10cadf2f4SJacques Vidrine.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $ 24137ff4cSJacques Vidrine.\" 30cadf2f4SJacques Vidrine.Dd September 4, 2002 44137ff4cSJacques Vidrine.Dt RSH 1 54137ff4cSJacques Vidrine.Os HEIMDAL 64137ff4cSJacques Vidrine.Sh NAME 74137ff4cSJacques Vidrine.Nm rsh 84137ff4cSJacques Vidrine.Nd 94137ff4cSJacques Vidrineremote shell 104137ff4cSJacques Vidrine.Sh SYNOPSIS 114137ff4cSJacques Vidrine.Nm 124137ff4cSJacques Vidrine.Op Fl 45FGKdefnuxz 134137ff4cSJacques Vidrine.Op Fl U Pa string 144137ff4cSJacques Vidrine.Op Fl p Ar port 154137ff4cSJacques Vidrine.Op Fl l Ar username 160cadf2f4SJacques Vidrine.Op Fl P Ar N|O 174137ff4cSJacques Vidrine.Ar host [command] 184137ff4cSJacques Vidrine.Sh DESCRIPTION 194137ff4cSJacques Vidrine.Nm 204137ff4cSJacques Vidrineauthenticates to the 214137ff4cSJacques Vidrine.Xr rshd 8 224137ff4cSJacques Vidrinedaemon on the remote 234137ff4cSJacques Vidrine.Ar host , 244137ff4cSJacques Vidrineand then executes the specified 254137ff4cSJacques Vidrine.Ar command . 264137ff4cSJacques Vidrine.Pp 274137ff4cSJacques Vidrine.Nm 284137ff4cSJacques Vidrinecopies its standard input to the remote command, and the standard 294137ff4cSJacques Vidrineoutput and error of the remote command to its own. 304137ff4cSJacques Vidrine.Pp 314137ff4cSJacques VidrineValid options are: 324137ff4cSJacques Vidrine.Bl -tag -width Ds 334137ff4cSJacques Vidrine.It Xo 348373020dSJacques Vidrine.Fl 4 , 354137ff4cSJacques Vidrine.Fl -krb4 364137ff4cSJacques Vidrine.Xc 374137ff4cSJacques VidrineThe 384137ff4cSJacques Vidrine.Fl 4 394137ff4cSJacques Vidrineoption requests Kerberos 4 authentication. Normally all supported 404137ff4cSJacques Vidrineauthentication mechanisms will be tried, but in some cases more 414137ff4cSJacques Vidrineexplicit control is desired. 424137ff4cSJacques Vidrine.It Xo 438373020dSJacques Vidrine.Fl 5 , 444137ff4cSJacques Vidrine.Fl -krb5 454137ff4cSJacques Vidrine.Xc 464137ff4cSJacques VidrineThe 474137ff4cSJacques Vidrine.Fl 5 484137ff4cSJacques Vidrineoption requests Kerberos 5 authentication. This is analogous to the 494137ff4cSJacques Vidrine.Fl 4 504137ff4cSJacques Vidrineoption. 514137ff4cSJacques Vidrine.It Xo 528373020dSJacques Vidrine.Fl K , 534137ff4cSJacques Vidrine.Fl -broken 544137ff4cSJacques Vidrine.Xc 554137ff4cSJacques VidrineThe 564137ff4cSJacques Vidrine.Fl K 574137ff4cSJacques Vidrineoption turns off all Kerberos authentication. The long name implies 584137ff4cSJacques Vidrinethat this is more or less totally unsecure. The security in this mode 594137ff4cSJacques Vidrinerelies on reserved ports, which is not very secure. 604137ff4cSJacques Vidrine.It Xo 618373020dSJacques Vidrine.Fl n , 624137ff4cSJacques Vidrine.Fl -no-input 634137ff4cSJacques Vidrine.Xc 644137ff4cSJacques VidrineThe 654137ff4cSJacques Vidrine.Fl n 664137ff4cSJacques Vidrineoption directs the input from the 674137ff4cSJacques Vidrine.Pa /dev/null 684137ff4cSJacques Vidrinedevice (see the 694137ff4cSJacques Vidrine.Sx BUGS 704137ff4cSJacques Vidrinesection of this manual page). 714137ff4cSJacques Vidrine.It Xo 728373020dSJacques Vidrine.Fl e , 734137ff4cSJacques Vidrine.Fl -no-stderr 744137ff4cSJacques Vidrine.Xc 754137ff4cSJacques VidrineDon't use a separate socket for the stderr stream. This can be 764137ff4cSJacques Vidrinenecessary if rsh-ing through a NAT bridge. 774137ff4cSJacques Vidrine.It Xo 788373020dSJacques Vidrine.Fl x , 794137ff4cSJacques Vidrine.Fl -encrypt 804137ff4cSJacques Vidrine.Xc 814137ff4cSJacques VidrineThe 824137ff4cSJacques Vidrine.Fl x 834137ff4cSJacques Vidrineoption enables encryption for all data exchange. This is only valid 844137ff4cSJacques Vidrinefor Kerberos authenticated connections (see the 854137ff4cSJacques Vidrine.Sx BUGS 864137ff4cSJacques Vidrinesection for limitations). 874137ff4cSJacques Vidrine.It Xo 884137ff4cSJacques Vidrine.Fl z 894137ff4cSJacques Vidrine.Xc 904137ff4cSJacques VidrineThe opposite of 914137ff4cSJacques Vidrine.Fl x . 924137ff4cSJacques VidrineThis is the default, but encryption can be enabled when using 934137ff4cSJacques VidrineKerberos 5, by setting the 944137ff4cSJacques Vidrine.Li libdefaults/encrypt 954137ff4cSJacques Vidrineoption in 964137ff4cSJacques Vidrine.Xr krb5.conf 5 . 974137ff4cSJacques Vidrine.It Xo 988373020dSJacques Vidrine.Fl f , 994137ff4cSJacques Vidrine.Fl -forward 1004137ff4cSJacques Vidrine.Xc 1014137ff4cSJacques VidrineForward Kerberos 5 credentials to the remote host. Also controlled by 1024137ff4cSJacques Vidrine.Li libdefaults/forward 1034137ff4cSJacques Vidrinein 1044137ff4cSJacques Vidrine.Xr krb5.conf 5 . 1054137ff4cSJacques Vidrine.It Xo 1064137ff4cSJacques Vidrine.Fl G 1074137ff4cSJacques Vidrine.Xc 1084137ff4cSJacques VidrineThe opposite of 1094137ff4cSJacques Vidrine.Fl f . 1104137ff4cSJacques Vidrine.It Xo 1118373020dSJacques Vidrine.Fl F , 1124137ff4cSJacques Vidrine.Fl -forwardable 1134137ff4cSJacques Vidrine.Xc 1144137ff4cSJacques VidrineMake the forwarded credentials re-forwardable. Also controlled by 1154137ff4cSJacques Vidrine.Li libdefaults/forwardable 1164137ff4cSJacques Vidrinein 1174137ff4cSJacques Vidrine.Xr krb5.conf 5 . 1184137ff4cSJacques Vidrine.It Xo 1198373020dSJacques Vidrine.Fl u , 1204137ff4cSJacques Vidrine.Fl -unique 1214137ff4cSJacques Vidrine.Xc 1224137ff4cSJacques VidrineMake sure the remote credentials cache is unique, that is, don't reuse 1234137ff4cSJacques Vidrineany existing cache. Mutually exclusive to 1244137ff4cSJacques Vidrine.Fl U . 1254137ff4cSJacques Vidrine.It Xo 1268373020dSJacques Vidrine.Fl U Pa string , 1274137ff4cSJacques Vidrine.Fl -tkfile= Ns Pa string 1284137ff4cSJacques Vidrine.Xc 1294137ff4cSJacques VidrineName of the remote credentials cache. Mutually exclusive to 1304137ff4cSJacques Vidrine.Fl u . 1314137ff4cSJacques Vidrine.It Xo 1328373020dSJacques Vidrine.Fl p Ar number-or-service , 1334137ff4cSJacques Vidrine.Fl -port= Ns Ar number-or-service 1344137ff4cSJacques Vidrine.Xc 1354137ff4cSJacques VidrineConnect to this port instead of the default (which is 514 when using 1364137ff4cSJacques Vidrineold port based authentication, 544 for Kerberos 5 and non-encrypted 1374137ff4cSJacques VidrineKerberos 4, and 545 for encrytpted Kerberos 4; subject of course to 1384137ff4cSJacques Vidrinethe contents of 1394137ff4cSJacques Vidrine.Pa /etc/services ) . 1404137ff4cSJacques Vidrine.It Xo 1418373020dSJacques Vidrine.Fl l Ar string , 1424137ff4cSJacques Vidrine.Fl -user= Ns Ar string 1434137ff4cSJacques Vidrine.Xc 1444137ff4cSJacques VidrineBy default the remote username is the same as the local. The 1454137ff4cSJacques Vidrine.Fl l 1464137ff4cSJacques Vidrineoption or the 1474137ff4cSJacques Vidrine.Pa username@host 1484137ff4cSJacques Vidrineformat allow the remote name to be specified. 1490cadf2f4SJacques Vidrine.It Xo 1500cadf2f4SJacques Vidrine.Fl P Ar N|O|1|2 , 1510cadf2f4SJacques Vidrine.Fl -protocol= Ns Ar N|O|1|2 1520cadf2f4SJacques Vidrine.Xc 1530cadf2f4SJacques VidrineSpecifies which protocol version to use with Kerberos 5. 1540cadf2f4SJacques Vidrine.Ar N 1550cadf2f4SJacques Vidrineand 1560cadf2f4SJacques Vidrine.Ar 2 1570cadf2f4SJacques Vidrineselects protocol version 2, while 1580cadf2f4SJacques Vidrine.Ar O 1590cadf2f4SJacques Vidrineand 1600cadf2f4SJacques Vidrine.Ar 1 1610cadf2f4SJacques Vidrineselects version 1. Version 2 is beleived to be more secure, and is the 1620cadf2f4SJacques Vidrinedefault. Unless asked for a specific version, 1630cadf2f4SJacques Vidrine.Nm 1640cadf2f4SJacques Vidrinewill try both. This behaviour may change in the future. 1654137ff4cSJacques Vidrine.El 1664137ff4cSJacques Vidrine.\".Pp 1674137ff4cSJacques Vidrine.\"Without a 1684137ff4cSJacques Vidrine.\".Ar command 1694137ff4cSJacques Vidrine.\".Nm 1704137ff4cSJacques Vidrine.\"will just exec 1714137ff4cSJacques Vidrine.\".Xr rlogin 1 1724137ff4cSJacques Vidrine.\"with the same arguments. 1734137ff4cSJacques Vidrine.Sh EXAMPLES 1744137ff4cSJacques VidrineCare should be taken when issuing commands containing shell meta 1750cadf2f4SJacques Vidrinecharacters. Without quoting, these will be expanded on the local 1764137ff4cSJacques Vidrinemachine. 1774137ff4cSJacques Vidrine.Pp 1784137ff4cSJacques VidrineThe following command: 1794137ff4cSJacques Vidrine.Pp 1804137ff4cSJacques Vidrine.Dl rsh otherhost cat remotefile > localfile 1814137ff4cSJacques Vidrine.Pp 1824137ff4cSJacques Vidrinewill write the contents of the remote 1834137ff4cSJacques Vidrine.Pa remotefile 1844137ff4cSJacques Vidrineto the local 1854137ff4cSJacques Vidrine.Pa localfile , 1864137ff4cSJacques Vidrinebut: 1874137ff4cSJacques Vidrine.Pp 1884137ff4cSJacques Vidrine.Dl rsh otherhost 'cat remotefile > remotefile2' 1894137ff4cSJacques Vidrine.Pp 1904137ff4cSJacques Vidrinewill write it to the remote 1914137ff4cSJacques Vidrine.Pa remotefile2 . 1924137ff4cSJacques Vidrine.\".Sh ENVIRONMENT 1934137ff4cSJacques Vidrine.Sh FILES 1944137ff4cSJacques Vidrine.Bl -tag -width /etc/hosts -compact 1954137ff4cSJacques Vidrine.It Pa /etc/hosts 1964137ff4cSJacques Vidrine.El 1974137ff4cSJacques Vidrine.\".Sh DIAGNOSTICS 1984137ff4cSJacques Vidrine.Sh SEE ALSO 1994137ff4cSJacques Vidrine.Xr rlogin 1 , 2004137ff4cSJacques Vidrine.Xr krb_realmofhost 3 , 2014137ff4cSJacques Vidrine.Xr krb_sendauth 3 , 2024137ff4cSJacques Vidrine.Xr hosts.equiv 5 , 2034137ff4cSJacques Vidrine.Xr krb5.conf 5 , 2044137ff4cSJacques Vidrine.Xr rhosts 5 , 2054137ff4cSJacques Vidrine.Xr kerberos 8 2064137ff4cSJacques Vidrine.Xr rshd 8 2074137ff4cSJacques Vidrine.\".Sh STANDARDS 2084137ff4cSJacques Vidrine.Sh HISTORY 2094137ff4cSJacques VidrineThe 2104137ff4cSJacques Vidrine.Nm 2114137ff4cSJacques Vidrinecommand appeared in 2124137ff4cSJacques Vidrine.Bx 4.2 . 2134137ff4cSJacques Vidrine.Sh AUTHORS 2144137ff4cSJacques VidrineThis implementation of 2154137ff4cSJacques Vidrine.Nm 2164137ff4cSJacques Vidrinewas written as part of the Heimdal Kerberos 5 implementation. 2174137ff4cSJacques Vidrine.Sh BUGS 2184137ff4cSJacques VidrineSome shells (notably 2194137ff4cSJacques Vidrine.Xr csh 1 ) 2204137ff4cSJacques Vidrinewill cause 2214137ff4cSJacques Vidrine.Nm 2224137ff4cSJacques Vidrineto block if run in the background, unless the standard input is directed away from the terminal. This is what the 2234137ff4cSJacques Vidrine.Fl n 2244137ff4cSJacques Vidrineoption is for. 2254137ff4cSJacques Vidrine.Pp 2264137ff4cSJacques VidrineThe 2274137ff4cSJacques Vidrine.Fl x 2284137ff4cSJacques Vidrineoptions enables encryption for the session, but for both Kerberos 4 2294137ff4cSJacques Vidrineand 5 the actual command is sent unencrypted, so you should not send 2304137ff4cSJacques Vidrineany secret information in the command line (which is probably a bad 2314137ff4cSJacques Vidrineidea anyway, since the command line can usually be read with tools 2324137ff4cSJacques Vidrinelike 2334137ff4cSJacques Vidrine.Xr ps 1 ) . 2344137ff4cSJacques VidrineForthermore in Kerberos 4 the command is not even integrity 2354137ff4cSJacques Vidrineprotected, so anyone with the right tools can modify the command. 236