.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: rsh.1,v 1.6 2003/04/16 19:57:25 lha Exp $
.\"
.Dd September 4, 2002
.Dt RSH 1
.Os HEIMDAL
.Sh NAME
.Nm rsh
.Nd remote shell
.Sh SYNOPSIS
.Nm
.Op Fl 45FGKdefnuxz
.Op Fl U Pa string
.Op Fl p Ar port
.Op Fl l Ar username
.Op Fl P Ar N|O
.Ar host [command]
.Sh DESCRIPTION
.Nm
authenticates to the
.Xr rshd 8
daemon on the remote
.Ar host ,
and then executes the specified
.Ar command .
.Pp
.Nm
copies its standard input to the remote command, and the standard
output and error of the remote command to its own.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -krb4
.Xc
The
.Fl 4
option requests Kerberos 4 authentication. Normally all supported
authentication mechanisms will be tried, but in some cases more
explicit control is desired.
.It Xo
.Fl 5 ,
.Fl -krb5
.Xc
The
.Fl 5
option requests Kerberos 5 authentication. This is analogous to the
.Fl 4
option.
.It Xo
.Fl K ,
.Fl -broken
.Xc
The
.Fl K
option turns off all Kerberos authentication. The long name implies
that this is more or less totally insecure. The security in this mode
relies on reserved ports, which is not very secure.
.It Xo
.Fl n ,
.Fl -no-input
.Xc
The
.Fl n
option directs the input from the
.Pa /dev/null
device (see the
.Sx BUGS
section of this manual page).
.It Xo
.Fl e ,
.Fl -no-stderr
.Xc
Don't use a separate socket for the stderr stream. This can be
necessary if rsh-ing through a NAT bridge.
.It Xo
.Fl x ,
.Fl -encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Xo
.Fl z
.Xc
The opposite of
.Fl x .
This is the default, but encryption can be enabled when using
Kerberos 5, by setting the
.Li libdefaults/encrypt
option in
.Xr krb5.conf 5 .
.It Xo
.Fl f ,
.Fl -forward
.Xc
Forward Kerberos 5 credentials to the remote host. Also controlled by
.Li libdefaults/forward
in
.Xr krb5.conf 5 .
.It Xo
.Fl G
.Xc
The opposite of
.Fl f .
.It Xo
.Fl F ,
.Fl -forwardable
.Xc
Make the forwarded credentials re-forwardable. Also controlled by
.Li libdefaults/forwardable
in
.Xr krb5.conf 5 .
.It Xo
.Fl u ,
.Fl -unique
.Xc
Make sure the remote credentials cache is unique, that is, don't reuse
any existing cache. Mutually exclusive with
.Fl U .
.It Xo
.Fl U Pa string ,
.Fl -tkfile= Ns Pa string
.Xc
Name of the remote credentials cache. Mutually exclusive with
.Fl u .
.It Xo
.Fl p Ar number-or-service ,
.Fl -port= Ns Ar number-or-service
.Xc
Connect to this port instead of the default (which is 514 when using
old port based authentication, 544 for Kerberos 5 and non-encrypted
Kerberos 4, and 545 for encrypted Kerberos 4; subject of course to
the contents of
.Pa /etc/services ) .
.It Xo
.Fl l Ar string ,
.Fl -user= Ns Ar string
.Xc
By default the remote username is the same as the local. The
.Fl l
option or the
.Pa username@host
format allow the remote name to be specified.
.It Xo
.Fl P Ar N|O|1|2 ,
.Fl -protocol= Ns Ar N|O|1|2
.Xc
Specifies which protocol version to use with Kerberos 5.
.Ar N
and
.Ar 2
select protocol version 2, while
.Ar O
and
.Ar 1
select version 1. Version 2 is believed to be more secure, and is the
default. Unless asked for a specific version,
.Nm
will try both. This behaviour may change in the future.
.El
.\".Pp
.\"Without a
.\".Ar command
.\".Nm
.\"will just exec
.\".Xr rlogin 1
.\"with the same arguments.
.Sh EXAMPLES
Care should be taken when issuing commands containing shell meta
characters. Without quoting, these will be expanded on the local
machine.
.Pp
The following command:
.Pp
.Dl rsh otherhost cat remotefile > localfile
.Pp
will write the contents of the remote
.Pa remotefile
to the local
.Pa localfile ,
but:
.Pp
.Dl rsh otherhost 'cat remotefile > remotefile2'
.Pp
will write it to the remote
.Pa remotefile2 .
.\".Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr rlogin 1 ,
.Xr krb_realmofhost 3 ,
.Xr krb_sendauth 3 ,
.Xr hosts.equiv 5 ,
.Xr krb5.conf 5 ,
.Xr rhosts 5 ,
.Xr kerberos 8 ,
.Xr rshd 8
.\".Sh STANDARDS
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Sh AUTHORS
This implementation of
.Nm
was written as part of the Heimdal Kerberos 5 implementation.
.Sh BUGS
Some shells (notably
.Xr csh 1 )
will cause
.Nm
to block if run in the background, unless the standard input is directed away from the terminal. This is what the
.Fl n
option is for.
.Pp
The
.Fl x
option enables encryption for the session, but for both Kerberos 4
and 5 the actual command is sent unencrypted, so you should not send
any secret information in the command line (which is probably a bad
idea anyway, since the command line can usually be read with tools
like
.Xr ps 1 ) .
Furthermore, in Kerberos 4 the command is not even integrity
protected, so anyone with the right tools can modify the command.