1.\" $Id: rsh.1,v 1.1 2001/07/31 08:13:41 joda Exp $ 2.\" 3.Dd July 31, 2001 4.Dt RSH 1 5.Os HEIMDAL 6.Sh NAME 7.Nm rsh 8.Nd 9remote shell 10.Sh SYNOPSIS 11.Nm 12.Op Fl 45FGKdefnuxz 13.Op Fl U Pa string 14.Op Fl p Ar port 15.Op Fl l Ar username 16.Ar host [command] 17.Sh DESCRIPTION 18.Nm 19authenticates to the 20.Xr rshd 8 21daemon on the remote 22.Ar host , 23and then executes the specified 24.Ar command . 25.Pp 26.Nm 27copies its standard input to the remote command, and the standard 28output and error of the remote command to its own. 29.Pp 30Valid options are: 31.Bl -tag -width Ds 32.It Xo 33.Fl 4 Ns , 34.Fl -krb4 35.Xc 36The 37.Fl 4 38option requests Kerberos 4 authentication. Normally all supported 39authentication mechanisms will be tried, but in some cases more 40explicit control is desired. 41.It Xo 42.Fl 5 Ns , 43.Fl -krb5 44.Xc 45The 46.Fl 5 47option requests Kerberos 5 authentication. This is analogous to the 48.Fl 4 49option. 50.It Xo 51.Fl K Ns , 52.Fl -broken 53.Xc 54The 55.Fl K 56option turns off all Kerberos authentication. The long name implies 57that this is more or less totally unsecure. The security in this mode 58relies on reserved ports, which is not very secure. 59.It Xo 60.Fl n Ns , 61.Fl -no-input 62.Xc 63The 64.Fl n 65option directs the input from the 66.Pa /dev/null 67device (see the 68.Sx BUGS 69section of this manual page). 70.It Xo 71.Fl e Ns , 72.Fl -no-stderr 73.Xc 74Don't use a separate socket for the stderr stream. This can be 75necessary if rsh-ing through a NAT bridge. 76.It Xo 77.Fl x Ns , 78.Fl -encrypt 79.Xc 80The 81.Fl x 82option enables encryption for all data exchange. This is only valid 83for Kerberos authenticated connections (see the 84.Sx BUGS 85section for limitations). 86.It Xo 87.Fl z 88.Xc 89The opposite of 90.Fl x . 91This is the default, but encryption can be enabled when using 92Kerberos 5, by setting the 93.Li libdefaults/encrypt 94option in 95.Xr krb5.conf 5 . 96.It Xo 97.Fl f Ns , 98.Fl -forward 99.Xc 100Forward Kerberos 5 credentials to the remote host. Also controlled by 101.Li libdefaults/forward 102in 103.Xr krb5.conf 5 . 104.It Xo 105.Fl G 106.Xc 107The opposite of 108.Fl f . 109.It Xo 110.Fl F Ns , 111.Fl -forwardable 112.Xc 113Make the forwarded credentials re-forwardable. Also controlled by 114.Li libdefaults/forwardable 115in 116.Xr krb5.conf 5 . 117.It Xo 118.Fl u Ns , 119.Fl -unique 120.Xc 121Make sure the remote credentials cache is unique, that is, don't reuse 122any existing cache. Mutually exclusive to 123.Fl U . 124.It Xo 125.Fl U Pa string Ns , 126.Fl -tkfile= Ns Pa string 127.Xc 128Name of the remote credentials cache. Mutually exclusive to 129.Fl u . 130.It Xo 131.Fl p Ar number-or-service Ns , 132.Fl -port= Ns Ar number-or-service 133.Xc 134Connect to this port instead of the default (which is 514 when using 135old port based authentication, 544 for Kerberos 5 and non-encrypted 136Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to 137the contents of 138.Pa /etc/services ) . 139.It Xo 140.Fl l Ar string Ns , 141.Fl -user= Ns Ar string 142.Xc 143By default the remote username is the same as the local. The 144.Fl l 145option or the 146.Pa username@host 147format allow the remote name to be specified. 148.El 149.\".Pp 150.\"Without a 151.\".Ar command 152.\".Nm 153.\"will just exec 154.\".Xr rlogin 1 155.\"with the same arguments. 156.Sh EXAMPLES 157Care should be taken when issuing commands containing shell meta 158characters. Without quoting these will be expanded on the local 159machine. 160.Pp 161The following command: 162.Pp 163.Dl rsh otherhost cat remotefile > localfile 164.Pp 165will write the contents of the remote 166.Pa remotefile 167to the local 168.Pa localfile , 169but: 170.Pp 171.Dl rsh otherhost 'cat remotefile > remotefile2' 172.Pp 173will write it to the remote 174.Pa remotefile2 . 175.\".Sh ENVIRONMENT 176.Sh FILES 177.Bl -tag -width /etc/hosts -compact 178.It Pa /etc/hosts 179.El 180.\".Sh DIAGNOSTICS 181.Sh SEE ALSO 182.Xr rlogin 1 , 183.Xr krb_realmofhost 3 , 184.Xr krb_sendauth 3 , 185.Xr hosts.equiv 5 , 186.Xr krb5.conf 5 , 187.Xr rhosts 5 , 188.Xr kerberos 8 189.Xr rshd 8 190.\".Sh STANDARDS 191.Sh HISTORY 192The 193.Nm 194command appeared in 195.Bx 4.2 . 196.Sh AUTHORS 197This implementation of 198.Nm 199was written as part of the Heimdal Kerberos 5 implementation. 200.Sh BUGS 201Some shells (notably 202.Xr csh 1 ) 203will cause 204.Nm 205to block if run in the background, unless the standard input is directed away from the terminal. This is what the 206.Fl n 207option is for. 208.Pp 209The 210.Fl x 211options enables encryption for the session, but for both Kerberos 4 212and 5 the actual command is sent unencrypted, so you should not send 213any secret information in the command line (which is probably a bad 214idea anyway, since the command line can usually be read with tools 215like 216.Xr ps 1 ) . 217Forthermore in Kerberos 4 the command is not even integrity 218protected, so anyone with the right tools can modify the command. 219