fingerd
[-wul] [-pL path]
Returns a human-readable status report on either the system or a particular person. Options to this command should be specified in /etc/inetd.conf.
Example: This daemon is usually invoked by inetd (which uses tcpd to provide access control and logging services). To start fingerd, add the following line to your inetd.conf file:
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
-w | Tell fingerd to include a welcome banner, which contains some system information (uptime, OS name, release) with output. |
-u | Reject all requests of the form "finger @host". |
-l | Log information about requests. |
-p | Specify an alternate location for fingerd to find the finger program. |
ftpd
[ -d ] [ -v ] [ -l ] [ -ttimeout ] [ -Tmaxtimeout ] [ -a ] [ -A ] [ -L ] [ -i ] [ -o ] [ -uumask ]
ftpd is the File Transfer Protocol server.
Example: This daemon is usually invoked by inetd via the tcpd daemon (which provides logging and access control). To start ftpd with logging (-l) and access control (-a), add the following line to your inetd.conf file:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
-d, -v | Send debugging information to the syslog. |
-l | Log information about each ftp session to the syslog. |
-a | Enable use of the ftpaccess configuration file. |
-A | Disable use of the ftpaccess configuration file. |
-L | Log all commands sent to the ftpd server to the syslog. |
-i | Log all files received to the xferlog. |
-o | Log all files transmitted to the xferlog. |
-u | Specify a default umask. |
gated
[ -c ] [ -C ] [ -n ] [ -N ] [ -t trace_options ] [ -f config_file ] [ trace_file ]
Gated is a routing service that handles a variety of routing protocols. It may be configured to run some or all of the protocols that it is capable of handling.
Example: It's a good idea to invoke gated via gdc, but to invoke it from the command line as a background process (&), type
gated &
-c | Tell gated to parse the configuration file, report any syntax errors, and exit. |
-C | Tell gated to parse the configuration file for syntax errors. |
-n | Prohibit gated from modifying the kernel forwarding table. |
-N | Tell gated not to run as a daemon. |
-t trace_options | Allow the user to specify a comma-separated list of trace options on the command line. |
-f config_file | Specify a nondefault configuration file. |
gdc
[ -q ] [ -n ] [ -c coresize ] [ -f filesize ] [ -m datasize ] [ -s stacksize ] [ -t seconds ] command
This command is the gated controller, a user interface for controlling the gated routing daemon. You can use it to stop, start, and signal gated, to maintain its configuration files, and to generate or maintain core dumps.
Example: To invoke gated and send all output to the system log, use
gdc -q start
In order for these controls to take effect, you must start gated with gdc.
-n | Do not check the kernel forwarding table. |
-q | Log any output to the system log (quiet operation). |
-t seconds | Allow the user to specify how long gdc will wait for gated to complete startup, shutdown, and other operations. |
-c coresize | Specify an upper limit on the size of core dumps that may be generated by gated. Typically used to increase the system default when it is too small to be useful. |
-f filesize | Specify a maximum file size that a gated started with gdc can produce. |
-m datasize | Specify an upper limit on the size of the data segment of a gated started with gdc. |
-s stacksize | Specify the maximum size of a stack of a gated started by gdc. |
The following actions may be specified at the command line:
checkconf | Check /etc/gated.conf for syntax errors. |
checknew | Check /etc/gated.conf+ for syntax errors. |
newconf | Replace /etc/gated.conf with /etc/gated.conf+. |
backout | Move the old configuration file (/etc/gated.conf-) back into place as the current active gated.conf. Also rotate the current /etc/gated.conf to /etc/gated.conf+. |
BACKOUT | Same as backout (above), but will overwrite any existing /etc/gated.conf+. |
modeconf | Set all configuration files to mode 664, owner=root, group=gdmaint. |
createconf | If /etc/gated.conf+ does not exist, create a zero length file with the file mode set to 664, owner=root, group=gdmaint. |
running | Test to see if gated is currently running. |
start | Start gated. |
stop | Stop gated. |
restart | Stop and restart gated. |
rmcore | Delete any gated core dump file. |
rmdump | Delete any gated state dump file. |
rmparse | Delete any parse error file generated by checkconf or checknew. |
/usr/sbin/in.identd
[-i|-w|-b] [-t<seconds>] [-u<uid>] [-g<gid>] [-p<port>] [-a<address>] [-c<charset>] [-C[<keyfile>]] [-o] [-e] [-l] [-V] [-m] [-N] [-d] [-F<format>] [kernelfile [kmemfile]]
identd is an implementation of the IDENT user identification protocol. It works by looking up specific TCP/IP connections and returning the user name of the process owning the connection.
Example: This daemon is usually invoked by inetd. To start identd with logging (-l option) and without letting it display operating system information (-o option), add the following line to your inetd.conf file:
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -o
-i | Use this flag when starting the daemon from inetd with the nowait option. It will make inetd start one identd daemon for each connection request. |
-w | Use this flag when starting the daemon from inetd with the wait option. It will start a single copy of identd upon receiving the first connection request and handle subsequent requests without having to do the necessary nlist lookup in the kernel file at startup time. This is the preferred mode of operation. |
-b | Run the daemon in standalone mode without assistance from inetd. |
-t<seconds> | Tell identd to time out after the specified number of seconds. |
-u<uid> | Tell identd to switch to the specified user id number after binding itself to the TCP/IP port when using -b mode of operation. |
-g<gid> | Tell identd to switch to the specified group id number after binding itself to the TCP/IP port when using -b mode of operation. |
-p<port> | Specify an alternative port number to bind to when operating in -b mode. |
-a<address> | Specify the local address to bind the socket to when operating in -b mode. |
-V | Display version information and exit. |
-l | Use the system logging daemon. |
-o | Tell identd not to reveal the operating system it is run on (security feature). |
-e | Tell identd to return "UNKNOWN-ERROR", rather than "NO-USER" or "INVALID-PORT" errors (security feature). |
-c<charset> | Add the optional character set designator to the reply generated. |
-C[<keyfile>] | Tell identd to return encrypted tokens, rather than user names. The tokens are created using DES keyed off the first line of the specified keyfile. |
-n | Tell identd to return user numbers, rather than user names. |
-N | When this flag is invoked, identd will check for a ".noident" file in the home directory of each user that identd is about to identify. If the file exists, identd will return HIDDEN-USER, rather than user information. |
-m | Allow multiple requests to be processed per session. |
-d | Debugging mode. This option violates the protocol and may create security holes. Use with caution. |
-F<format> | Display information in the specified format. Format is one of the following: |
%u | user name |
%U | user number |
%g | (primary) group name |
%G | (primary) group number |
%l | list of all groups by name |
%L | list of all groups by number |
%p | process ID of running process |
%c | command name |
%C | command and arguments |
-v | Display verbose output. |
-f<config-file> | Use the specified configuration file, rather than the default. Currently useless, as there are no configuration files involved. |
/usr/etc/imapd
Supports the IMAP4 remote mail access protocol, typically on port 143.
Example: This daemon is usually invoked by inetd. To start imapd, use
imap stream tcp nowait root /usr/sbin/tcpd imapd
inetd
[-d] [-q queuelength] [configuration file]
Inetd is the "mother" of daemons. It doesn't directly provide any user services, but it calls other daemons that do. Inetd was created because many daemons are needed only occasionally. However, in order to be of use, daemons have to monitor ports for service requests. To do the monitoring, they take up system resources, which can be a significant burden if you have a lot of services configured. Inetd alleviates the problem by monitoring the ports for other daemons and calling them as needed. Inetd should be started at boot time from /etc/rc.local.
Example: To invoke inetd, create a script with the following line:
inetd &
-d | Invoke inetd in debug mode. |
-q queuelength | Specify the length of a socket listen queue (default 128). |
klogd
[ -c n ] [ -d ] [ -f fname ] [ -iI ] [ -n ] [ -o ] [ -p ] [ -s ] [ -k fname ] [ -v ]
klogd is the kernel log daemon. It intercepts and logs Linux kernel messages.
Example: This daemon is usually invoked by init, perhaps with the following line, which runs it in the background:
klogd &
-c n | Specify the default log level of console messages. |
-d | Enable debug mode. |
-f file | Log to the specified file, rather than syslog. |
-i, -I | Send a signal to the currently executing klogd daemon. |
-n | Do not automatically background. |
-o | Read and log all messages in the kernel message buffers, then exit (one-shot mode). |
-p | Load kernel module symbol information whenever an Oops string is found in the kernel message stream (paranoid mode). |
-s | Use the system call interface to access the kernel message buffers. |
-k file | Use the specified file as the source of kernel symbol information. |
-v | Display version information and exit. |
lpd
[-l] [port#]
lpd is the line printer daemon. It handles the manipulation of spooled files and any actual printing. It gets printer information from printcap. The original invocation listens only for requests; it forks off child processes to handle any requests received.
Example: This daemon is usually invoked by an rc script. To start lpd with logging, put a line such as the following in a script:
lpd -l &
-l | Turn logging of requests on. |
port# | Allow the user to specify an internet port number on the command line, rather than letting the process obtain the port number from getservbyname. |
/usr/sbin/rpc.mountd
[ -f exports-file ] [ -d facility ] [ -P port ] [ -Dhnprv ][ --debug facility ] [ --exports-file=file ] [ --help ][ --allow-non-root ] [ --re-export ] [ --version ]
mountd is the NFS mount daemon. Before exporting a file system, it checks /etc/exports for permission. If the request is approved, it creates a file handle for the requested directory and adds an entry to /etc/rmtab. When unmounting, the entry in /etc/rmtab is removed.
Example: This daemon is usually invoked via script at boot time with this line:
mountd &
To start mountd from inetd, add the following two lines to /etc/inetd.conf:
mount/1-2 dgram rpc/udp wait root /usr/sbin/rpc.mountd rpc.mountd
mount/1-2 stream rpc/tcp wait root /usr/sbin/rpc.mountd rpc.mountd
-f or --exports-file | Specify an export file other than the default, /etc/exports. |
-d or --debug | Enable verbose logging of each transaction to standard error. |
-F or --foreground | Run mountd in the foreground. |
-h or --help | Display help information and exit. |
-n or --allow-non-root | Permit mount requests that do not originate from reserved IP ports. |
-P portnum or --port portnum | Specify a port for inetd to listen on. Typically, the port number is specified in /etc/services. |
-p or --promiscuous | Tell mountd to service any host on the network. |
-r or --re-export | Allow re-export of imported NFS or SMB filesystems. |
-v or --version | Display version information and exit. |
named
[-d debuglevel] [-p port#] [-(b|c) config_file] [-f -q -r][-u user_name] [-g group_name] [-t directory] [-w directory][config_file]
Named is the Internet domain name server. It resolves host names into IP addresses. Named gets configuration information from /etc/named.conf.
Example: This daemon is usually invoked by inetd. To start named with some debugging information, use
named -d 1 &
-d debuglevel | Specify the level of debugging information. |
-p port# | Tell named to use the specified remote port number. |
-(b|c) config_file | Specify an alternate configuration file (default is /etc/named.conf). |
-f | Tell named to run in the foreground. |
-q | Trace all incoming queries if named has been compiled with QRYLOG defined. |
-r | Allow name resolution only from local (primary or secondary) zones (recursion off). |
-u user_name | Tell named to run as the specified user after initialization. |
-g group_name | Tell named to run as the specified group after initialization. |
-t directory | Tell named to chroot into the specified directory after processing any command line arguments. |
-w directory | Specify a working directory for the server. |
/usr/sbin/rpc.nfsd
[ -f exports-file ] [ -d facility ] [ -P port ] [ -R dirname ][ -Fhlnprstv ] [ --debug facility ] [ --exports-file=file ][ --foreground ] [ --help ] [ --allow-non-root ] [ --re-export ][ --public-root dirname ] [ --port port ] [ --log-transfers ][ --version ] [ numservers ]
The nfsd program is an NFS service daemon that handles client filesystem requests.
Example: This daemon is usually started at system boot time. To start nfsd with re-export of filesystems that have themselves been imported (-r option), add the following line to a script:
nfsd -r &
-f or --exports-file | Tell nfsd to use the specified exports file. |
-d facility or --debug facility | Enable verbose debugging. |
-F or --foreground | Tell nfsd to run in the foreground. |
-h or --help | Display help information and exit. |
-l or --log-transfers | Attempt to log all files transferred by the NFS server. |
-n or --allow-non-root | Permit servicing of NFS requests that do not originate from reserved IP ports. |
-P portnum or --port portnum | Tell nfsd to listen on the specified port, rather than port 2049. |
-p or --promiscuous | Allow nfsd to serve any host on the network. |
-r or --re-export | Allow filesystems that have themselves been remotely mounted on the host system to be re-exported. |
-R or --public-root | Specify the directory associated with the public file handle. |
-v or --version | Display version information. |
pppd
[ tty_name ] [ speed ] [ options ]
pppd is the point-to-point protocol daemon. PPP is a method for transmitting datagrams over serial connections.
Example: To start pppd on tty10 with baud rate 14400, use
pppd tty10 14400
<tty_name> | Specifies a tty to use for communication (may be /dev/<something>). |
<speed> | Specify a baud rate for data transfer. |
active-filter filter-expression | Specify a packet filter used to determine which packets are link activity. |
asyncmap <map> | Set the async character map to <map>. |
auth | Require authentication before transmitting packets. |
call name | Read options from the file /etc/ppp/peers/name. |
connect script | Use the specified executable or shell command to set up the serial line. |
crtscts | Tell pppd to use hardware flow control to control the flow of data on the serial port. |
defaultroute | Add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is completed. |
disconnect script | Run the specified script when pppd closes the link. |
escape xx,yy,... | Escape the specified list of characters when transmitting. Characters are specified as a comma-separated list of hexadecimal codes. |
file name | Read command line options from the specified file. |
lock | Tell pppd to create a uucp-style lock file for the serial device to ensure exclusive access. |
mru n | Specify a Maximum Receive Unit (MRU) of n. The MRU value is the upper limit on the size of packets received. |
mtu n | Specify a Maximum Transmit Unit (MTU) of n. The MTU value is the upper limit on the size of packets transmitted. |
passive | Allow pppd to passively wait for a connection. |
<local_IP_address>:<remote_IP_address> | Specify the local or remote interface IP addresses. |
chap-interval n | Rechallenge the peer every n seconds. |
chap-max-challenge n | Specify an upper limit on the number of challenges. |
chap-restart n | Specify retransmission interval for challenges of n seconds. |
debug | Enable connection debugging. |
default-asyncmap | Disable asyncmap negotiation. |
default-mru | Disable Maximum Receive Unit negotiation. |
demand | Tell pppd to initiate the link only on demand. |
domain d | Append the domain name "d" to the local host name for authentication purposes. |
holdoff n | Specify the number of seconds to wait before re-initialization after a link is terminated. |
idle n | Tell pppd to disconnect if the link is idle for n seconds. |
ipcp-accept-local | Tell pppd to accept the peer's idea of the local IP address. |
ipcp-accept-remote | Tell pppd to accept the peer's idea of its remote IP address. |
ipcp-max-configure n | Set the maximum number of IPCP configure-request transmissions to n (default is 10). |
ipx | Enable the IPXCP and IPX protocols. |
ipx-network n | Set the IPX network number in the IPXCP configure request frame to n, a hexadecimal number (without a leading 0x). |
ipx-node n:m | Set the IPX node numbers (local:peer). |
ipx-router-name <string> | Specify the name of the IPX router. |
kdebug n | Enable debugging code in the kernel-level PPP driver. The argument n is a number that is the sum of the following values: 1 to enable general debug messages, 2 to request that the contents of received packets be printed, and 4 to request that the contents of transmitted packets be printed. |
lcp-echo-failure n | Instruct pppd to presume the peer is dead when n LCP echo requests are sent without receiving a valid LCP echo reply. |
lcp-echo-interval n | Tell pppd to send an LCP echo request every n seconds. |
lcp-max-configure n | Set the maximum number of LCP configure-request transmissions to n (default is 10). |
lcp-max-terminate n | Specify a maximum number of LCP terminate-request transmissions. |
lcp-restart n | Specify an LCP restart interval. |
local | Do not use the modem control lines. |
login | Use the system password database for authenticating the peer using PAP, and record the user in the system wtmp file. |
maxconnect n | Terminate the connection after the specified number of seconds. |
modem | Tell pppd to use the modem control lines (default). |
ms-dns <addr> | Allow pppd to supply a Microsoft Domain Name Server address to clients. |
ms-wins <addr> | Allow pppd to supply a Windows Internet Name Server address to clients. |
name name | Specify a local system name (for authentication purposes). |
netmask n | Specify an IP netmask of n. |
noaccomp | Disable any use of Address/Control compression. |
noauth | Do not require peer authentication. |
nobsdcomp | Disable any use of BSD-Compress compression. |
noccp | Disable any use of Compression Control Protocol (CCP). |
nocrtscts | Disable hardware flow control over the serial port. |
nodefaultroute | Disable the default route option. |
nodeflate | Disable any use of deflate compression. |
nodetach | Do not detach from the controlling terminal. |
noip | Disable IPCP negotiation and IP communication. |
noipx | Disable the IPXCP and IPX protocols. |
nomagic | Disable magic number negotiation. |
nopcomp | Disable protocol field compression negotiation. |
nopersist | Exit immediately when a connection terminates. |
nopredictor1 | Do not accept or agree to Predictor-1 compression. |
noproxyarp | Disable proxyarp. |
pass-filter filter-expression | Specify a packet filter to apply to data packets in order to determine which packets will be allowed to pass. |
persist | Try to re-open a terminated connection, rather than exiting. |
predictor1 | Compress frames using Predictor-1 compression. |
refuse-chap | Do not allow authentication with CHAP. |
refuse-pap | Do not allow authentication with PAP. |
require-chap | Require the peer to authenticate itself by using Challenge Handshake Authentication Protocol (CHAP) authentication. |
require-pap | Require the peer to authenticate itself using Password Authentication Protocol (PAP) authentication. |
silent | Do not transmit LCP packets to initiate a connection. |
usehostname | Force the use of the specified hostname as the local system name. |
user name | Specify a user name to be used for authenticating on the peer. |
vj-max-slots n | Set the number of connection slots to be used by the Van Jacobson TCP/IP header compression and decompression code to n, where 2 <= n <= 16. |
xonxoff | Use software flow control to control the flow of data on the serial port. |
rexecd
Rexecd is the remote execution server. It provides remote program execution capabilities with name/password authentication.
Example: This command has no options. To start rexecd, use
rexecd
rlogind
[-ahlLn]
This program is the server for the rlogin program. It provides remote login access based on privileged port numbers from trusted hosts. As the use of this daemon can be something of a security hole, you should configure and use it with caution.
Example: To start rlogind, allowing use of the .rhosts file for access control (-h option), add the following line to your inetd.conf file:
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
-a | Ask the host for verification. |
-h | Allow use of superuser ".rhosts" files. |
-l | Do not allow authentication based on the user's .rhosts file. |
-L | Do not allow authentication based on .rhosts or hosts.equiv files. |
-n | Disable keep-alive messages. |
rshd
[-ahlnL]
This program is the server for the rcmd and rsh programs. It provides remote execution capabilities with authentication based on privileged port numbers for trusted hosts. Obviously, the use of this daemon can constitute a huge security hole. Configure and use it with caution.
Example: To start rshd with logging (-L), add the following line to your inetd.conf file:
shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
-l | Prevents authentication based on the user's .rhosts file. |
-h | If user is superuser, this option may override the -l option and allow authentication based on .rhosts file. |
-n | Disable transport-level keep alive messages. |
-L | Log all successful accesses to syslogd as auth.info messages. |
rwhod
[-bpa]
Rwhod maintains the database used by rwho and ruptime.
Example: To start rwhod allowing both broadcast and point-to-point interfaces, use
rwhod -a
-b | Use only broadcast interfaces (e.g., ethernets). |
-p | Use only point to point interfaces. |
-a | Use all interfaces. |
syslogd
[ -d ] [ -f config file ] [ -h ] [ -l hostlist ] [ -m interval ] [ -n ][ -p socket ] [ -r ] [ -s domainlist ] [ -v ]
This program provides facilities for logging and kernel message trapping. Logging may be either local or remote.
Example: This daemon is usually invoked at boot time by one or another of the rc scripts. To start syslogd with timestamping at 20-minute intervals (-m option), use
syslogd -m 20 &
-d | Run in debug mode. |
-f config file | Specify an alternate configuration file. |
-h | Allow syslogd to forward any remote messages to defined forwarding hosts. |
-l hostlist | Specify a host that should be logged only by hostname, rather than by a fully qualified domain name. |
-m interval | Mark timestamps to the system log at regular intervals. |
-n | Do not auto background. |
-p socket | Specify an alternate UNIX domain socket, rather than /dev/log. |
-r | Allow syslogd to receive messages from the network via an Internet domain socket. |
-s domainlist | Specify domain names to be stripped off before logging. |
-v | Display version information and exit. |
talkd
This daemon is the program that notifies user B that user A wants to have a conversation via talk.
Example: This command has no options. Talkd is usually started by inetd, which uses tcpd to do the actual invocation. To start talkd, add the following line to your inetd.conf file:
talk dgram udp wait root /usr/sbin/tcpd in.talkd
tcpd
This daemon is used to provide access control and logging for standard TCP/IP services. It monitors incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat, etc., and services their requests, logging and booting people out as necessary. Inetd uses this program to invoke other tcp daemons.
Example: This daemon is usually invoked by inetd. To use tcpd to invoke ftpd, add the following line to your inetd.conf file:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
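An audit of inetd.conf entries against the options documented on this page, as an added example (not code from the original page): it reports services that bypass tcpd, omit the daemon's own logging flag, or leave .rhosts authentication enabled. The sample file is constructed from the page's example lines, and the finding labels are this example's own names.

```python
import os

# Per-daemon flag meanings, taken from the option tables on this page.
# "-l" means "log" for fingerd/ftpd/identd but "ignore the user's .rhosts"
# for rlogind/rshd, so flags have to be interpreted per daemon.
LOG_FLAG = {"in.fingerd": "-l", "in.ftpd": "-l", "in.identd": "-l", "in.rshd": "-L"}
NO_RHOSTS_FLAG = {"in.rlogind": "-l", "in.rshd": "-l"}
ROOT_RHOSTS_FLAG = "-h"  # rlogind/rshd: honour superuser .rhosts files

# Constructed sample: the inetd.conf example lines shown on this page,
# plus one commented-out entry to exercise comment handling.
SAMPLE_INETD_CONF = """\
# service socket proto wait user server args
finger stream tcp nowait root   /usr/sbin/tcpd      in.fingerd
ftp    stream tcp nowait root   /usr/sbin/tcpd      in.ftpd -l -a
auth   stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -o
login  stream tcp nowait root   /usr/sbin/tcpd      in.rlogind
shell  stream tcp nowait root   /usr/sbin/tcpd      in.rshd -L
talk   dgram  udp wait   root   /usr/sbin/tcpd      in.talkd
#tftp  dgram  udp wait   root   /usr/sbin/tcpd      in.tftpd
"""


def parse_inetd(text):
    """Return one dict per active service line (comments and blanks skipped)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:          # blank, comment-only or malformed line
            continue
        service, user, server, argv = fields[0], fields[4], fields[5], fields[6:]
        entries.append({
            "service": service,
            "user": user,
            # tcpd as the server program means the real daemon is argv[0]
            "wrapped": os.path.basename(server) == "tcpd",
            "daemon": os.path.basename(argv[0] if argv else server),
            # Assumption: flags are separate tokens, as in the page's examples
            "flags": set(argv[1:]),
        })
    return entries


def audit(text):
    """Map each service name to a list of finding labels (labels are ours)."""
    report = {}
    for e in parse_inetd(text):
        findings = []
        if not e["wrapped"]:
            findings.append("unwrapped")         # no tcpd access control/logging
        log_flag = LOG_FLAG.get(e["daemon"])
        if log_flag and log_flag not in e["flags"]:
            findings.append("no-log-flag")       # daemon's own logging is off
        no_rhosts = NO_RHOSTS_FLAG.get(e["daemon"])
        if no_rhosts:
            if no_rhosts not in e["flags"]:
                findings.append("rhosts-trust")  # user .rhosts still honoured
            if ROOT_RHOSTS_FLAG in e["flags"]:
                findings.append("root-rhosts")   # superuser .rhosts honoured
        report[e["service"]] = findings
    return report


if __name__ == "__main__":
    for service, findings in audit(SAMPLE_INETD_CONF).items():
        print(f"{service:8} {', '.join(findings) or 'ok'}")
```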
/usr/sbin/in.telnetd
[-hns] [-a authmode] [-D debugmode] [-L loginprg] [-S tos][-X authtype] [-edebug] [-debug port]
Telnetd is the daemon that services telnet requests.
Example: This daemon is usually invoked by inetd. To start telnetd, use
telnetd &
-a authmode | Specify the authentication mode. |
debug | Turns on authentication debugging code. |
user | Only allows connections when the remote user can provide user authentication information. |
valid | Only allows connections when the remote user can provide user authentication information. |
other | Equivalent to "valid". |
none | Does not require authentication. |
off | Disables the authentication code. |
-D debugmode | Specify one of the following debug modes: |
options | Prints information about the negotiation of telnet options. |
report | Prints the options information, plus some additional information about what processing is going on. |
netdata | Displays the data stream received by telnetd. |
ptydata | Displays data written to the pty. |
exercise | Has not been implemented yet. |
-edebug | Enable encryption debugging code. |
-h | Disable printing of host information until the login verification is completed. |
-L loginprg | Specify a login program other than the default. |
-n | Disable TCP keep alives. |
-s | Allow only SecurID logins. |
-S tos | Set type of service to tos. |
-X authtype | Disable the use of the specified type of authentication. |
tftpd
[directory ]
This command supports the trivial file transfer protocol.
Example: This daemon is usually invoked by inetd. To start tftpd, use
tftpd &
rpc.yppasswdd
[-D directory] [-e chsh|chfn]
rpc.yppasswdd
[-s shadow] [-p passwd] [-e chsh|chfn]
When using NIS, change passwords across the network with yppasswd. Yppasswdd is the server daemon.
Example: To start yppasswdd, use
yppasswdd &
-D directory | Specify a directory where the passwd and shadow passwd files may be found. |
-p passwdfile | Tell rpc.yppasswdd to use a source file other than /etc/passwd. |
-s shadowfile | Tell rpc.yppasswdd to use a source file other than /etc/shadow. |
-e [chsh|chfn] | Enable users to change either their shell or GECOS field. |
-v --version | Display version information and exit. |
-m | No effect. Included for compatibility. |