.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: rsh.1 13394 2004-02-20 12:21:42Z joda $
.\"
.Dd February 20, 2004
.Dt RSH 1
.Os HEIMDAL
.Sh NAME
.Nm rsh
.Nd
remote shell
.Sh SYNOPSIS
.Nm
.Op Fl 45FGKdefnuxz
.Op Fl U Pa string
.Op Fl p Ar port
.Op Fl l Ar username
.Op Fl P Ar N|O
.Ar host [command]
.Sh DESCRIPTION
.Nm
authenticates to the
.Xr rshd 8
daemon on the remote
.Ar host ,
and then executes the specified
.Ar command .
.Pp
.Nm
copies its standard input to the remote command, and the standard
output and error of the remote command to its own.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -krb4
.Xc
The
.Fl 4
option requests Kerberos 4 authentication. Normally all supported
authentication mechanisms will be tried, but in some cases more
explicit control is desired.
.It Xo
.Fl 5 ,
.Fl -krb5
.Xc
The
.Fl 5
option requests Kerberos 5 authentication. This is analogous to the
.Fl 4
option.
.It Xo
.Fl K ,
.Fl -broken
.Xc
The
.Fl K
option turns off all Kerberos authentication. The security in this
mode relies on reserved ports. The long name is an indication of how
good this is.
.It Xo
.Fl n ,
.Fl -no-input
.Xc
The
.Fl n
option directs the input from the
.Pa /dev/null
device (see the
.Sx BUGS
section of this manual page).
.It Fl d
Enable
.Xr setsockopt 2
socket debugging.
.It Xo
.Fl e ,
.Fl -no-stderr
.Xc
Don't use a separate socket for the stderr stream. This can be
necessary if rsh-ing through a NAT bridge.
.It Xo
.Fl x ,
.Fl -encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Xo
.Fl z
.Xc
The opposite of
.Fl x .
This is the default, and is mainly useful if encryption has been
enabled by default, for instance in the
.Li appdefaults
section of
.Pa /etc/krb5.conf
when using Kerberos 5.
.It Xo
.Fl f ,
.Fl -forward
.Xc
Forward Kerberos 5 credentials to the remote host.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl F ,
.Fl -forwardable
.Xc
Make the forwarded credentials re-forwardable.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl l Ar string ,
.Fl -user= Ns Ar string
.Xc
By default the remote username is the same as the local. The
.Fl l
option or the
.Pa username@host
format allow the remote name to be specified.
.It Xo
.Fl n ,
.Fl -no-input
.Xc
Direct input from
.Pa /dev/null
(see the
.Sx BUGS
section).
.It Xo
.Fl p Ar number-or-service ,
.Fl -port= Ns Ar number-or-service
.Xc
Connect to this port instead of the default (which is 514 when using
old port based authentication, 544 for Kerberos 5 and non-encrypted
Kerberos 4, and 545 for encrypted Kerberos 4; subject of course to
the contents of
.Pa /etc/services ) .
.It Xo
.Fl P Ar N|O|1|2 ,
.Fl -protocol= Ns Ar N|O|1|2
.Xc
Specifies the protocol version to use with Kerberos 5.
.Ar N
and
.Ar 2
select protocol version 2, while
.Ar O
and
.Ar 1
select version 1. Version 2 is believed to be more secure, and is the
default. Unless asked for a specific version,
.Nm
will try both. This behaviour may change in the future.
.It Xo
.Fl u ,
.Fl -unique
.Xc
Make sure the remote credentials cache is unique, that is, don't reuse
any existing cache. Mutually exclusive to
.Fl U .
.It Xo
.Fl U Pa string ,
.Fl -tkfile= Ns Pa string
.Xc
Name of the remote credentials cache. Mutually exclusive to
.Fl u .
.It Xo
.Fl x ,
.Fl -encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Fl z
The opposite of
.Fl x .
This is the default, but encryption can be enabled when using
Kerberos 5, by setting the
.Li libdefaults/encrypt
option in
.Xr krb5.conf 5 .
.El
.\".Pp
.\"Without a
.\".Ar command
.\".Nm
.\"will just exec
.\".Xr rlogin 1
.\"with the same arguments.
.Sh EXAMPLES
Care should be taken when issuing commands containing shell meta
characters. Without quoting, these will be expanded on the local
machine.
.Pp
The following command:
.Pp
.Dl rsh otherhost cat remotefile \*[Gt] localfile
.Pp
will write the contents of the remote
.Pa remotefile
to the local
.Pa localfile ,
but:
.Pp
.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
.Pp
will write it to the remote
.Pa remotefile2 .
.\".Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr rlogin 1 ,
.Xr krb_realmofhost 3 ,
.Xr krb_sendauth 3 ,
.Xr hosts.equiv 5 ,
.Xr krb5.conf 5 ,
.Xr rhosts 5 ,
.Xr kerberos 8 ,
.Xr rshd 8
.\".Sh STANDARDS
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Sh AUTHORS
This implementation of
.Nm
was written as part of the Heimdal Kerberos 5 implementation.
.Sh BUGS
Some shells (notably
.Xr csh 1 )
will cause
.Nm
to block if run in the background, unless the standard input is directed away from the terminal. This is what the
.Fl n
option is for.
.Pp
The
.Fl x
option enables encryption for the session, but for both Kerberos 4
and 5 the actual command is sent unencrypted, so you should not send
any secret information in the command line (which is probably a bad
idea anyway, since the command line can usually be read with tools
like
.Xr ps 1 ) .
Furthermore in Kerberos 4 the command is not even integrity
protected, so anyone with the right tools can modify the command.

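The quoting behaviour from the EXAMPLES section, as an added example that is not part of the Heimdal manual page; it goes one step beyond the page by also covering a file name that contains shell metacharacters. fake_rsh is a hypothetical local stand-in, assumed to model how rsh joins its arguments and leaves parsing to the remote shell; remote_quote, the scratch directories and the file names are constructed.

```shell
#!/bin/sh
# Added example. fake_rsh is a hypothetical local stand-in for "rsh host ...":
# it joins its arguments with spaces and lets a second shell parse the result,
# with a scratch directory (constructed) playing the remote host.
REMOTE_DIR=$(mktemp -d)
LOCAL_DIR=$(mktemp -d)
trap 'rm -rf "$REMOTE_DIR" "$LOCAL_DIR"' EXIT
printf 'remote data\n' > "$REMOTE_DIR/remotefile"

fake_rsh() {
    (cd "$REMOTE_DIR" && sh -c "$*")
}

# Quote one word for the remote shell: wrap it in single quotes and
# rewrite every embedded ' as '\''.
remote_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Unquoted '>' is handled by the local shell, so the file is created locally.
demo_unquoted() {
    (cd "$LOCAL_DIR" && fake_rsh cat remotefile > localfile)
    [ -f "$LOCAL_DIR/localfile" ] && [ ! -e "$REMOTE_DIR/localfile" ] && echo local
}

# Quoted as one argument, the redirection is parsed on the remote side.
demo_quoted() {
    (cd "$LOCAL_DIR" && fake_rsh 'cat remotefile > remotefile2')
    [ -f "$REMOTE_DIR/remotefile2" ] && [ ! -e "$LOCAL_DIR/remotefile2" ] && echo remote
}

# Local double quotes do not survive the join: the remote shell splits the
# name at the space and treats ';' as a command separator.
NAME='q3 report; draft.txt'   # constructed file name
demo_name() {
    printf 'quarterly\n' > "$REMOTE_DIR/$NAME"
    naive=$(fake_rsh cat "$NAME" 2>/dev/null) || true
    safe=$(fake_rsh cat "$(remote_quote "$NAME")")
    echo "naive=[$naive] safe=[$safe]"
}

demo_unquoted
demo_quoted
demo_name
```

Any value that reaches the rsh command line from a variable should pass through a helper like remote_quote first, because the remote shell parses the joined string a second time.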