/crypto/heimdal/appl/rsh/rsh.1

https://bitbucket.org/freebsd/freebsd-head/

.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd February 20, 2004
.Dt RSH 1
.Os HEIMDAL
.Sh NAME
.Nm rsh
.Nd remote shell
.Sh SYNOPSIS
.Nm
.Op Fl 45FGKdefnuxz
.Op Fl U Pa string
.Op Fl p Ar port
.Op Fl l Ar username
.Op Fl P Ar N|O
.Ar host [command]
.Sh DESCRIPTION
.Nm
authenticates to the
.Xr rshd 8
daemon on the remote
.Ar host ,
and then executes the specified
.Ar command .
.Pp
.Nm
copies its standard input to the remote command, and the standard
output and error of the remote command to its own.
.Pp
Valid options are:
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl Fl krb4
.Xc
The
.Fl 4
option requests Kerberos 4 authentication. Normally all supported
authentication mechanisms will be tried, but in some cases more
explicit control is desired.
.It Xo
.Fl 5 ,
.Fl Fl krb5
.Xc
The
.Fl 5
option requests Kerberos 5 authentication. This is analogous to the
.Fl 4
option.
.It Xo
.Fl K ,
.Fl Fl broken
.Xc
The
.Fl K
option turns off all Kerberos authentication. The security in this
mode relies on reserved ports. The long name is an indication of how
good this is.
.It Xo
.Fl n ,
.Fl Fl no-input
.Xc
The
.Fl n
option directs the input from the
.Pa /dev/null
device (see the
.Sx BUGS
section of this manual page).
.It Fl d
Enable
.Xr setsockopt 2
socket debugging.
.It Xo
.Fl e ,
.Fl Fl no-stderr
.Xc
Don't use a separate socket for the stderr stream. This can be
necessary if rsh-ing through a NAT bridge.
.It Xo
.Fl x ,
.Fl Fl encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Xo
.Fl z
.Xc
The opposite of
.Fl x .
This is the default, and is mainly useful if encryption has been
enabled by default, for instance in the
.Li appdefaults
section of
.Pa /etc/krb5.conf
when using Kerberos 5.
.It Xo
.Fl f ,
.Fl Fl forward
.Xc
Forward Kerberos 5 credentials to the remote host.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl F ,
.Fl Fl forwardable
.Xc
Make the forwarded credentials re-forwardable.
Also settable via
.Li appdefaults
(see
.Xr krb5.conf 5 ) .
.It Xo
.Fl l Ar string ,
.Fl Fl user= Ns Ar string
.Xc
By default the remote username is the same as the local. The
.Fl l
option or the
.Pa username@host
format allow the remote name to be specified.
.It Xo
.Fl n ,
.Fl Fl no-input
.Xc
Direct input from
.Pa /dev/null
(see the
.Sx BUGS
section).
.It Xo
.Fl p Ar number-or-service ,
.Fl Fl port= Ns Ar number-or-service
.Xc
Connect to this port instead of the default (which is 514 when using
old port based authentication, 544 for Kerberos 5 and non-encrypted
Kerberos 4, and 545 for encrypted Kerberos 4; subject of course to
the contents of
.Pa /etc/services ) .
.It Xo
.Fl P Ar N|O|1|2 ,
.Fl Fl protocol= Ns Ar N|O|1|2
.Xc
Specifies the protocol version to use with Kerberos 5.
.Ar N
and
.Ar 2
select protocol version 2, while
.Ar O
and
.Ar 1
select version 1. Version 2 is believed to be more secure, and is the
default. Unless asked for a specific version,
.Nm
will try both. This behaviour may change in the future.
.It Xo
.Fl u ,
.Fl Fl unique
.Xc
Make sure the remote credentials cache is unique, that is, don't reuse
any existing cache. Mutually exclusive with
.Fl U .
.It Xo
.Fl U Pa string ,
.Fl Fl tkfile= Ns Pa string
.Xc
Name of the remote credentials cache. Mutually exclusive with
.Fl u .
.It Xo
.Fl x ,
.Fl Fl encrypt
.Xc
The
.Fl x
option enables encryption for all data exchange. This is only valid
for Kerberos authenticated connections (see the
.Sx BUGS
section for limitations).
.It Fl z
The opposite of
.Fl x .
This is the default, but encryption can be enabled when using
Kerberos 5, by setting the
.Li libdefaults/encrypt
option in
.Xr krb5.conf 5 .
.El
.\".Pp
.\"Without a
.\".Ar command
.\".Nm
.\"will just exec
.\".Xr rlogin 1
.\"with the same arguments.
.Sh EXAMPLES
Care should be taken when issuing commands containing shell meta
characters. Without quoting, these will be expanded on the local
machine.
.Pp
The following command:
.Pp
.Dl rsh otherhost cat remotefile \*[Gt] localfile
.Pp
will write the contents of the remote
.Pa remotefile
to the local
.Pa localfile ,
but:
.Pp
.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
.Pp
will write it to the remote
.Pa remotefile2 .
.\".Sh ENVIRONMENT
.Sh FILES
.Bl -tag -width /etc/hosts -compact
.It Pa /etc/hosts
.El
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr rlogin 1 ,
.Xr krb_realmofhost 3 ,
.Xr krb_sendauth 3 ,
.Xr hosts.equiv 5 ,
.Xr krb5.conf 5 ,
.Xr rhosts 5 ,
.Xr kerberos 8 ,
.Xr rshd 8
.\".Sh STANDARDS
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Sh AUTHORS
This implementation of
.Nm
was written as part of the Heimdal Kerberos 5 implementation.
.Sh BUGS
Some shells (notably
.Xr csh 1 )
will cause
.Nm
to block if run in the background, unless the standard input is directed away from the terminal. This is what the
.Fl n
option is for.
.Pp
The
.Fl x
option enables encryption for the session, but for both Kerberos 4
and 5 the actual command is sent unencrypted, so you should not send
any secret information in the command line (which is probably a bad
idea anyway, since the command line can usually be read with tools
like
.Xr ps 1 ) .
Furthermore in Kerberos 4 the command is not even integrity
protected, so anyone with the right tools can modify the command.
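
The quoting rule from the EXAMPLES section, as an added example that is not part of the original manual page or of Heimdal. The function fake_rsh, the helper where_is and the sandbox directories are hypothetical stand-ins; the sketch assumes that rsh joins its arguments with spaces and lets the remote shell parse that string, and it never opens a network connection.

```shell
#!/bin/sh
# Constructed sandbox: two directories stand in for the local and remote hosts.
SANDBOX=$(mktemp -d)
LOCAL="$SANDBOX/local"
REMOTE="$SANDBOX/remote"
mkdir -p "$LOCAL" "$REMOTE"
printf 'remote data\n' > "$REMOTE/remotefile"
: > "$LOCAL/a.txt"      # exists only on the "local host"
: > "$REMOTE/b.txt"     # exists only on the "remote host"

# fake_rsh HOST ARGS... is a hypothetical stand-in for rsh: it joins its
# arguments with spaces and lets a second shell, running in the remote
# directory, parse the resulting string again. Nothing is contacted.
fake_rsh() {
    shift
    ( cd "$REMOTE" && sh -c "$*" )
}

# where_is NAME: report which side a file ended up on.
where_is() {
    if [ -e "$LOCAL/$1" ]; then echo local
    elif [ -e "$REMOTE/$1" ]; then echo remote
    else echo missing
    fi
}

# Unquoted: the local shell consumes '>' and expands '*.txt' itself,
# so the "remote" side only ever sees: cat remotefile / echo a.txt
run_unquoted() {
    ( cd "$LOCAL" && fake_rsh otherhost cat remotefile > localfile )
    ( cd "$LOCAL" && fake_rsh otherhost echo *.txt )
}

# Quoted: the metacharacters reach the remote shell intact.
run_quoted() {
    ( cd "$LOCAL" && fake_rsh otherhost 'cat remotefile > remotefile2' )
    ( cd "$LOCAL" && fake_rsh otherhost 'echo *.txt' )
}

echo "unquoted glob expands to: $(run_unquoted)"
echo "quoted glob expands to:   $(run_quoted)"
echo "localfile: $(where_is localfile), remotefile2: $(where_is remotefile2)"
```

The same double parsing is why any value placed on an rsh command line has to be quoted for the remote shell as well as the local one.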