| blob | 5825adf982a16d1cfa1c29c2dd78d134fe23cb8d |
1 .\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
2 .\" (Royal Institute of Technology, Stockholm, Sweden).
3 .\" All rights reserved.
4 .\"
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
7 .\" are met:
8 .\"
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\"
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\"
16 .\" 3. Neither the name of the Institute nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
19 .\"
20 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .\" SUCH DAMAGE.
31 .\"
32 .\" $Id$
33 .\"
34 .Dd February 20, 2004
35 .Dt RSH 1
36 .Os HEIMDAL
37 .Sh NAME
38 .Nm rsh
39 .Nd remote shell
40 .Sh SYNOPSIS
41 .Nm
42 .Op Fl 45FGKdefnuxz
43 .Op Fl U Pa string
44 .Op Fl p Ar port
45 .Op Fl l Ar username
46 .Op Fl P Ar N|O
47 .Ar host [command]
48 .Sh DESCRIPTION
49 .Nm
50 authenticates to the
51 .Xr rshd 8
52 daemon on the remote
53 .Ar host ,
54 and then executes the specified
55 .Ar command .
56 .Pp
57 .Nm
58 copies its standard input to the remote command, and the standard
59 output and error of the remote command to its own.
60 .Pp
61 Valid options are:
62 .Bl -tag -width Ds
63 .It Xo
64 .Fl 4 ,
65 .Fl Fl krb4
66 .Xc
67 The
68 .Fl 4
69 option requests Kerberos 4 authentication. Normally all supported
70 authentication mechanisms will be tried, but in some cases more
71 explicit control is desired.
72 .It Xo
73 .Fl 5 ,
74 .Fl Fl krb5
75 .Xc
76 The
77 .Fl 5
78 option requests Kerberos 5 authentication. This is analogous to the
79 .Fl 4
80 option.
81 .It Xo
82 .Fl K ,
83 .Fl Fl broken
84 .Xc
85 The
86 .Fl K
87 option turns off all Kerberos authentication. The security in this
88 mode relies on reserved ports. The long name is an indication of how
89 good this is.
90 .It Xo
91 .Fl n ,
92 .Fl Fl no-input
93 .Xc
94 The
95 .Fl n
96 option directs the input from the
97 .Pa /dev/null
98 device (see the
99 .Sx BUGS
100 section of this manual page).
101 .It Fl d
102 Enable
103 .Xr setsockopt 2
104 socket debugging.
105 .It Xo
106 .Fl e ,
107 .Fl Fl no-stderr
108 .Xc
109 Don't use a separate socket for the stderr stream. This can be
110 necessary if rsh-ing through a NAT bridge.
111 .It Xo
112 .Fl x ,
113 .Fl Fl encrypt
114 .Xc
115 The
116 .Fl x
117 option enables encryption for all data exchange. This is only valid
118 for Kerberos authenticated connections (see the
119 .Sx BUGS
120 section for limitations).
121 .It Xo
122 .Fl z
123 .Xc
124 The opposite of
125 .Fl x .
126 This is the default, and is mainly useful if encryption has been
127 enabled by default, for instance in the
128 .Li appdefaults
129 section of
130 .Pa /etc/krb5.conf
131 when using Kerberos 5.
132 .It Xo
133 .Fl f ,
134 .Fl Fl forward
135 .Xc
136 Forward Kerberos 5 credentials to the remote host.
137 Also settable via
138 .Li appdefaults
139 (see
140 .Xr krb5.conf ) .
141 .It Xo
142 .Fl F ,
143 .Fl Fl forwardable
144 .Xc
145 Make the forwarded credentials re-forwardable.
146 Also settable via
147 .Li appdefaults
148 (see
149 .Xr krb5.conf ) .
150 .It Xo
151 .Fl l Ar string ,
152 .Fl Fl user= Ns Ar string
153 .Xc
154 By default the remote username is the same as the local. The
155 .Fl l
156 option or the
157 .Pa username@host
158 format allow the remote name to be specified.
159 .It Xo
160 .Fl n ,
161 .Fl Fl no-input
162 .Xc
163 Direct input from
164 .Pa /dev/null
165 (see the
166 .Sx BUGS
167 section).
168 .It Xo
169 .Fl p Ar number-or-service ,
170 .Fl Fl port= Ns Ar number-or-service
171 .Xc
172 Connect to this port instead of the default (which is 514 when using
173 old port based authentication, 544 for Kerberos 5 and non-encrypted
174 Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
175 the contents of
176 .Pa /etc/services ) .
177 .It Xo
178 .Fl P Ar N|O|1|2 ,
179 .Fl Fl protocol= Ns Ar N|O|1|2
180 .Xc
181 Specifies the protocol version to use with Kerberos 5.
182 .Ar N
183 and
184 .Ar 2
185 select protocol version 2, while
186 .Ar O
187 and
188 .Ar 1
189 select version 1. Version 2 is believed to be more secure, and is the
190 default. Unless asked for a specific version,
191 .Nm
192 will try both. This behaviour may change in the future.
193 .It Xo
194 .Fl u ,
195 .Fl Fl unique
196 .Xc
197 Make sure the remote credentials cache is unique, that is, don't reuse
198 any existing cache. Mutually exclusive to
199 .Fl U .
200 .It Xo
201 .Fl U Pa string ,
202 .Fl Fl tkfile= Ns Pa string
203 .Xc
204 Name of the remote credentials cache. Mutually exclusive to
205 .Fl u .
206 .It Xo
207 .Fl x ,
208 .Fl Fl encrypt
209 .Xc
210 The
211 .Fl x
212 option enables encryption for all data exchange. This is only valid
213 for Kerberos authenticated connections (see the
214 .Sx BUGS
215 section for limitations).
216 .It Fl z
217 The opposite of
218 .Fl x .
219 This is the default, but encryption can be enabled when using
220 Kerberos 5, by setting the
221 .Li libdefaults/encrypt
222 option in
223 .Xr krb5.conf 5 .
224 .El
225 .\".Pp
226 .\"Without a
227 .\".Ar command
228 .\".Nm
229 .\"will just exec
230 .\".Xr rlogin 1
231 .\"with the same arguments.
232 .Sh EXAMPLES
233 Care should be taken when issuing commands containing shell meta
234 characters. Without quoting, these will be expanded on the local
235 machine.
236 .Pp
237 The following command:
238 .Pp
239 .Dl rsh otherhost cat remotefile \*[Gt] localfile
240 .Pp
241 will write the contents of the remote
242 .Pa remotefile
243 to the local
244 .Pa localfile ,
245 but:
246 .Pp
247 .Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
248 .Pp
249 will write it to the remote
250 .Pa remotefile2 .
251 .\".Sh ENVIRONMENT
252 .Sh FILES
253 .Bl -tag -width /etc/hosts -compact
254 .It Pa /etc/hosts
255 .El
256 .\".Sh DIAGNOSTICS
257 .Sh SEE ALSO
258 .Xr rlogin 1 ,
259 .Xr krb_realmofhost 3 ,
260 .Xr krb_sendauth 3 ,
261 .Xr hosts.equiv 5 ,
262 .Xr krb5.conf 5 ,
263 .Xr rhosts 5 ,
264 .Xr kerberos 8
265 .Xr rshd 8
266 .\".Sh STANDARDS
267 .Sh HISTORY
268 The
269 .Nm
270 command appeared in
271 .Bx 4.2 .
272 .Sh AUTHORS
273 This implementation of
274 .Nm
275 was written as part of the Heimdal Kerberos 5 implementation.
276 .Sh BUGS
277 Some shells (notably
278 .Xr csh 1 )
279 will cause
280 .Nm
281 to block if run in the background, unless the standard input is directed away from the terminal. This is what the
282 .Fl n
283 option is for.
284 .Pp
285 The
286 .Fl x
287 options enables encryption for the session, but for both Kerberos 4
288 and 5 the actual command is sent unencrypted, so you should not send
289 any secret information in the command line (which is probably a bad
290 idea anyway, since the command line can usually be read with tools
291 like
292 .Xr ps 1 ) .
293 Forthermore in Kerberos 4 the command is not even integrity
294 protected, so anyone with the right tools can modify the command.