source: heimdal/trunk/appl/rsh/rsh.cat1@ 4

RSH(1)                    BSD General Commands Manual                   RSH(1)

NNAAMMEE
     rrsshh -- remote shell

SSYYNNOOPPSSIISS
     rrsshh [--4455FFGGKKddeeffnnuuxxzz] [--UU _s_t_r_i_n_g] [--pp _p_o_r_t] [--ll _u_s_e_r_n_a_m_e] [--PP _N_|_O] _h_o_s_t
         _[_c_o_m_m_a_n_d_]

DDEESSCCRRIIPPTTIIOONN
     rrsshh authenticates to the rshd(8) daemon on the remote _h_o_s_t, and then exe-
     cutes the specified _c_o_m_m_a_n_d.

     rrsshh copies its standard input to the remote command, and the standard
     output and error of the remote command to its own.

     Valid options are:

     --44, ----kkrrbb44
             The --44 option requests Kerberos 4 authentication. Normally all
             supported authentication mechanisms will be tried, but in some
             cases more explicit control is desired.

     --55, ----kkrrbb55
             The --55 option requests Kerberos 5 authentication. This is analo-
             gous to the --44 option.

     --KK, ----bbrrookkeenn
             The --KK option turns off all Kerberos authentication. The security
             in this mode relies on reserved ports. The long name is an indi-
             cation of how good this is.

     --nn, ----nnoo--iinnppuutt
             The --nn option directs the input from the _/_d_e_v_/_n_u_l_l device (see
             the _B_U_G_S section of this manual page).

     --dd      Enable setsockopt(2) socket debugging.

     --ee, ----nnoo--ssttddeerrrr
             Don't use a separate socket for the stderr stream. This can be
             necessary if rsh-ing through a NAT bridge.

     --xx, ----eennccrryypptt
             The --xx option enables encryption for all data exchange. This is
             only valid for Kerberos authenticated connections (see the _B_U_G_S
             section for limitations).

     --zz      The opposite of --xx.  This is the default, and is mainly useful if
             encryption has been enabled by default, for instance in the
             appdefaults section of _/_e_t_c_/_k_r_b_5_._c_o_n_f when using Kerberos 5.

     --ff, ----ffoorrwwaarrdd
             Forward Kerberos 5 credentials to the remote host.  Also settable
             via appdefaults (see krb5.conf).

     --FF, ----ffoorrwwaarrddaabbllee
             Make the forwarded credentials re-forwardable.  Also settable via
             appdefaults (see krb5.conf).

     --ll _s_t_r_i_n_g, ----uusseerr==_s_t_r_i_n_g
             By default the remote username is the same as the local. The --ll
             option or the _u_s_e_r_n_a_m_e_@_h_o_s_t format allow the remote name to be
             specified.

     --nn, ----nnoo--iinnppuutt
             Direct input from _/_d_e_v_/_n_u_l_l (see the _B_U_G_S section).

     --pp _n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e, ----ppoorrtt==_n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e
             Connect to this port instead of the default (which is 514 when
             using old port based authentication, 544 for Kerberos 5 and non-
             encrypted Kerberos 4, and 545 for encrytpted Kerberos 4; subject
             of course to the contents of _/_e_t_c_/_s_e_r_v_i_c_e_s).

     --PP _N_|_O_|_1_|_2, ----pprroottooccooll==_N_|_O_|_1_|_2
             Specifies the protocol version to use with Kerberos 5.  _N and _2
             select protocol version 2, while _O and _1 select version 1. Ver-
             sion 2 is believed to be more secure, and is the default. Unless
             asked for a specific version, rrsshh will try both.  This behaviour
             may change in the future.

     --uu, ----uunniiqquuee
             Make sure the remote credentials cache is unique, that is, don't
             reuse any existing cache. Mutually exclusive to --UU.

     --UU _s_t_r_i_n_g, ----ttkkffiillee==_s_t_r_i_n_g
             Name of the remote credentials cache. Mutually exclusive to --uu.

     --xx, ----eennccrryypptt
             The --xx option enables encryption for all data exchange. This is
             only valid for Kerberos authenticated connections (see the _B_U_G_S
             section for limitations).

     --zz      The opposite of --xx.  This is the default, but encryption can be
             enabled when using Kerberos 5, by setting the libdefaults/encrypt
             option in krb5.conf(5).

EEXXAAMMPPLLEESS
     Care should be taken when issuing commands containing shell meta charac-
     ters. Without quoting, these will be expanded on the local machine.

     The following command:

           rsh otherhost cat remotefile > localfile

     will write the contents of the remote _r_e_m_o_t_e_f_i_l_e to the local _l_o_c_a_l_f_i_l_e,
     but:

           rsh otherhost 'cat remotefile > remotefile2'

     will write it to the remote _r_e_m_o_t_e_f_i_l_e_2.

FFIILLEESS
     /etc/hosts

SSEEEE AALLSSOO
     rlogin(1), krb_realmofhost(3), krb_sendauth(3), hosts.equiv(5),
     krb5.conf(5), rhosts(5), kerberos(8) rshd(8)

HHIISSTTOORRYY
     The rrsshh command appeared in 4.2BSD.

AAUUTTHHOORRSS
     This implementation of rrsshh was written as part of the Heimdal Kerberos 5
     implementation.

BBUUGGSS
     Some shells (notably csh(1)) will cause rrsshh to block if run in the back-
     ground, unless the standard input is directed away from the terminal.
     This is what the --nn option is for.

     The --xx options enables encryption for the session, but for both Kerberos
     4 and 5 the actual command is sent unencrypted, so you should not send
     any secret information in the command line (which is probably a bad idea
     anyway, since the command line can usually be read with tools like
     ps(1)).  Forthermore in Kerberos 4 the command is not even integrity pro-
     tected, so anyone with the right tools can modify the command.

HEIMDAL                        February 20, 2004                       HEIMDAL