Diffstat (limited to 'usr/src/man/man1m/tcpd.1m')
-rw-r--r-- usr/src/man/man1m/tcpd.1m 115
1 files changed, 0 insertions, 115 deletions
diff --git a/usr/src/man/man1m/tcpd.1m b/usr/src/man/man1m/tcpd.1m
deleted file mode 100644
index 7ebd63d845..0000000000
--- a/usr/src/man/man1m/tcpd.1m
+++ /dev/null
@@ -1,115 +0,0 @@
-'\" t
-.\"
-.\" Modified for Solaris to to add the Solaris stability classification,
-.\" and to add a note about source availability.
-.\"
-.TH TCPD 1M "Sep 15, 2011"
-.SH NAME
-tcpd \- access control facility for internet services
-.SH DESCRIPTION
-.PP
-The \fItcpd\fR program can be set up to monitor incoming requests for
-\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR,
-\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services
-that have a one-to-one mapping onto executable files.
-.PP
-The program supports both 4.3BSD-style sockets and System V.4-style
-TLI. Functionality may be limited when the protocol underneath TLI is
-not an internet protocol.
-.PP
-Operation is as follows: whenever a request for service arrives, the
-\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
-instead of the desired server. \fItcpd\fP logs the request and does
-some additional checks. When all is well, \fItcpd\fP runs the
-appropriate server program and goes away.
-.PP
-Optional features are: pattern-based access control, client username
-lookups with the RFC 931 etc. protocol, protection against hosts that
-pretend to have someone elses host name, and protection against hosts
-that pretend to have someone elses network address.
-.SH LIBWRAP INTERFACE
-The same monitoring and access control functionality provided by the
-tcpd standalone program is also available through the libwrap shared
-library interface. Some programs, including the Solaris inetd daemon,
-have been modified to use the libwrap interface and thus do not
-require replacing the real server programs with tcpd. The libwrap
-interface is also more efficient and can be used for inetd internal
-services. See
-.BR inetd (1M)
-for more information.
-.SH LOGGING
-Connections that are monitored by
-.I tcpd
-are reported through the \fIsyslog\fR(3) facility. Each record contains
-a time stamp, the client host name and the name of the requested
-service. The information can be useful to detect unwanted activities,
-especially when logfile information from several hosts is merged.
-.PP
-In order to find out where your logs are going, examine the syslog
-configuration file, usually /etc/syslog.conf.
-.SH ACCESS CONTROL
-Optionally,
-.I tcpd
-supports a simple form of access control that is based on pattern
-matching. The access-control software provides hooks for the execution
-of shell commands when a pattern fires. For details, see the
-\fIhosts_access\fR(4) manual page.
-.SH HOST NAME VERIFICATION
-The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies
-on host names. Some implementations believe the host name that they get
-from any random name server; other implementations are more careful but
-use a flawed algorithm.
-.PP
-.I tcpd
-verifies the client host name that is returned by the address->name DNS
-server by looking at the host name and address that are returned by the
-name->address DNS server. If any discrepancy is detected,
-.I tcpd
-concludes that it is dealing with a host that pretends to have someone
-elses host name.
-.PP
-If the sources are compiled with -DPARANOID,
-.I tcpd
-will drop the connection in case of a host name/address mismatch.
-Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard,
-after which suitable action can be taken.
-.SH HOST ADDRESS SPOOFING
-Optionally,
-.I tcpd
-disables source-routing socket options on every connection that it
-deals with. This will take care of most attacks from hosts that pretend
-to have an address that belongs to someone elses network. UDP services
-do not benefit from this protection. This feature must be turned on
-at compile time.
-.SH RFC 931
-When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR
-will attempt to establish the name of the client user. This will
-succeed only if the client host runs an RFC 931-compliant daemon.
-Client user name lookups will not work for datagram-oriented
-connections, and may cause noticeable delays in the case of connections
-from PCs.
-.PP
-Warning: If the local system runs an RFC 931 server it is important
-that it be configured NOT to use TCP Wrappers, or that TCP Wrappers
-be configured to avoid RFC 931-based access control for this service.
-If you use usernames in the access control files, make sure that you
-have a hosts.allow entry that allows the RFC 931 service (often called
-"identd" or "auth") without any username restrictions. Failure to heed
-this warning can result in two hosts getting in an endless loop of
-consulting each other's identd services.
-.SH EXAMPLES
-.\" Begin Sun update
-.SH ATTRIBUTES
-See
-.BR attributes (5)
-for descriptions of the following attributes:
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-=
-Interface Stability Committed
-.TE
-.\" End Sun update
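Review bot: The removed LIBWRAP INTERFACE section is the text that ties tcpd to inetd(1M), and the ACCESS CONTROL section points to hosts_access(4), but this diff is limited to tcpd.1m and so does not show whether those pages still cite tcpd(1M) after the deletion. Please confirm that the remaining cross-references are removed or updated in the same change. Also, if libwrap stays in the tree, the operational guidance that lives only in this hunk should move to a page that survives: the -DPARANOID drop-on-mismatch behaviour versus the PARANOID wildcard, the note that source-routing protection does not cover UDP services, and the RFC 931 warning about two hosts looping on each other's identd when hosts.allow restricts the auth service by username.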