| blob | b5e96637e9d58d4e4a58e830a81e0c52e8de4eb3 |
1 .\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
2 .\" (Royal Institute of Technology, Stockholm, Sweden).
3 .\" All rights reserved.
4 .\"
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
7 .\" are met:
8 .\"
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\"
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\"
16 .\" 3. Neither the name of the Institute nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
19 .\"
20 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 .\" SUCH DAMAGE.
31 .\"
32 .\" $Id$
33 .\"
34 .Dd February 20, 2004
35 .Dt RSH 1
36 .Os HEIMDAL
37 .Sh NAME
38 .Nm rsh
39 .Nd
40 remote shell
41 .Sh SYNOPSIS
42 .Nm
43 .Op Fl 45FGKdefnuxz
44 .Op Fl U Pa string
45 .Op Fl p Ar port
46 .Op Fl l Ar username
47 .Op Fl P Ar N|O
48 .Ar host [command]
49 .Sh DESCRIPTION
50 .Nm
51 authenticates to the
52 .Xr rshd 8
53 daemon on the remote
54 .Ar host ,
55 and then executes the specified
56 .Ar command .
57 .Pp
58 .Nm
59 copies its standard input to the remote command, and the standard
60 output and error of the remote command to its own.
61 .Pp
62 Valid options are:
63 .Bl -tag -width Ds
64 .It Xo
65 .Fl 4 ,
66 .Fl -krb4
67 .Xc
68 The
69 .Fl 4
70 option requests Kerberos 4 authentication. Normally all supported
71 authentication mechanisms will be tried, but in some cases more
72 explicit control is desired.
73 .It Xo
74 .Fl 5 ,
75 .Fl -krb5
76 .Xc
77 The
78 .Fl 5
79 option requests Kerberos 5 authentication. This is analogous to the
80 .Fl 4
81 option.
82 .It Xo
83 .Fl K ,
84 .Fl -broken
85 .Xc
86 The
87 .Fl K
88 option turns off all Kerberos authentication. The security in this
89 mode relies on reserved ports. The long name is an indication of how
90 good this is.
91 .It Xo
92 .Fl n ,
93 .Fl -no-input
94 .Xc
95 The
96 .Fl n
97 option directs the input from the
98 .Pa /dev/null
99 device (see the
100 .Sx BUGS
101 section of this manual page).
102 .It Fl d
103 Enable
104 .Xr setsockopt 2
105 socket debugging.
106 .It Xo
107 .Fl e ,
108 .Fl -no-stderr
109 .Xc
110 Don't use a separate socket for the stderr stream. This can be
111 necessary if rsh-ing through a NAT bridge.
112 .It Xo
113 .Fl x ,
114 .Fl -encrypt
115 .Xc
116 The
117 .Fl x
118 option enables encryption for all data exchange. This is only valid
119 for Kerberos authenticated connections (see the
120 .Sx BUGS
121 section for limitations).
122 .It Xo
123 .Fl z
124 .Xc
125 The opposite of
126 .Fl x .
127 This is the default, and is mainly useful if encryption has been
128 enabled by default, for instance in the
129 .Li appdefaults
130 section of
131 .Pa /etc/krb5.conf
132 when using Kerberos 5.
133 .It Xo
134 .Fl f ,
135 .Fl -forward
136 .Xc
137 Forward Kerberos 5 credentials to the remote host.
138 Also settable via
139 .Li appdefaults
140 (see
141 .Xr krb5.conf ) .
142 .It Xo
143 .Fl F ,
144 .Fl -forwardable
145 .Xc
146 Make the forwarded credentials re-forwardable.
147 Also settable via
148 .Li appdefaults
149 (see
150 .Xr krb5.conf ) .
151 .It Xo
152 .Fl l Ar string ,
153 .Fl -user= Ns Ar string
154 .Xc
155 By default the remote username is the same as the local. The
156 .Fl l
157 option or the
158 .Pa username@host
159 format allow the remote name to be specified.
160 .It Xo
161 .Fl n ,
162 .Fl -no-input
163 .Xc
164 Direct input from
165 .Pa /dev/null
166 (see the
167 .Sx BUGS
168 section).
169 .It Xo
170 .Fl p Ar number-or-service ,
171 .Fl -port= Ns Ar number-or-service
172 .Xc
173 Connect to this port instead of the default (which is 514 when using
174 old port based authentication, 544 for Kerberos 5 and non-encrypted
175 Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
176 the contents of
177 .Pa /etc/services ) .
178 .It Xo
179 .Fl P Ar N|O|1|2 ,
180 .Fl -protocol= Ns Ar N|O|1|2
181 .Xc
182 Specifies the protocol version to use with Kerberos 5.
183 .Ar N
184 and
185 .Ar 2
186 select protocol version 2, while
187 .Ar O
188 and
189 .Ar 1
190 select version 1. Version 2 is believed to be more secure, and is the
191 default. Unless asked for a specific version,
192 .Nm
193 will try both. This behaviour may change in the future.
194 .It Xo
195 .Fl u ,
196 .Fl -unique
197 .Xc
198 Make sure the remote credentials cache is unique, that is, don't reuse
199 any existing cache. Mutually exclusive to
200 .Fl U .
201 .It Xo
202 .Fl U Pa string ,
203 .Fl -tkfile= Ns Pa string
204 .Xc
205 Name of the remote credentials cache. Mutually exclusive to
206 .Fl u .
207 .It Xo
208 .Fl x ,
209 .Fl -encrypt
210 .Xc
211 The
212 .Fl x
213 option enables encryption for all data exchange. This is only valid
214 for Kerberos authenticated connections (see the
215 .Sx BUGS
216 section for limitations).
217 .It Fl z
218 The opposite of
219 .Fl x .
220 This is the default, but encryption can be enabled when using
221 Kerberos 5, by setting the
222 .Li libdefaults/encrypt
223 option in
224 .Xr krb5.conf 5 .
225 .El
226 .\".Pp
227 .\"Without a
228 .\".Ar command
229 .\".Nm
230 .\"will just exec
231 .\".Xr rlogin 1
232 .\"with the same arguments.
233 .Sh EXAMPLES
234 Care should be taken when issuing commands containing shell meta
235 characters. Without quoting, these will be expanded on the local
236 machine.
237 .Pp
238 The following command:
239 .Pp
240 .Dl rsh otherhost cat remotefile \*[Gt] localfile
241 .Pp
242 will write the contents of the remote
243 .Pa remotefile
244 to the local
245 .Pa localfile ,
246 but:
247 .Pp
248 .Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
249 .Pp
250 will write it to the remote
251 .Pa remotefile2 .
252 .\".Sh ENVIRONMENT
253 .Sh FILES
254 .Bl -tag -width /etc/hosts -compact
255 .It Pa /etc/hosts
256 .El
257 .\".Sh DIAGNOSTICS
258 .Sh SEE ALSO
259 .Xr rlogin 1 ,
260 .Xr krb_realmofhost 3 ,
261 .Xr krb_sendauth 3 ,
262 .Xr hosts.equiv 5 ,
263 .Xr krb5.conf 5 ,
264 .Xr rhosts 5 ,
265 .Xr kerberos 8
266 .Xr rshd 8
267 .\".Sh STANDARDS
268 .Sh HISTORY
269 The
270 .Nm
271 command appeared in
272 .Bx 4.2 .
273 .Sh AUTHORS
274 This implementation of
275 .Nm
276 was written as part of the Heimdal Kerberos 5 implementation.
277 .Sh BUGS
278 Some shells (notably
279 .Xr csh 1 )
280 will cause
281 .Nm
282 to block if run in the background, unless the standard input is directed away from the terminal. This is what the
283 .Fl n
284 option is for.
285 .Pp
286 The
287 .Fl x
288 options enables encryption for the session, but for both Kerberos 4
289 and 5 the actual command is sent unencrypted, so you should not send
290 any secret information in the command line (which is probably a bad
291 idea anyway, since the command line can usually be read with tools
292 like
293 .Xr ps 1 ) .
294 Forthermore in Kerberos 4 the command is not even integrity
295 protected, so anyone with the right tools can modify the command.