.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 20, 2004
.Dt RSH 1
.Os HEIMDAL
.Sh NAME
.Nm rsh
.Nd remote shell
.Sh SYNOPSIS
.Nm
.Op Fl 45FGKdefnuxz
.Op Fl U Pa string
.Op Fl p Ar port
.Op Fl l Ar username
.Op Fl P Ar N|O
.Ar host [command]
.Sh DESCRIPTION
.Nm
authenticates to the
.Xr rshd 8
daemon on the remote
.Ar host ,
and then executes the specified
.Ar command .
.Pp
.Nm
copies its standard input to the remote command, and the standard
output and error of the remote command to its own.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl Fl krb4
.Xc
The
.Fl 4
option requests Kerberos 4 authentication. Normally all supported
authentication mechanisms will be tried, but in some cases more
explicit control is desired.
.It Xo
.Fl 5 ,
.Fl Fl krb5
.Xc
The
.Fl 5
option requests Kerberos 5 authentication. This is analogous to the
.Fl 4
option.
.It Xo
.Fl K ,
.Fl Fl broken
.Xc
The
.Fl K
option turns off all Kerberos authentication. The security in this
mode relies on reserved ports. The long name is an indication of how
good this is.
.It Xo
.Fl n ,
.Fl Fl no-input
.Xc
The
.Fl n
option directs the input from the
.Pa /dev/null
device (see the
.Sx BUGS
section of this manual page).
.It Fl d
Enable
.Xr setsockopt 2
socket debugging.
.It Xo
.Fl e ,
.Fl Fl no-stderr
.Xc
Don't use a separate socket for the stderr stream. This can be
necessary if rsh-ing through a NAT bridge.
.It Xo
.Fl x ,
.Fl Fl encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Xo
.Fl z
.Xc
The opposite of
.Fl x .
This is the default, and is mainly useful if encryption has been
enabled by default, for instance in the
.Li appdefaults
section of
.Pa /etc/krb5.conf
when using Kerberos 5.
.It Xo
.Fl f ,
.Fl Fl forward
.Xc
Forward Kerberos 5 credentials to the remote host.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl F ,
.Fl Fl forwardable
.Xc
Make the forwarded credentials re-forwardable.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl l Ar string ,
.Fl Fl user= Ns Ar string
.Xc
By default the remote username is the same as the local. The
.Fl l
option or the
.Pa username@host
format allow the remote name to be specified.
.It Xo
.Fl n ,
.Fl Fl no-input
.Xc
Direct input from
.Pa /dev/null
(see the
.Sx BUGS
section).
.It Xo
.Fl p Ar number-or-service ,
.Fl Fl port= Ns Ar number-or-service
.Xc
Connect to this port instead of the default (which is 514 when using
old port-based authentication, 544 for Kerberos 5 and non-encrypted
Kerberos 4, and 545 for encrypted Kerberos 4; subject of course to
the contents of
.Pa /etc/services ) .
.It Xo
.Fl P Ar N|O|1|2 ,
.Fl Fl protocol= Ns Ar N|O|1|2
.Xc
Specifies the protocol version to use with Kerberos 5.
.Ar N
and
.Ar 2
select protocol version 2, while
.Ar O
and
.Ar 1
select version 1. Version 2 is believed to be more secure, and is the
default. Unless asked for a specific version,
.Nm
will try both. This behaviour may change in the future.
.It Xo
.Fl u ,
.Fl Fl unique
.Xc
Make sure the remote credentials cache is unique, that is, don't reuse
any existing cache. Mutually exclusive with
.Fl U .
.It Xo
.Fl U Pa string ,
.Fl Fl tkfile= Ns Pa string
.Xc
Name of the remote credentials cache. Mutually exclusive with
.Fl u .
.It Xo
.Fl x ,
.Fl Fl encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Fl z
The opposite of
.Fl x .
This is the default, but encryption can be enabled when using
Kerberos 5, by setting the
.Li libdefaults/encrypt
option in
.Xr krb5.conf 5 .
.El
.\".Pp
.\"Without a
.\".Ar command
.\".Nm
.\"will just exec
.\".Xr rlogin 1
.\"with the same arguments.
.Sh EXAMPLES
Care should be taken when issuing commands containing shell
metacharacters. Without quoting, these will be expanded on the local
machine.
.Pp
The following command:
.Pp
.Dl rsh otherhost cat remotefile \*[Gt] localfile
.Pp
will write the contents of the remote
.Pa remotefile
to the local
.Pa localfile ,
but:
.Pp
.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
.Pp
will write it to the remote
.Pa remotefile2 .
.\".Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr rlogin 1 ,
.Xr krb_realmofhost 3 ,
.Xr krb_sendauth 3 ,
.Xr hosts.equiv 5 ,
.Xr krb5.conf 5 ,
.Xr rhosts 5 ,
.Xr kerberos 8 ,
.Xr rshd 8
.\".Sh STANDARDS
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Sh AUTHORS
This implementation of
.Nm
was written as part of the Heimdal Kerberos 5 implementation.
.Sh BUGS
Some shells (notably
.Xr csh 1 )
will cause
.Nm
to block if run in the background, unless the standard input is directed away from the terminal. This is what the
.Fl n
option is for.
.Pp
The
.Fl x
option enables encryption for the session, but for both Kerberos 4
and 5 the actual command is sent unencrypted, so you should not send
any secret information in the command line (which is probably a bad
idea anyway, since the command line can usually be read with tools
like
.Xr ps 1 ) .
Furthermore, in Kerberos 4 the command is not even integrity
protected, so anyone with the right tools can modify the command.
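.Pp
The quoting rule from EXAMPLES and the command-line caveat above, as an added example that is not part of the Heimdal manual page or code: rquote single-quotes every argument so the remote shell sees it literally, and send_secret_stdin passes a secret on standard input (which this page says is copied to the remote command) instead of in the command string.
The names rquote, remote_sh and send_secret_stdin are hypothetical, and remote_sh is a local sh -c stand-in that assumes the far end runs the space-joined arguments through a shell.

```shell
#!/bin/sh
# Added example, not Heimdal code. All function names are hypothetical.

# rquote ARG...: print the arguments as one string in which each argument is
# single-quoted for a POSIX shell; an embedded ' becomes '\'' .
# Uses plain (global) variables because POSIX sh has no "local".
rquote() {
    sq="'"
    out=
    for arg in "$@"; do
        q=
        while :; do
            case $arg in
                *"$sq"*) head=${arg%%"$sq"*}      # text before the first '
                         arg=${arg#*"$sq"}        # text after it
                         q="$q$head'\\''" ;;
                *) break ;;
            esac
        done
        out="${out:+$out }'$q$arg'"
    done
    printf '%s\n' "$out"
}

# remote_sh ARG...: stand-in for the remote side (assumption): the arguments
# are joined with spaces and the resulting string is run by a shell.
remote_sh() { sh -c "$*"; }

# send_secret_stdin SECRET REMOTE_CMD...: the secret travels on stdin, so it
# is never part of the command string and never shows up in a process listing.
send_secret_stdin() {
    secret=$1; shift
    printf '%s\n' "$secret" | remote_sh "$@"
}

# Constructed sample: a file name full of characters a shell would act on.
name="it's a \$HOME; *file"
printf 'command string sent: cat %s\n' "$(rquote "$name")"
```

With a real connection the string printed by rquote is what would follow the host name on the rsh command line; it still crosses the network in the clear, so quoting protects the argument boundaries, not their confidentiality.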