/crypto/heimdal/appl/rsh/rsh.1

  1.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Hรถgskolan
  2.\" (Royal Institute of Technology, Stockholm, Sweden).
  3.\" All rights reserved.
  4.\"
  5.\" Redistribution and use in source and binary forms, with or without
  6.\" modification, are permitted provided that the following conditions
  7.\" are met:
  8.\"
  9.\" 1. Redistributions of source code must retain the above copyright
 10.\"    notice, this list of conditions and the following disclaimer.
 11.\"
 12.\" 2. Redistributions in binary form must reproduce the above copyright
 13.\"    notice, this list of conditions and the following disclaimer in the
 14.\"    documentation and/or other materials provided with the distribution.
 15.\"
 16.\" 3. Neither the name of the Institute nor the names of its contributors
 17.\"    may be used to endorse or promote products derived from this software
 18.\"    without specific prior written permission.
 19.\"
 20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 30.\" SUCH DAMAGE.
 31.\"
 32.\"	$Id$
 33.\"
 34.Dd February 20, 2004
 35.Dt RSH 1
 36.Os HEIMDAL
 37.Sh NAME
 38.Nm rsh
 39.Nd remote shell
 40.Sh SYNOPSIS
 41.Nm
 42.Op Fl 45FGKdefnuxz
 43.Op Fl U Pa string
 44.Op Fl p Ar port
 45.Op Fl l Ar username
 46.Op Fl P Ar N|O
 47.Ar host [command]
 48.Sh DESCRIPTION
 49.Nm
 50authenticates to the
 51.Xr rshd 8
 52daemon on the remote
 53.Ar host ,
 54and then executes the specified
 55.Ar command .
 56.Pp
 57.Nm
 58copies its standard input to the remote command, and the standard
 59output and error of the remote command to its own.
 60.Pp
 61Valid options are:
 62.Bl -tag -width Ds
 63.It Xo
 64.Fl 4 ,
 65.Fl Fl krb4
 66.Xc
 67The
 68.Fl 4
 69option requests Kerberos 4 authentication. Normally all supported
 70authentication mechanisms will be tried, but in some cases more
 71explicit control is desired.
 72.It Xo
 73.Fl 5 ,
 74.Fl Fl krb5
 75.Xc
 76The
 77.Fl 5
 78option requests Kerberos 5 authentication. This is analogous to the
 79.Fl 4
 80option.
 81.It Xo
 82.Fl K ,
 83.Fl Fl broken
 84.Xc
 85The
 86.Fl K
 87option turns off all Kerberos authentication. The security in this
 88mode relies on reserved ports. The long name is an indication of how
 89good this is.
 90.It Xo
 91.Fl n ,
 92.Fl Fl no-input
 93.Xc
 94The
 95.Fl n
 96option directs the input from the
 97.Pa /dev/null
 98device (see the
 99.Sx BUGS
100section of this manual page).
101.It Fl d
102Enable
103.Xr setsockopt 2
104socket debugging.
105.It Xo
106.Fl e ,
107.Fl Fl no-stderr
108.Xc
109Don't use a separate socket for the stderr stream. This can be
110necessary if rsh-ing through a NAT bridge.
111.It Xo
112.Fl x ,
113.Fl Fl encrypt
114.Xc
115The
116.Fl x
117option enables encryption for all data exchange. This is only valid
118for Kerberos authenticated connections (see the
119.Sx BUGS
120section for limitations).
121.It Xo
122.Fl z
123.Xc
124The opposite of
125.Fl x .
126This is the default, and is mainly useful if encryption has been
127enabled by default, for instance in the
128.Li appdefaults
129section of
130.Pa /etc/krb5.conf
131when using Kerberos 5.
132.It Xo
133.Fl f ,
134.Fl Fl forward
135.Xc
136Forward Kerberos 5 credentials to the remote host.
137Also settable via
138.Li appdefaults
139(see
140.Xr krb5.conf ) .
141.It Xo
142.Fl F ,
143.Fl Fl forwardable
144.Xc
145Make the forwarded credentials re-forwardable.
146Also settable via
147.Li appdefaults
148(see
149.Xr krb5.conf ) .
150.It Xo
151.Fl l Ar string ,
152.Fl Fl user= Ns Ar string
153.Xc
154By default the remote username is the same as the local. The
155.Fl l
156option or the
157.Pa username@host
158format allow the remote name to be specified.
159.It Xo
160.Fl n ,
161.Fl Fl no-input
162.Xc
163Direct input from
164.Pa /dev/null
165(see the
166.Sx BUGS
167section).
168.It Xo
169.Fl p Ar number-or-service ,
170.Fl Fl port= Ns Ar number-or-service
171.Xc
172Connect to this port instead of the default (which is 514 when using
173old port based authentication, 544 for Kerberos 5 and non-encrypted
174Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
175the contents of
176.Pa /etc/services ) .
177.It Xo
178.Fl P Ar N|O|1|2 ,
179.Fl Fl protocol= Ns Ar N|O|1|2
180.Xc
181Specifies the protocol version to use with Kerberos 5.
182.Ar N
183and
184.Ar 2
185select protocol version 2, while
186.Ar O
187and
188.Ar 1
189select version 1. Version 2 is believed to be more secure, and is the
190default. Unless asked for a specific version,
191.Nm
192will try both.  This behaviour may change in the future.
193.It Xo
194.Fl u ,
195.Fl Fl unique
196.Xc
197Make sure the remote credentials cache is unique, that is, don't reuse
198any existing cache. Mutually exclusive to
199.Fl U .
200.It Xo
201.Fl U Pa string ,
202.Fl Fl tkfile= Ns Pa string
203.Xc
204Name of the remote credentials cache. Mutually exclusive to
205.Fl u .
206.It Xo
207.Fl x ,
208.Fl Fl encrypt
209.Xc
210The
211.Fl x
212option enables encryption for all data exchange. This is only valid
213for Kerberos authenticated connections (see the
214.Sx BUGS
215section for limitations).
216.It Fl z
217The opposite of
218.Fl x .
219This is the default, but encryption can be enabled when using
220Kerberos 5, by setting the
221.Li libdefaults/encrypt
222option in
223.Xr krb5.conf 5 .
224.El
225.\".Pp
226.\"Without a
227.\".Ar command
228.\".Nm
229.\"will just exec
230.\".Xr rlogin 1
231.\"with the same arguments.
232.Sh EXAMPLES
233Care should be taken when issuing commands containing shell meta
234characters. Without quoting, these will be expanded on the local
235machine.
236.Pp
237The following command:
238.Pp
239.Dl rsh otherhost cat remotefile \*[Gt] localfile
240.Pp
241will write the contents of the remote
242.Pa remotefile
243to the local
244.Pa localfile ,
245but:
246.Pp
247.Dl rsh otherhost 'cat remotefile \*[Gt] remotefile2'
248.Pp
249will write it to the remote
250.Pa remotefile2 .
251.\".Sh ENVIRONMENT
252.Sh FILES
253.Bl -tag -width /etc/hosts -compact
254.It Pa /etc/hosts
255.El
256.\".Sh DIAGNOSTICS
257.Sh SEE ALSO
258.Xr rlogin 1 ,
259.Xr krb_realmofhost 3 ,
260.Xr krb_sendauth 3 ,
261.Xr hosts.equiv 5 ,
262.Xr krb5.conf 5 ,
263.Xr rhosts 5 ,
264.Xr kerberos 8
265.Xr rshd 8
266.\".Sh STANDARDS
267.Sh HISTORY
268The
269.Nm
270command appeared in
271.Bx 4.2 .
272.Sh AUTHORS
273This implementation of
274.Nm
275was written as part of the Heimdal Kerberos 5 implementation.
276.Sh BUGS
277Some shells (notably
278.Xr csh 1 )
279will cause
280.Nm
281to block if run in the background, unless the standard input is directed away from the terminal. This is what the
282.Fl n
283option is for.
284.Pp
285The
286.Fl x
287options enables encryption for the session, but for both Kerberos 4
288and 5 the actual command is sent unencrypted, so you should not send
289any secret information in the command line (which is probably a bad
290idea anyway, since the command line can usually be read with tools
291like
292.Xr ps 1 ) .
293Forthermore in Kerberos 4 the command is not even integrity
294protected, so anyone with the right tools can modify the command.