1rsh(1)                           User Commands                          rsh(1)
2
3
4

NAME

6       rsh, remsh, remote_shell - remote shell
7

SYNOPSIS

9       rsh [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F] [-l username]
10            [-k realm] hostname command
11
12
13       rsh hostname [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F]
14            [-l username] [-k realm] command
15
16
17       remsh [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F] [-l username]
18            [-k realm] hostname command
19
20
21       remsh hostname [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F]
22            [-l username] [-k realm] command
23
24
25        hostname [-n] [-a] [-PN | -PO] [-x] [-f | -F]
26            [-l username] [-k realm] command
27
28

DESCRIPTION

30       The  rsh  utility  connects  to the specified hostname and executes the
31       specified command. rsh copies its standard input to the remote command,
32       the  standard  output of the remote command to its standard output, and
33       the standard error of the remote command to its standard error.  Inter‐
34       rupt, quit, and terminate signals are propagated to the remote command.
35       rsh normally terminates when the remote command does.
36
37
38       The user can opt for a secure session of rsh which uses Kerberos V5 for
39       authentication.  Encryption of the network session traffic is also pos‐
40       sible. The rsh session can be kerberized using  any  of  the  following
41       Kerberos  specific options: -a, -PN or -PO, -x, -f or -F, and -k realm.
42       Some of these options (-a, -x, -PN or -PO, and -f or -F)  can  also  be
43       specified  in  the  [appdefaults] section of krb5.conf(4). The usage of
44       these options and the expected behavior is  discussed  in  the  OPTIONS
45       section below. If Kerberos authentication is used, authorization to the
46       account is controlled by rules in krb5_auth_rules(5).  If  this  autho‐
47       rization  fails, fallback to normal rsh using rhosts occurs only if the
48       -PO option is used explicitly on the command line or  is  specified  in
49       krb5.conf(4).  Also, the -PN or -PO, -x, -f or -F, and -k realm options
50       are just supersets of the -a option.
51
52
53       If you omit command, instead of executing a single  command,  rsh  logs
54       you in on the remote host using rlogin(1).
55
56
57       rsh does not return the exit status code of command.
58
59
60       Shell  metacharacters which are not quoted are interpreted on the local
61       machine, while quoted metacharacters  are  interpreted  on  the  remote
62       machine. See EXAMPLES.
63
64
65       If  there  is no locale setting in the initialization file of the login
66       shell (.cshrc, . . .) for a particular user, rsh  always  executes  the
67       command  in  the  "C" locale instead of using the default locale of the
68       remote machine.
69
70
71       The command is sent unencrypted to the remote  system.  All  subsequent
72       network session traffic is encrypted. See -x.
73

OPTIONS

75       The following options are supported:
76
77       -a             Explicitly enable Kerberos authentication and trusts the
78                      .k5login file for access-control. If  the  authorization
79                      check  by in.rshd(1M) on the server-side succeeds and if
80                      the .k5login file permits access, the user is allowed to
81                      carry out the command.
82
83
84       -f             Forward a copy of the local credentials (Kerberos Ticket
85                      Granting Ticket) to the remote system. This  is  a  non-
86                      forwardable  ticket  granting  ticket.  Forward a ticket
87                      granting ticket if you need to authenticate yourself  to
88                      other Kerberized network services on the remote host. An
89                      example would be if your home directory  on  the  remote
90                      host is NFS mounted by way of Kerberos V5. If your local
91                      credentials are not forwarded in this case,  you  cannot
92                      access  your  home  directory.  This  option is mutually
93                      exclusive with the -F option.
94
95
96       -F             Forward a forwardable  copy  of  the  local  credentials
97                      (Kerberos  Ticket Granting Ticket) to the remote system.
98                      The -F option provides a superset of  the  functionality
99                      offered  by  the  -f  option.  For  example, with the -f
100                      option, if, after you connected to the remote host, your
101                      remote   command   attempted   to  invoke  /usr/bin/ftp,
102                      /usr/bin/telnet, /usr/bin/rlogin, or /usr/bin/rsh,  with
103                      the  -f or -F options, the attempt would fail. Thus, you
104                      would be unable to push  your  single  network  sign  on
105                      trust  beyond one system. This option is mutually exclu‐
106                      sive with the -f option.
107
108
109       -k realm       Causes rsh to obtain tickets  for  the  remote  host  in
110                      realm  instead  of the remote host's realm as determined
111                      by krb5.conf(4).
112
113
114       -K             This option explicitly disables Kerberos authentication.
115                      It  can  be  used  to override the autologin variable in
116                      krb5.conf(4).
117
118
119       -l username    Uses username as the remote  username  instead  of  your
120                      local  username.  In  the  absence  of  this option, the
121                      remote username is the same as your local username.
122
123
124       -n             Redirect the input of rsh to  /dev/null.  You  sometimes
125                      need  this  option  to  avoid  unfortunate  interactions
126                      between rsh and the shell which invokes it. For example,
127                      if  you  are  running  rsh and invoke a rsh in the back‐
128                      ground without redirecting its input away from the  ter‐
129                      minal,  it  blocks  even  if  no reads are posted by the
130                      remote command. The -n option prevents this.
131
132
133       -PO            Explicitly request new (-PN) or old (-PO) version of the
134       -PN            Kerberos  "rcmd"  protocol. The new protocol avoids many
135                      security problems  prevalant  in  the  old  one  and  is
136                      regarded much more secure, but is not interoperable with
137                      older (MIT/SEAM) servers. The new protocol  is  used  by
138                      default, unless explicitly specified using these options
139                      or through krb5.conf(4). If Kerberos authorization fails
140                      when using the old "rcmd" protocol, there is fallback to
141                      regular, non-kerberized rsh. This is not the  case  when
142                      the new, more secure "rcmd" protocol is used.
143
144
145       -x             Cause  the  network session traffic to be encrypted. See
146                      DESCRIPTION.
147
148
149
150       The type of remote shell (sh, rsh,  or  other)  is  determined  by  the
151       user's entry in the file /etc/passwd on the remote system.
152

OPERANDS

154       The following operand is supported:
155
156       command    The command to be executed on the specified hostname.
157
158

USAGE

160       See  largefile(5)  for the description of the behavior of rsh and remsh
161       when encountering files greater than or equal to 2 Gbyte ( 2^31 bytes).
162
163
164       The rsh and remsh commands are IPv6-enabled. See ip6(7P). IPv6  is  not
165       currently supported with Kerberos V5 authentication.
166
167
168       Hostnames  are  given  in the hosts database, which can be contained in
169       the /etc/hosts file, the Internet domain name database, or  both.  Each
170       host  has  one official name (the first name in the database entry) and
171       optionally one or more nicknames. Official hostnames or  nicknames  can
172       be given as hostname.
173
174
175       If  the  name  of the file from which rsh is executed is anything other
176       than rsh, rsh takes this name as its hostname argument. This allows you
177       to create a symbolic link to rsh in the name of a host which, when exe‐
178       cuted, invokes a remote shell on that host. By creating a directory and
179       populating  it with symbolic links in the names of commonly used hosts,
180       then including the directory in your shell's search path, you  can  run
181       rsh by typing hostname to your shell.
182
183
184       If rsh is invoked with the basename remsh, rsh checks for the existence
185       of the file /usr/bin/remsh. If this file  exists,  rsh  behaves  as  if
186       remsh  is  an  alias  for  rsh.  If  /usr/bin/remsh does not exist, rsh
187       behaves as if remsh is a host name.
188
189
190       For the kerberized rsh session, each user can have a private authoriza‐
191       tion list in a file .k5login in their home directory. Each line in this
192       file should contain a Kerberos  principal  name  of  the  form  princi‐
193       pal/instance@realm.  If  there  is  a  ~/.k5login  file, then access is
194       granted to the account if and only if the originater user is  authenti‐
195       cated to one of the principals named in the ~/.k5login file. Otherwise,
196       the originating user is granted access to the account if  and  only  if
197       the authenticated principal name of the user can be mapped to the local
198       account name using the authenticated-principal-namelocal-user-name
199       mapping  rules.  The .k5login file (for access control) comes into play
200       only when Kerberos authentication is being done.
201
202
203       For the non-secure rsh session, each remote machine  can  have  a  file
204       named  /etc/hosts.equiv  containing  a  list  of trusted hostnames with
205       which it shares usernames. Users with the same  username  on  both  the
206       local  and  remote  machine can run rsh from the machines listed in the
207       remote machine's /etc/hosts.equiv file. Individual users can set  up  a
208       similar  private  equivalence  list with the file .rhosts in their home
209       directories. Each line in this file contains two names: a hostname  and
210       a username separated by a space. The entry permits the user named user‐
211       name who is logged into hostname  to  use  rsh  to  access  the  remote
212       machine  as the remote user. If the name of the local host is not found
213       in the /etc/hosts.equiv file on the remote machine, and the local user‐
214       name and hostname are not found in the remote user's .rhosts file, then
215       the access is denied. The hostnames listed in the /etc/hosts.equiv  and
216       .rhosts  files must be the official hostnames listed in the hosts data‐
217       base; nicknames can not be used in either of these files.
218
219
220       You cannot log in using rsh as a trusted user from a  trusted  hostname
221       if the trusted user account is locked.
222
223
224       rsh  does  not  prompt for a password if access is denied on the remote
225       machine unless the command argument is omitted.
226

EXAMPLES

228       Example 1 Using rsh to Append Files
229
230
231       The following command appends the  remote  file  lizard.file  from  the
232       machine  called  lizard  to the file called example.file on the machine
233       called example:
234
235
236         example% rsh lizard cat lizard.file >> example.file
237
238
239
240
241       The following command appends  the  file  lizard.file  on  the  machine
242       called  lizard  to  the  file  lizard.file2  which  also resides on the
243       machine called lizard:
244
245
246         example% rsh lizard cat lizard.file ">>" lizard.file2
247
248
249

EXIT STATUS

251       The following exit values are returned:
252
253       0    Successful completion.
254
255
256       1    An error occurred.
257
258

FILES

260       /etc/hosts             Internet host table
261
262
263       /etc/hosts.equiv       Trusted remote hosts and users
264
265
266       /etc/passwd            System password file
267
268
269       $HOME/.k5login         File containing  Kerberos  principals  that  are
270                              allowed access
271
272
273       /etc/krb5/krb5.conf    Kerberos configuration file
274
275

ATTRIBUTES

277       See attributes(5) for descriptions of the following attributes:
278
279
280
281
282       ┌─────────────────────────────┬─────────────────────────────┐
283       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
284       ├─────────────────────────────┼─────────────────────────────┤
285       │Availability                 │SUNWrcmdc                    │
286       ├─────────────────────────────┼─────────────────────────────┤
287       │CSI                          │Enabled                      │
288       └─────────────────────────────┴─────────────────────────────┘
289

SEE ALSO

291       on(1),  rlogin(1),  ssh(1),  telnet(1),  vi(1),  in.rshd(1M), hosts(4),
292       hosts.equiv(4), krb5.conf(4), attributes(5), krb5_auth_rules(5), large‐
293       file(5), ip6(7P)
294

NOTES

296       When a system is listed in hosts.equiv, its security must be as good as
297       local security. One insecure system listed in hosts.equiv  can  compro‐
298       mise the security of the entire system.
299
300
301       You  cannot  run  an interactive command (such as vi(1)). Use rlogin if
302       you wish to do this.
303
304
305       Stop signals stop the local rsh process only. This is  arguably  wrong,
306       but currently hard to fix for reasons too complicated to explain here.
307
308
309       The current local environment is not passed to the remote shell.
310
311
312       Sometimes  the -n option is needed for reasons that are less than obvi‐
313       ous. For example, the command:
314
315         example% rsh somehost dd if=/dev/nrmt0 bs=20b | tar xvpBf −
316
317
318
319
320       puts your shell into a strange state. Evidently, the tar process termi‐
321       nates  before the rsh process. The rsh command then tries to write into
322       the ``broken pipe'' and, instead of  terminating  neatly,  proceeds  to
323       compete  with  your shell for its standard input. Invoking rsh with the
324       -n option avoids such incidents.
325
326
327       This bug occurs only when rsh is at the beginning of a pipeline and  is
328       not  reading  standard  input. Do not use the -n option if rsh actually
329       needs to read standard input. For example:
330
331         example% tar cf − . | rsh sundial dd of=/dev/rmt0 obs=20b
332
333
334
335
336       does not produce the bug. If you were to use the -n option  in  a  case
337       like  this,  rsh  would incorrectly read from /dev/null instead of from
338       the pipe.
339
340
341       For most purposes, ssh(1) is preferred over rsh.
342
343
344
345SunOS 5.11                        23 Dec 2008                           rsh(1)
Impressum