xref: /freebsd/crypto/heimdal/appl/rsh/rsh.1 (revision f7c4bd95ba735bd6a5454b4953945a99cefbb80c)
1.\" Copyright (c) 2002 - 2003 Kungliga Tekniska H�gskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\"	$Id: rsh.1 13394 2004-02-20 12:21:42Z joda $
33.\"
34.Dd February 20, 2004
35.Dt RSH 1
36.Os HEIMDAL
37.Sh NAME
38.Nm rsh
39.Nd
40remote shell
41.Sh SYNOPSIS
42.Nm
43.Op Fl 45FGKdefnuxz
44.Op Fl U Pa string
45.Op Fl p Ar port
46.Op Fl l Ar username
47.Op Fl P Ar N|O
48.Ar host [command]
49.Sh DESCRIPTION
50.Nm
51authenticates to the
52.Xr rshd 8
53daemon on the remote
54.Ar host ,
55and then executes the specified
56.Ar command .
57.Pp
58.Nm
59copies its standard input to the remote command, and the standard
60output and error of the remote command to its own.
61.Pp
62Valid options are:
63.Bl -tag -width Ds
64.It Xo
65.Fl 4 ,
66.Fl -krb4
67.Xc
68The
69.Fl 4
70option requests Kerberos 4 authentication. Normally all supported
71authentication mechanisms will be tried, but in some cases more
72explicit control is desired.
73.It Xo
74.Fl 5 ,
75.Fl -krb5
76.Xc
77The
78.Fl 5
79option requests Kerberos 5 authentication. This is analogous to the
80.Fl 4
81option.
82.It Xo
83.Fl K ,
84.Fl -broken
85.Xc
86The
87.Fl K
88option turns off all Kerberos authentication. The security in this
89mode relies on reserved ports. The long name is an indication of how
90good this is.
91.It Xo
92.Fl n ,
93.Fl -no-input
94.Xc
95The
96.Fl n
97option directs the input from the
98.Pa /dev/null
99device (see the
100.Sx BUGS
101section of this manual page).
102.It Fl d
103Enable
104.Xr setsockopt 2
105socket debugging.
106.It Xo
107.Fl e ,
108.Fl -no-stderr
109.Xc
110Don't use a separate socket for the stderr stream. This can be
111necessary if rsh-ing through a NAT bridge.
112.It Xo
113.Fl x ,
114.Fl -encrypt
115.Xc
116The
117.Fl x
118option enables encryption for all data exchange. This is only valid
119for Kerberos authenticated connections (see the
120.Sx BUGS
121section for limitations).
122.It Xo
123.Fl z
124.Xc
125The opposite of
126.Fl x .
127This is the default, and is mainly useful if encryption has been
128enabled by default, for instance in the
129.Li appdefaults
130section of
131.Pa /etc/krb5.conf
132when using Kerberos 5.
133.It Xo
134.Fl f ,
135.Fl -forward
136.Xc
137Forward Kerberos 5 credentials to the remote host.
138Also settable via
139.Li appdefaults
140(see
141.Xr krb5.conf ) .
142.It Xo
143.Fl F ,
144.Fl -forwardable
145.Xc
146Make the forwarded credentials re-forwardable.
147Also settable via
148.Li appdefaults
149(see
150.Xr krb5.conf ) .
151.It Xo
152.Fl l Ar string ,
153.Fl -user= Ns Ar string
154.Xc
155By default the remote username is the same as the local. The
156.Fl l
157option or the
158.Pa username@host
159format allow the remote name to be specified.
160.It Xo
161.Fl n ,
162.Fl -no-input
163.Xc
164Direct input from
165.Pa /dev/null
166(see the
167.Sx BUGS
168section).
169.It Xo
170.Fl p Ar number-or-service ,
171.Fl -port= Ns Ar number-or-service
172.Xc
173Connect to this port instead of the default (which is 514 when using
174old port based authentication, 544 for Kerberos 5 and non-encrypted
175Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
176the contents of
177.Pa /etc/services ) .
178.It Xo
179.Fl P Ar N|O|1|2 ,
180.Fl -protocol= Ns Ar N|O|1|2
181.Xc
182Specifies the protocol version to use with Kerberos 5.
183.Ar N
184and
185.Ar 2
186select protocol version 2, while
187.Ar O
188and
189.Ar 1
190select version 1. Version 2 is believed to be more secure, and is the
191default. Unless asked for a specific version,
192.Nm
193will try both.  This behaviour may change in the future.
194.It Xo
195.Fl u ,
196.Fl -unique
197.Xc
198Make sure the remote credentials cache is unique, that is, don't reuse
199any existing cache. Mutually exclusive to
200.Fl U .
201.It Xo
202.Fl U Pa string ,
203.Fl -tkfile= Ns Pa string
204.Xc
205Name of the remote credentials cache. Mutually exclusive to
206.Fl u .
207.It Xo
208.Fl x ,
209.Fl -encrypt
210.Xc
211The
212.Fl x
213option enables encryption for all data exchange. This is only valid
214for Kerberos authenticated connections (see the
215.Sx BUGS
216section for limitations).
217.It Fl z
218The opposite of
219.Fl x .
220This is the default, but encryption can be enabled when using
221Kerberos 5, by setting the
222.Li libdefaults/encrypt
223option in
224.Xr krb5.conf 5 .
225.El
226.\".Pp
227.\"Without a
228.\".Ar command
229.\".Nm
230.\"will just exec
231.\".Xr rlogin 1
232.\"with the same arguments.
233.Sh EXAMPLES
234Care should be taken when issuing commands containing shell meta
235characters. Without quoting, these will be expanded on the local
236machine.
237.Pp
238The following command:
239.Pp
240.Dl rsh otherhost cat remotefile \*[Gt] localfile
241.Pp
242will write the contents of the remote
243.Pa remotefile
244to the local
245.Pa localfile ,
246but:
247.Pp
248.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
249.Pp
250will write it to the remote
251.Pa remotefile2 .
252.\".Sh ENVIRONMENT
253.Sh FILES
254.Bl -tag -width /etc/hosts -compact
255.It Pa /etc/hosts
256.El
257.\".Sh DIAGNOSTICS
258.Sh SEE ALSO
259.Xr rlogin 1 ,
260.Xr krb_realmofhost 3 ,
261.Xr krb_sendauth 3 ,
262.Xr hosts.equiv 5 ,
263.Xr krb5.conf 5 ,
264.Xr rhosts 5 ,
265.Xr kerberos 8
266.Xr rshd 8
267.\".Sh STANDARDS
268.Sh HISTORY
269The
270.Nm
271command appeared in
272.Bx 4.2 .
273.Sh AUTHORS
274This implementation of
275.Nm
276was written as part of the Heimdal Kerberos 5 implementation.
277.Sh BUGS
278Some shells (notably
279.Xr csh 1 )
280will cause
281.Nm
282to block if run in the background, unless the standard input is directed away from the terminal. This is what the
283.Fl n
284option is for.
285.Pp
286The
287.Fl x
288options enables encryption for the session, but for both Kerberos 4
289and 5 the actual command is sent unencrypted, so you should not send
290any secret information in the command line (which is probably a bad
291idea anyway, since the command line can usually be read with tools
292like
293.Xr ps 1 ) .
294Forthermore in Kerberos 4 the command is not even integrity
295protected, so anyone with the right tools can modify the command.
296