xref: /freebsd/crypto/heimdal/appl/rsh/rsh.1 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright (c) 2002 - 2003 Kungliga Tekniska H�gskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	$Id: rsh.1,v 1.6 2003/04/16 19:57:25 lha Exp $
33.\"
34.Dd September 4, 2002
35.Dt RSH 1
36.Os HEIMDAL
37.Sh NAME
38.Nm rsh
39.Nd
40remote shell
41.Sh SYNOPSIS
42.Nm
43.Op Fl 45FGKdefnuxz
44.Op Fl U Pa string
45.Op Fl p Ar port
46.Op Fl l Ar username
47.Op Fl P Ar N|O
48.Ar host [command]
49.Sh DESCRIPTION
50.Nm
51authenticates to the
52.Xr rshd 8
53daemon on the remote
54.Ar host ,
55and then executes the specified
56.Ar command .
57.Pp
58.Nm
59copies its standard input to the remote command, and the standard
60output and error of the remote command to its own.
61.Pp
62Valid options are:
63.Bl -tag -width Ds
64.It Xo
65.Fl 4 ,
66.Fl -krb4
67.Xc
68The
69.Fl 4
70option requests Kerberos 4 authentication. Normally all supported
71authentication mechanisms will be tried, but in some cases more
72explicit control is desired.
73.It Xo
74.Fl 5 ,
75.Fl -krb5
76.Xc
77The
78.Fl 5
79option requests Kerberos 5 authentication. This is analogous to the
80.Fl 4
81option.
82.It Xo
83.Fl K ,
84.Fl -broken
85.Xc
86The
87.Fl K
88option turns off all Kerberos authentication. The long name implies
89that this is more or less totally unsecure. The security in this mode
90relies on reserved ports, which is not very secure.
91.It Xo
92.Fl n ,
93.Fl -no-input
94.Xc
95The
96.Fl n
97option directs the input from the
98.Pa /dev/null
99device (see the
100.Sx BUGS
101section of this manual page).
102.It Xo
103.Fl e ,
104.Fl -no-stderr
105.Xc
106Don't use a separate socket for the stderr stream. This can be
107necessary if rsh-ing through a NAT bridge.
108.It Xo
109.Fl x ,
110.Fl -encrypt
111.Xc
112The
113.Fl x
114option enables encryption for all data exchange. This is only valid
115for Kerberos authenticated connections (see the
116.Sx BUGS
117section for limitations).
118.It Xo
119.Fl z
120.Xc
121The opposite of
122.Fl x .
123This is the default, but encryption can be enabled when using
124Kerberos 5, by setting the
125.Li libdefaults/encrypt
126option in
127.Xr krb5.conf 5 .
128.It Xo
129.Fl f ,
130.Fl -forward
131.Xc
132Forward Kerberos 5 credentials to the remote host. Also controlled by
133.Li libdefaults/forward
134in
135.Xr krb5.conf 5 .
136.It Xo
137.Fl G
138.Xc
139The opposite of
140.Fl f .
141.It Xo
142.Fl F ,
143.Fl -forwardable
144.Xc
145Make the forwarded credentials re-forwardable. Also controlled by
146.Li libdefaults/forwardable
147in
148.Xr krb5.conf 5 .
149.It Xo
150.Fl u ,
151.Fl -unique
152.Xc
153Make sure the remote credentials cache is unique, that is, don't reuse
154any existing cache. Mutually exclusive to
155.Fl U .
156.It Xo
157.Fl U Pa string ,
158.Fl -tkfile= Ns Pa string
159.Xc
160Name of the remote credentials cache. Mutually exclusive to
161.Fl u .
162.It Xo
163.Fl p Ar number-or-service ,
164.Fl -port= Ns Ar number-or-service
165.Xc
166Connect to this port instead of the default (which is 514 when using
167old port based authentication, 544 for Kerberos 5 and non-encrypted
168Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
169the contents of
170.Pa /etc/services ) .
171.It Xo
172.Fl l Ar string ,
173.Fl -user= Ns Ar string
174.Xc
175By default the remote username is the same as the local. The
176.Fl l
177option or the
178.Pa username@host
179format allow the remote name to be specified.
180.It Xo
181.Fl P Ar N|O|1|2 ,
182.Fl -protocol= Ns Ar N|O|1|2
183.Xc
184Specifies which protocol version to use with Kerberos 5.
185.Ar N
186and
187.Ar 2
188selects protocol version 2, while
189.Ar O
190and
191.Ar 1
192selects version 1. Version 2 is believed to be more secure, and is the
193default. Unless asked for a specific version,
194.Nm
195will try both.  This behaviour may change in the future.
196.El
197.\".Pp
198.\"Without a
199.\".Ar command
200.\".Nm
201.\"will just exec
202.\".Xr rlogin 1
203.\"with the same arguments.
204.Sh EXAMPLES
205Care should be taken when issuing commands containing shell meta
206characters. Without quoting, these will be expanded on the local
207machine.
208.Pp
209The following command:
210.Pp
211.Dl rsh otherhost cat remotefile > localfile
212.Pp
213will write the contents of the remote
214.Pa remotefile
215to the local
216.Pa localfile ,
217but:
218.Pp
219.Dl rsh otherhost 'cat remotefile > remotefile2'
220.Pp
221will write it to the remote
222.Pa remotefile2 .
223.\".Sh ENVIRONMENT
224.Sh FILES
225.Bl -tag -width /etc/hosts -compact
226.It Pa /etc/hosts
227.El
228.\".Sh DIAGNOSTICS
229.Sh SEE ALSO
230.Xr rlogin 1 ,
231.Xr krb_realmofhost 3 ,
232.Xr krb_sendauth 3 ,
233.Xr hosts.equiv 5 ,
234.Xr krb5.conf 5 ,
235.Xr rhosts 5 ,
236.Xr kerberos 8
237.Xr rshd 8
238.\".Sh STANDARDS
239.Sh HISTORY
240The
241.Nm
242command appeared in
243.Bx 4.2 .
244.Sh AUTHORS
245This implementation of
246.Nm
247was written as part of the Heimdal Kerberos 5 implementation.
248.Sh BUGS
249Some shells (notably
250.Xr csh 1 )
251will cause
252.Nm
253to block if run in the background, unless the standard input is directed away from the terminal. This is what the
254.Fl n
255option is for.
256.Pp
257The
258.Fl x
259options enables encryption for the session, but for both Kerberos 4
260and 5 the actual command is sent unencrypted, so you should not send
261any secret information in the command line (which is probably a bad
262idea anyway, since the command line can usually be read with tools
263like
264.Xr ps 1 ) .
265Forthermore in Kerberos 4 the command is not even integrity
266protected, so anyone with the right tools can modify the command.
267