/crypto/heimdal/appl/rsh/rsh.1

https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 294 lines · 294 code · 0 blank · 0 comment · 0 complexity · a9b6b10eb8b2dd6686040acdcd5d1124 MD5 · raw file 

    

  1. .\" Copyright (c) 2002 - 2003 Kungliga Tekniska Hรถgskolan
    2. 

  2. .\" (Royal Institute of Technology, Stockholm, Sweden).
    3. 

  3. .\" All rights reserved.
    4. 

  4. .\"
    5. 

  5. .\" Redistribution and use in source and binary forms, with or without
    6. 

  6. .\" modification, are permitted provided that the following conditions
    7. 

  7. .\" are met:
    8. 

  8. .\"
    9. 

  9. .\" 1. Redistributions of source code must retain the above copyright
    10. 

  10. .\"    notice, this list of conditions and the following disclaimer.
    11. 

  11. .\"
    12. 

  12. .\" 2. Redistributions in binary form must reproduce the above copyright
    13. 

  13. .\"    notice, this list of conditions and the following disclaimer in the
    14. 

  14. .\"    documentation and/or other materials provided with the distribution.
    15. 

  15. .\"
    16. 

  16. .\" 3. Neither the name of the Institute nor the names of its contributors
    17. 

  17. .\"    may be used to endorse or promote products derived from this software
    18. 

  18. .\"    without specific prior written permission.
    19. 

  19. .\"
    20. 

  20. .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
    21. 

  21. .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    22. 

  22. .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    23. 

  23. .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
    24. 

  24. .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    25. 

  25. .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    26. 

  26. .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    27. 

  27. .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    28. 

  28. .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    29. 

  29. .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    30. 

  30. .\" SUCH DAMAGE.
    31. 

  31. .\"
    32. 

  32. .\"	$Id$
    33. 

  33. .\"
    34. 

  34. .Dd February 20, 2004
    35. 

  35. .Dt RSH 1
    36. 

  36. .Os HEIMDAL
    37. 

  37. .Sh NAME
    38. 

  38. .Nm rsh
    39. 

  39. .Nd remote shell
    40. 

  40. .Sh SYNOPSIS
    41. 

  41. .Nm
    42. 

  42. .Op Fl 45FGKdefnuxz
    43. 

  43. .Op Fl U Pa string
    44. 

  44. .Op Fl p Ar port
    45. 

  45. .Op Fl l Ar username
    46. 

  46. .Op Fl P Ar N|O
    47. 

  47. .Ar host [command]
    48. 

  48. .Sh DESCRIPTION
    49. 

  49. .Nm
    50. 

  50. authenticates to the
    51. 

  51. .Xr rshd 8
    52. 

  52. daemon on the remote
    53. 

  53. .Ar host ,
    54. 

  54. and then executes the specified
    55. 

  55. .Ar command .
    56. 

  56. .Pp
    57. 

  57. .Nm
    58. 

  58. copies its standard input to the remote command, and the standard
    59. 

  59. output and error of the remote command to its own.
    60. 

  60. .Pp
    61. 

  61. Valid options are:
    62. 

  62. .Bl -tag -width Ds
    63. 

  63. .It Xo
    64. 

  64. .Fl 4 ,
    65. 

  65. .Fl Fl krb4
    66. 

  66. .Xc
    67. 

  67. The
    68. 

  68. .Fl 4
    69. 

  69. option requests Kerberos 4 authentication. Normally all supported
    70. 

  70. authentication mechanisms will be tried, but in some cases more
    71. 

  71. explicit control is desired.
    72. 

  72. .It Xo
    73. 

  73. .Fl 5 ,
    74. 

  74. .Fl Fl krb5
    75. 

  75. .Xc
    76. 

  76. The
    77. 

  77. .Fl 5
    78. 

  78. option requests Kerberos 5 authentication. This is analogous to the
    79. 

  79. .Fl 4
    80. 

  80. option.
    81. 

  81. .It Xo
    82. 

  82. .Fl K ,
    83. 

  83. .Fl Fl broken
    84. 

  84. .Xc
    85. 

  85. The
    86. 

  86. .Fl K
    87. 

  87. option turns off all Kerberos authentication. The security in this
    88. 

  88. mode relies on reserved ports. The long name is an indication of how
    89. 

  89. good this is.
    90. 

  90. .It Xo
    91. 

  91. .Fl n ,
    92. 

  92. .Fl Fl no-input
    93. 

  93. .Xc
    94. 

  94. The
    95. 

  95. .Fl n
    96. 

  96. option directs the input from the
    97. 

  97. .Pa /dev/null
    98. 

  98. device (see the
    99. 

  99. .Sx BUGS
    100. 

  100. section of this manual page).
    101. 

  101. .It Fl d
    102. 

  102. Enable
    103. 

  103. .Xr setsockopt 2
    104. 

  104. socket debugging.
    105. 

  105. .It Xo
    106. 

  106. .Fl e ,
    107. 

  107. .Fl Fl no-stderr
    108. 

  108. .Xc
    109. 

  109. Don't use a separate socket for the stderr stream. This can be
    110. 

  110. necessary if rsh-ing through a NAT bridge.
    111. 

  111. .It Xo
    112. 

  112. .Fl x ,
    113. 

  113. .Fl Fl encrypt
    114. 

  114. .Xc
    115. 

  115. The
    116. 

  116. .Fl x
    117. 

  117. option enables encryption for all data exchange. This is only valid
    118. 

  118. for Kerberos authenticated connections (see the
    119. 

  119. .Sx BUGS
    120. 

  120. section for limitations).
    121. 

  121. .It Xo
    122. 

  122. .Fl z
    123. 

  123. .Xc
    124. 

  124. The opposite of
    125. 

  125. .Fl x .
    126. 

  126. This is the default, and is mainly useful if encryption has been
    127. 

  127. enabled by default, for instance in the
    128. 

  128. .Li appdefaults
    129. 

  129. section of
    130. 

  130. .Pa /etc/krb5.conf
    131. 

  131. when using Kerberos 5.
    132. 

  132. .It Xo
    133. 

  133. .Fl f ,
    134. 

  134. .Fl Fl forward
    135. 

  135. .Xc
    136. 

  136. Forward Kerberos 5 credentials to the remote host.
    137. 

  137. Also settable via
    138. 

  138. .Li appdefaults
    139. 

  139. (see
    140. 

  140. .Xr krb5.conf ) .
    141. 

  141. .It Xo
    142. 

  142. .Fl F ,
    143. 

  143. .Fl Fl forwardable
    144. 

  144. .Xc
    145. 

  145. Make the forwarded credentials re-forwardable.
    146. 

  146. Also settable via
    147. 

  147. .Li appdefaults
    148. 

  148. (see
    149. 

  149. .Xr krb5.conf ) .
    150. 

  150. .It Xo
    151. 

  151. .Fl l Ar string ,
    152. 

  152. .Fl Fl user= Ns Ar string
    153. 

  153. .Xc
    154. 

  154. By default the remote username is the same as the local. The
    155. 

  155. .Fl l
    156. 

  156. option or the
    157. 

  157. .Pa username@host
    158. 

  158. format allow the remote name to be specified.
    159. 

  159. .It Xo
    160. 

  160. .Fl n ,
    161. 

  161. .Fl Fl no-input
    162. 

  162. .Xc
    163. 

  163. Direct input from
    164. 

  164. .Pa /dev/null
    165. 

  165. (see the
    166. 

  166. .Sx BUGS
    167. 

  167. section).
    168. 

  168. .It Xo
    169. 

  169. .Fl p Ar number-or-service ,
    170. 

  170. .Fl Fl port= Ns Ar number-or-service
    171. 

  171. .Xc
    172. 

  172. Connect to this port instead of the default (which is 514 when using
    173. 

  173. old port based authentication, 544 for Kerberos 5 and non-encrypted
    174. 

  174. Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
    175. 

  175. the contents of
    176. 

  176. .Pa /etc/services ) .
    177. 

  177. .It Xo
    178. 

  178. .Fl P Ar N|O|1|2 ,
    179. 

  179. .Fl Fl protocol= Ns Ar N|O|1|2
    180. 

  180. .Xc
    181. 

  181. Specifies the protocol version to use with Kerberos 5.
    182. 

  182. .Ar N
    183. 

  183. and
    184. 

  184. .Ar 2
    185. 

  185. select protocol version 2, while
    186. 

  186. .Ar O
    187. 

  187. and
    188. 

  188. .Ar 1
    189. 

  189. select version 1. Version 2 is believed to be more secure, and is the
    190. 

  190. default. Unless asked for a specific version,
    191. 

  191. .Nm
    192. 

  192. will try both.  This behaviour may change in the future.
    193. 

  193. .It Xo
    194. 

  194. .Fl u ,
    195. 

  195. .Fl Fl unique
    196. 

  196. .Xc
    197. 

  197. Make sure the remote credentials cache is unique, that is, don't reuse
    198. 

  198. any existing cache. Mutually exclusive to
    199. 

  199. .Fl U .
    200. 

  200. .It Xo
    201. 

  201. .Fl U Pa string ,
    202. 

  202. .Fl Fl tkfile= Ns Pa string
    203. 

  203. .Xc
    204. 

  204. Name of the remote credentials cache. Mutually exclusive to
    205. 

  205. .Fl u .
    206. 

  206. .It Xo
    207. 

  207. .Fl x ,
    208. 

  208. .Fl Fl encrypt
    209. 

  209. .Xc
    210. 

  210. The
    211. 

  211. .Fl x
    212. 

  212. option enables encryption for all data exchange. This is only valid
    213. 

  213. for Kerberos authenticated connections (see the
    214. 

  214. .Sx BUGS
    215. 

  215. section for limitations).
    216. 

  216. .It Fl z
    217. 

  217. The opposite of
    218. 

  218. .Fl x .
    219. 

  219. This is the default, but encryption can be enabled when using
    220. 

  220. Kerberos 5, by setting the
    221. 

  221. .Li libdefaults/encrypt
    222. 

  222. option in
    223. 

  223. .Xr krb5.conf 5 .
    224. 

  224. .El
    225. 

  225. .\".Pp
    226. 

  226. .\"Without a
    227. 

  227. .\".Ar command
    228. 

  228. .\".Nm
    229. 

  229. .\"will just exec
    230. 

  230. .\".Xr rlogin 1
    231. 

  231. .\"with the same arguments.
    232. 

  232. .Sh EXAMPLES
    233. 

  233. Care should be taken when issuing commands containing shell meta
    234. 

  234. characters. Without quoting, these will be expanded on the local
    235. 

  235. machine.
    236. 

  236. .Pp
    237. 

  237. The following command:
    238. 

  238. .Pp
    239. 

  239. .Dl rsh otherhost cat remotefile \*[Gt] localfile
    240. 

  240. .Pp
    241. 

  241. will write the contents of the remote
    242. 

  242. .Pa remotefile
    243. 

  243. to the local
    244. 

  244. .Pa localfile ,
    245. 

  245. but:
    246. 

  246. .Pp
    247. 

  247. .Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
    248. 

  248. .Pp
    249. 

  249. will write it to the remote
    250. 

  250. .Pa remotefile2 .
    251. 

  251. .\".Sh ENVIRONMENT
    252. 

  252. .Sh FILES
    253. 

  253. .Bl -tag -width /etc/hosts -compact
    254. 

  254. .It Pa /etc/hosts
    255. 

  255. .El
    256. 

  256. .\".Sh DIAGNOSTICS
    257. 

  257. .Sh SEE ALSO
    258. 

  258. .Xr rlogin 1 ,
    259. 

  259. .Xr krb_realmofhost 3 ,
    260. 

  260. .Xr krb_sendauth 3 ,
    261. 

  261. .Xr hosts.equiv 5 ,
    262. 

  262. .Xr krb5.conf 5 ,
    263. 

  263. .Xr rhosts 5 ,
    264. 

  264. .Xr kerberos 8
    265. 

  265. .Xr rshd 8
    266. 

  266. .\".Sh STANDARDS
    267. 

  267. .Sh HISTORY
    268. 

  268. The
    269. 

  269. .Nm
    270. 

  270. command appeared in
    271. 

  271. .Bx 4.2 .
    272. 

  272. .Sh AUTHORS
    273. 

  273. This implementation of
    274. 

  274. .Nm
    275. 

  275. was written as part of the Heimdal Kerberos 5 implementation.
    276. 

  276. .Sh BUGS
    277. 

  277. Some shells (notably
    278. 

  278. .Xr csh 1 )
    279. 

  279. will cause
    280. 

  280. .Nm
    281. 

  281. to block if run in the background, unless the standard input is directed away from the terminal. This is what the
    282. 

  282. .Fl n
    283. 

  283. option is for.
    284. 

  284. .Pp
    285. 

  285. The
    286. 

  286. .Fl x
    287. 

  287. options enables encryption for the session, but for both Kerberos 4
    288. 

  288. and 5 the actual command is sent unencrypted, so you should not send
    289. 

  289. any secret information in the command line (which is probably a bad
    290. 

  290. idea anyway, since the command line can usually be read with tools
    291. 

  291. like
    292. 

  292. .Xr ps 1 ) .
    293. 

  293. Forthermore in Kerberos 4 the command is not even integrity
    294. 

  294. protected, so anyone with the right tools can modify the command.
    295.