.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $
.\"
.Dd September 4, 2002
.Dt RSH 1
.Os HEIMDAL
.Sh NAME
.Nm rsh
.Nd
remote shell
.Sh SYNOPSIS
.Nm
.Op Fl 45FGKdefnuxz
.Op Fl U Pa string
.Op Fl p Ar port
.Op Fl l Ar username
.Op Fl P Ar N|O
.Ar host [command]
.Sh DESCRIPTION
.Nm
authenticates to the
.Xr rshd 8
daemon on the remote
.Ar host ,
and then executes the specified
.Ar command .
.Pp
.Nm
copies its standard input to the remote command, and the standard
output and error of the remote command to its own.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -krb4
.Xc
The
.Fl 4
option requests Kerberos 4 authentication. Normally all supported
authentication mechanisms will be tried, but in some cases more
explicit control is desired.
.It Xo
.Fl 5 ,
.Fl -krb5
.Xc
The
.Fl 5
option requests Kerberos 5 authentication. This is analogous to the
.Fl 4
option.
.It Xo
.Fl K ,
.Fl -broken
.Xc
The
.Fl K
option turns off all Kerberos authentication. The long name implies
that this is more or less totally insecure. The security in this mode
relies on reserved ports, which is not very secure.
.It Xo
.Fl n ,
.Fl -no-input
.Xc
The
.Fl n
option directs the input from the
.Pa /dev/null
device (see the
.Sx BUGS
section of this manual page).
.It Xo
.Fl e ,
.Fl -no-stderr
.Xc
Don't use a separate socket for the stderr stream. This can be
necessary if rsh-ing through a NAT bridge.
.It Xo
.Fl x ,
.Fl -encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Xo
.Fl z
.Xc
The opposite of
.Fl x .
This is the default, but encryption can be enabled when using
Kerberos 5, by setting the
.Li libdefaults/encrypt
option in
.Xr krb5.conf 5 .
.It Xo
.Fl f ,
.Fl -forward
.Xc
Forward Kerberos 5 credentials to the remote host. Also controlled by
.Li libdefaults/forward
in
.Xr krb5.conf 5 .
.It Xo
.Fl G
.Xc
The opposite of
.Fl f .
.It Xo
.Fl F ,
.Fl -forwardable
.Xc
Make the forwarded credentials re-forwardable. Also controlled by
.Li libdefaults/forwardable
in
.Xr krb5.conf 5 .
.It Xo
.Fl u ,
.Fl -unique
.Xc
Make sure the remote credentials cache is unique, that is, don't reuse
any existing cache. Mutually exclusive with
.Fl U .
.It Xo
.Fl U Pa string ,
.Fl -tkfile= Ns Pa string
.Xc
Name of the remote credentials cache. Mutually exclusive with
.Fl u .
.It Xo
.Fl p Ar number-or-service ,
.Fl -port= Ns Ar number-or-service
.Xc
Connect to this port instead of the default (which is 514 when using
old port based authentication, 544 for Kerberos 5 and non-encrypted
Kerberos 4, and 545 for encrypted Kerberos 4; subject of course to
the contents of
.Pa /etc/services ) .
.It Xo
.Fl l Ar string ,
.Fl -user= Ns Ar string
.Xc
By default the remote username is the same as the local. The
.Fl l
option or the
.Pa username@host
format allow the remote name to be specified.
.It Xo
.Fl P Ar N|O|1|2 ,
.Fl -protocol= Ns Ar N|O|1|2
.Xc
Specifies which protocol version to use with Kerberos 5.
.Ar N
and
.Ar 2
select protocol version 2, while
.Ar O
and
.Ar 1
select version 1. Version 2 is believed to be more secure, and is the
default. Unless asked for a specific version,
.Nm
will try both. This behaviour may change in the future.
.El
.\".Pp
.\"Without a
.\".Ar command
.\".Nm
.\"will just exec
.\".Xr rlogin 1
.\"with the same arguments.
.Sh EXAMPLES
Care should be taken when issuing commands containing shell meta
characters. Without quoting, these will be expanded on the local
machine.
.Pp
The following command:
.Pp
.Dl rsh otherhost cat remotefile > localfile
.Pp
will write the contents of the remote
.Pa remotefile
to the local
.Pa localfile ,
but:
.Pp
.Dl rsh otherhost 'cat remotefile > remotefile2'
.Pp
will write it to the remote
.Pa remotefile2 .
.\".Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr rlogin 1 ,
.Xr krb_realmofhost 3 ,
.Xr krb_sendauth 3 ,
.Xr hosts.equiv 5 ,
.Xr krb5.conf 5 ,
.Xr rhosts 5 ,
.Xr kerberos 8 ,
.Xr rshd 8
.\".Sh STANDARDS
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Sh AUTHORS
This implementation of
.Nm
was written as part of the Heimdal Kerberos 5 implementation.
.Sh BUGS
Some shells (notably
.Xr csh 1 )
will cause
.Nm
to block if run in the background, unless the standard input is
directed away from the terminal. This is what the
.Fl n
option is for.
.Pp
The
.Fl x
option enables encryption for the session, but for both Kerberos 4
and 5 the actual command is sent unencrypted, so you should not send
any secret information in the command line (which is probably a bad
idea anyway, since the command line can usually be read with tools
like
.Xr ps 1 ) .
Furthermore, in Kerberos 4 the command is not even integrity
protected, so anyone with the right tools can modify the command.
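Added example (not part of this manual page or of the Heimdal distribution): a Python check that parses rsh command lines with the option set documented above and reports the security-relevant choices described under the options and in BUGS. The function name and the finding labels are constructed for illustration.

```python
import getopt
import shlex

# Option letters from the SYNOPSIS; U, p, l and P take an argument.
SHORT = "45FGKdefnuxzU:p:l:P:"
LONG = ["krb4", "krb5", "broken", "no-input", "no-stderr", "encrypt",
        "forward", "forwardable", "unique", "tkfile=", "port=", "user=",
        "protocol="]


def audit_rsh(cmdline):
    """Return finding names (constructed labels) for one rsh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "rsh":
        return []
    try:
        # getopt stops at the first non-option word, i.e. the host, so
        # options belonging to the remote command are left untouched.
        opts, rest = getopt.getopt(argv[1:], SHORT, LONG)
    except getopt.GetoptError as err:
        return ["unparsed: %s" % err]
    flags = {name for name, _ in opts}
    values = dict(opts)
    findings = []
    if flags & {"-K", "--broken"}:
        # All Kerberos authentication off; security rests on reserved ports.
        findings.append("no-kerberos")
    elif not flags & {"-x", "--encrypt"}:
        # Encryption is off by default unless krb5.conf enables it.
        findings.append("no-encrypt-flag")
    if flags & {"-F", "--forwardable"}:
        findings.append("reforwardable-credentials")
    if values.get("-P", values.get("--protocol")) in ("O", "1"):
        findings.append("krb5-protocol-v1")
    if len(rest) > 1:
        # Per BUGS: the command itself is sent unencrypted even with -x.
        findings.append("command-in-clear")
        if flags & {"-4", "--krb4"}:
            # Per BUGS: with Kerberos 4 it is not integrity protected either.
            findings.append("krb4-command-no-integrity")
    return findings
```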