from the Rsh client at the BSD reserved port (normally 513-1023; however, the range 0-512 should be fine if the Rsh was designed and implemented by yourself. I have added comments in the source code, so please read the source code if you want to understand how it works). When a service request is received, the Rshd does the following:
- Retrieves the name of the client to which a socket is connected and checks its port. If the port is not in the range 513-1023, the Rshd aborts the connection.
- The server reads characters from the socket up to a null byte. The resultant string is interpreted as a base-10 ASCII number.
- If the number received is non-zero, it is interpreted as the port number for a second connection to be used for the error feedback. The second connection is then created as a client to the specified port on the client's machine. The source port of this second connection is also in the range 513-1023.
- Checks the client's source address and requests the corresponding host name. If the hostname cannot be determined (under Windows 95/98/ME), the dot-notation representation of the host address is used. If address verification fails, the connection is aborted.
- A user name is retrieved on the initial socket. It is interpreted as the user identity on the client's machine (the Rsh sender).
- Validates the host and the user retrieved on the initial socket, based on the record listed in the user's .rhosts file located in the directory specified in the file Rshd.ini, which is located in the same directory as the Rshd (Rshd.exe).
- A command to be passed to a shell is retrieved on the initial socket. The length of the command is limited to less than 8192 bytes.
- The command line is passed to the system call, which invokes cmd.exe to interpret the command line.
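The checks in the steps above, written as portable C++ over an in-memory buffer instead of a Winsock socket. This is an added example, not code from Rshd.cpp: the function names, the 64-byte user-name bound and the .rhosts comparison policy are assumptions, and the field order (port, user, command) is taken from the steps as listed.

```cpp
#include <cctype>
#include <sstream>
#include <string>

// Added example; all names are hypothetical, none is taken from Rshd.cpp.
struct RshRequest { int stderrPort; std::string user, command; };

static bool InReservedRange(int port) { return port >= 513 && port <= 1023; }

// Read one NUL-terminated field of fewer than `limit` bytes, advancing `pos`.
static bool ReadField(const std::string& buf, std::size_t& pos, std::size_t limit, std::string& out) {
    std::size_t end = buf.find('\0', pos);
    if (end == std::string::npos || end - pos >= limit) return false;
    out = buf.substr(pos, end - pos);
    pos = end + 1;
    return true;
}

// Parse "<stderr port>\0<user>\0<command>\0" received from source port srcPort.
bool ParseRequest(int srcPort, const std::string& buf, RshRequest& req) {
    if (!InReservedRange(srcPort)) return false;           // unprivileged source port
    std::size_t pos = 0;
    std::string port;
    if (!ReadField(buf, pos, 6, port)) return false;       // at most five digits
    for (unsigned char c : port)
        if (!std::isdigit(c)) return false;                // base-10 digits only
    req.stderrPort = port.empty() ? 0 : std::stoi(port);   // 0: no second connection
    if (req.stderrPort > 65535) return false;
    if (!ReadField(buf, pos, 64, req.user) || req.user.empty()) return false;  // 64: assumed bound
    return ReadField(buf, pos, 8192, req.command);         // article's 8192-byte limit
}

static std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// True when the .rhosts text (one "host user" pair per line, tab or space delimited)
// lists this pair. Assumed policy: hosts ignore case, users match exactly.
bool RhostsAllows(const std::string& rhosts, const std::string& host, const std::string& user) {
    std::istringstream lines(rhosts);
    for (std::string line; std::getline(lines, line);) {
        std::istringstream fields(line);
        std::string h, u, extra;
        if ((fields >> h >> u) && !(fields >> extra) && Lower(h) == Lower(host) && u == user)
            return true;
    }
    return false;
}
```

A request is executed only when both ParseRequest and RhostsAllows succeed; a missing terminator, a non-numeric port field or an over-long command all fail closed.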
Source code and projects
Source code consists of four projects: Rsh, Rshd, Stdn, and Utility. Rsh and Rshd are Win32 console applications, Stdn (Shutdown) is a MFC dialog based application, and Utility is a Win32 static library. If compiled successfully, they should be located in the Bin directory.
There are only two files Rsh.cpp/Rsh.h and Rshd.cpp/Rshd.h in the Rsh and Rshd projects, respectively. They contain many comments which can aid your understanding on how they work.
The Stdn project includes an important class, CShutdown, which contains two methods: ShutdownNow is used to shut down local computers and ShutdownAll to shut down remote computers. However, ShutdownAll only works on Windows NT/2000/XP with administrator privileges.
The Utility project contains several useful classes:
- CConfigFile: message logging and INI file reading class.
- CLock: critical section wrapper class used by the Rshd application.
- CStr: string class. More details here.
- CWinSocketEx: Win32 socket wrapper classes used by the Rsh and Rshd applications.
- List: adopted from the MFC List template. However, it is independent of MFC.
Case study: shutdown all computers on the LAN automatically
The Rshd and Rsh have successfully been applied to several power stations. The following steps describe how to use Rshd and Rsh so that all computers on the LAN can send commands to each other and be shut down automatically. Assume that there are 6 computers running different operating systems on the LAN: two UNIX, two Windows NT workstations, and two Windows 95. In this example, assume two UNIX host names are
UHost2, and their user names are
UUser2; two Windows NT workstations host names are
WNT2, and their user names are
WNTUser2; two Windows 95 host names are
W952, and their user names are
W95User2. An emergency shutdown device (button) is attached on
- Create a directory on Windows computers, say C:\RS\Bin. The RS directory should contain .rhosts, Rsh.exe, Rshd.exe, Rshd.ini, and Shutdown.exe. Rsh.exe does not conflict with the Rsh program provided by Windows NT/2000/XP.
- Edit the .rhosts text file. The format of this file is host name followed by user name, delimited by a tab or space. It is loaded by Rshd.exe. The .rhosts should look as follows (assume the following users log in as the current user on each computer. However, many users may appear on the same host):
- Edit the Rshd.ini file. It is a standard Windows INI file and should look as follows:
HostFile = C:\RS\Bin\.rhosts ; host file location
LogFile = C:\RS\Bin\rshd.log ; log file location
Debug = 1 ; 1 (or non zero): log file records Rsh sender information; 0: not
- Create the Rshd.exe shortcut and put it into the Windows startup menu. When Windows starts up, Rshd.exe should be found in the Task Manager. If not, manually run it.
- Add the information for the four Windows computers to the .rhosts file on each UNIX computer. Please read the UNIX manual on how to modify the .rhosts file. We assume that
UUser2 have a Shutdown script file under their home directory, respectively. They have the same privileges as root to run it. The Shutdown script does the actual shutdown task.
- Create a batch file in C:\RS\Bin on WNT1. The batch file (invoked by pressing the emergency shutdown button) should look like the following:
Rsh UHost1 Shutdown
Rsh UHost2 Shutdown
Rsh WNT2 C:\RS\Bin\Shutdown -d
Rsh W951 C:\RS\Bin\Shutdown -d
Rsh W952 C:\RS\Bin\Shutdown -d
That is all that is needed to set up automatic shutdown of all computers on the LAN. When the emergency shutdown button is pressed, all 6 computers should be shut down.
Security free consideration
The .rhosts and Rshd.ini files are not necessary if you consider writing your own security free Rshd service. To do so, simply modify Rshd.cpp and remove the CheckHostAndUserName function calls. However, a security free Rshd service is dangerous: any computer on the same LAN can easily destroy the computer system running the Rshd service. It is good practice to set up .rhosts so that only trusted computers have access.
Running Rshd on Windows operating systems may cause some security issues. I am not responsible for any damage in your computer system caused by using it.