236 lines
4.7 KiB
Groff
236 lines
4.7 KiB
Groff
.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $
|
|
.\"
|
|
.Dd September 4, 2002
|
|
.Dt RSH 1
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm rsh
|
|
.Nd
|
|
remote shell
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl 45FGKdefnuxz
|
|
.Op Fl U Pa string
|
|
.Op Fl p Ar port
|
|
.Op Fl l Ar username
|
|
.Op Fl P Ar N|O
|
|
.Ar host [command]
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
authenticates to the
|
|
.Xr rshd 8
|
|
daemon on the remote
|
|
.Ar host ,
|
|
and then executes the specified
|
|
.Ar command .
|
|
.Pp
|
|
.Nm
|
|
copies its standard input to the remote command, and the standard
|
|
output and error of the remote command to its own.
|
|
.Pp
|
|
Valid options are:
|
|
.Bl -tag -width Ds
|
|
.It Xo
|
|
.Fl 4 ,
|
|
.Fl -krb4
|
|
.Xc
|
|
The
|
|
.Fl 4
|
|
option requests Kerberos 4 authentication. Normally all supported
|
|
authentication mechanisms will be tried, but in some cases more
|
|
explicit control is desired.
|
|
.It Xo
|
|
.Fl 5 ,
|
|
.Fl -krb5
|
|
.Xc
|
|
The
|
|
.Fl 5
|
|
option requests Kerberos 5 authentication. This is analogous to the
|
|
.Fl 4
|
|
option.
|
|
.It Xo
|
|
.Fl K ,
|
|
.Fl -broken
|
|
.Xc
|
|
The
|
|
.Fl K
|
|
option turns off all Kerberos authentication. The long name implies
|
|
that this is more or less totally unsecure. The security in this mode
|
|
relies on reserved ports, which is not very secure.
|
|
.It Xo
|
|
.Fl n ,
|
|
.Fl -no-input
|
|
.Xc
|
|
The
|
|
.Fl n
|
|
option directs the input from the
|
|
.Pa /dev/null
|
|
device (see the
|
|
.Sx BUGS
|
|
section of this manual page).
|
|
.It Xo
|
|
.Fl e ,
|
|
.Fl -no-stderr
|
|
.Xc
|
|
Don't use a separate socket for the stderr stream. This can be
|
|
necessary if rsh-ing through a NAT bridge.
|
|
.It Xo
|
|
.Fl x ,
|
|
.Fl -encrypt
|
|
.Xc
|
|
The
|
|
.Fl x
|
|
option enables encryption for all data exchange. This is only valid
|
|
for Kerberos authenticated connections (see the
|
|
.Sx BUGS
|
|
section for limitations).
|
|
.It Xo
|
|
.Fl z
|
|
.Xc
|
|
The opposite of
|
|
.Fl x .
|
|
This is the default, but encryption can be enabled when using
|
|
Kerberos 5, by setting the
|
|
.Li libdefaults/encrypt
|
|
option in
|
|
.Xr krb5.conf 5 .
|
|
.It Xo
|
|
.Fl f ,
|
|
.Fl -forward
|
|
.Xc
|
|
Forward Kerberos 5 credentials to the remote host. Also controlled by
|
|
.Li libdefaults/forward
|
|
in
|
|
.Xr krb5.conf 5 .
|
|
.It Xo
|
|
.Fl G
|
|
.Xc
|
|
The opposite of
|
|
.Fl f .
|
|
.It Xo
|
|
.Fl F ,
|
|
.Fl -forwardable
|
|
.Xc
|
|
Make the forwarded credentials re-forwardable. Also controlled by
|
|
.Li libdefaults/forwardable
|
|
in
|
|
.Xr krb5.conf 5 .
|
|
.It Xo
|
|
.Fl u ,
|
|
.Fl -unique
|
|
.Xc
|
|
Make sure the remote credentials cache is unique, that is, don't reuse
|
|
any existing cache. Mutually exclusive to
|
|
.Fl U .
|
|
.It Xo
|
|
.Fl U Pa string ,
|
|
.Fl -tkfile= Ns Pa string
|
|
.Xc
|
|
Name of the remote credentials cache. Mutually exclusive to
|
|
.Fl u .
|
|
.It Xo
|
|
.Fl p Ar number-or-service ,
|
|
.Fl -port= Ns Ar number-or-service
|
|
.Xc
|
|
Connect to this port instead of the default (which is 514 when using
|
|
old port based authentication, 544 for Kerberos 5 and non-encrypted
|
|
Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
|
|
the contents of
|
|
.Pa /etc/services ) .
|
|
.It Xo
|
|
.Fl l Ar string ,
|
|
.Fl -user= Ns Ar string
|
|
.Xc
|
|
By default the remote username is the same as the local. The
|
|
.Fl l
|
|
option or the
|
|
.Pa username@host
|
|
format allow the remote name to be specified.
|
|
.It Xo
|
|
.Fl P Ar N|O|1|2 ,
|
|
.Fl -protocol= Ns Ar N|O|1|2
|
|
.Xc
|
|
Specifies which protocol version to use with Kerberos 5.
|
|
.Ar N
|
|
and
|
|
.Ar 2
|
|
selects protocol version 2, while
|
|
.Ar O
|
|
and
|
|
.Ar 1
|
|
selects version 1. Version 2 is beleived to be more secure, and is the
|
|
default. Unless asked for a specific version,
|
|
.Nm
|
|
will try both. This behaviour may change in the future.
|
|
.El
|
|
.\".Pp
|
|
.\"Without a
|
|
.\".Ar command
|
|
.\".Nm
|
|
.\"will just exec
|
|
.\".Xr rlogin 1
|
|
.\"with the same arguments.
|
|
.Sh EXAMPLES
|
|
Care should be taken when issuing commands containing shell meta
|
|
characters. Without quoting, these will be expanded on the local
|
|
machine.
|
|
.Pp
|
|
The following command:
|
|
.Pp
|
|
.Dl rsh otherhost cat remotefile > localfile
|
|
.Pp
|
|
will write the contents of the remote
|
|
.Pa remotefile
|
|
to the local
|
|
.Pa localfile ,
|
|
but:
|
|
.Pp
|
|
.Dl rsh otherhost 'cat remotefile > remotefile2'
|
|
.Pp
|
|
will write it to the remote
|
|
.Pa remotefile2 .
|
|
.\".Sh ENVIRONMENT
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/hosts -compact
|
|
.It Pa /etc/hosts
|
|
.El
|
|
.\".Sh DIAGNOSTICS
|
|
.Sh SEE ALSO
|
|
.Xr rlogin 1 ,
|
|
.Xr krb_realmofhost 3 ,
|
|
.Xr krb_sendauth 3 ,
|
|
.Xr hosts.equiv 5 ,
|
|
.Xr krb5.conf 5 ,
|
|
.Xr rhosts 5 ,
|
|
.Xr kerberos 8
|
|
.Xr rshd 8
|
|
.\".Sh STANDARDS
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.2 .
|
|
.Sh AUTHORS
|
|
This implementation of
|
|
.Nm
|
|
was written as part of the Heimdal Kerberos 5 implementation.
|
|
.Sh BUGS
|
|
Some shells (notably
|
|
.Xr csh 1 )
|
|
will cause
|
|
.Nm
|
|
to block if run in the background, unless the standard input is directed away from the terminal. This is what the
|
|
.Fl n
|
|
option is for.
|
|
.Pp
|
|
The
|
|
.Fl x
|
|
options enables encryption for the session, but for both Kerberos 4
|
|
and 5 the actual command is sent unencrypted, so you should not send
|
|
any secret information in the command line (which is probably a bad
|
|
idea anyway, since the command line can usually be read with tools
|
|
like
|
|
.Xr ps 1 ) .
|
|
Forthermore in Kerberos 4 the command is not even integrity
|
|
protected, so anyone with the right tools can modify the command.
|