rsh(1)                          User Commands                          rsh(1)

NAME
     rsh, remsh, remote_shell - remote shell

SYNOPSIS
     rsh [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F] [-l username]
          [-k realm] hostname command

     rsh hostname [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F]
          [-l username] [-k realm] command

     remsh [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F] [-l username]
          [-k realm] hostname command

     remsh hostname [-n] [-a] [-K] [-PN | -PO] [-x] [-f | -F]
          [-l username] [-k realm] command

     hostname [-n] [-a] [-PN | -PO] [-x] [-f | -F]
          [-l username] [-k realm] command

DESCRIPTION
     The rsh utility connects to the specified hostname and executes the
     specified command. rsh copies its standard input to the remote command,
     the standard output of the remote command to its standard output, and
     the standard error of the remote command to its standard error.
     Interrupt, quit, and terminate signals are propagated to the remote
     command. rsh normally terminates when the remote command does.

     The user can opt for a secure session of rsh which uses Kerberos V5 for
     authentication. Encryption of the network session traffic is also
     possible. The rsh session can be kerberized using any of the following
     Kerberos specific options: -a, -PN or -PO, -x, -f or -F, and -k realm.
     Some of these options (-a, -x, -PN or -PO, and -f or -F) can also be
     specified in the [appdefaults] section of krb5.conf(4). The usage of
     these options and the expected behavior is discussed in the OPTIONS
     section below. If Kerberos authentication is used, authorization to the
     account is controlled by rules in krb5_auth_rules(5). If this
     authorization fails, fallback to normal rsh using rhosts occurs only if
     the -PO option is used explicitly on the command line or is specified
     in krb5.conf(4). Also, the -PN or -PO, -x, -f or -F, and -k realm
     options are just supersets of the -a option.

     If you omit command, instead of executing a single command, rsh logs
     you in on the remote host using rlogin(1).

     rsh does not return the exit status code of command.

     Shell metacharacters which are not quoted are interpreted on the local
     machine, while quoted metacharacters are interpreted on the remote
     machine. See EXAMPLES.

     If there is no locale setting in the initialization file of the login
     shell (.cshrc, ...) for a particular user, rsh always executes the
     command in the "C" locale instead of using the default locale of the
     remote machine.

     The command is sent unencrypted to the remote system. All subsequent
     network session traffic is encrypted. See -x.

OPTIONS
     The following options are supported:

     -a             Explicitly enable Kerberos authentication and trust the
                    .k5login file for access control. If the authorization
                    check by in.rshd(1M) on the server side succeeds and if
                    the .k5login file permits access, the user is allowed to
                    carry out the command.

     -f             Forward a copy of the local credentials (Kerberos Ticket
                    Granting Ticket) to the remote system. This is a
                    non-forwardable ticket granting ticket. Forward a ticket
                    granting ticket if you need to authenticate yourself to
                    other Kerberized network services on the remote host. An
                    example would be if your home directory on the remote
                    host is NFS mounted by way of Kerberos V5. If your local
                    credentials are not forwarded in this case, you cannot
                    access your home directory. This option is mutually
                    exclusive with the -F option.

     -F             Forward a forwardable copy of the local credentials
                    (Kerberos Ticket Granting Ticket) to the remote system.
                    The -F option provides a superset of the functionality
                    offered by the -f option. For example, with the -f
                    option, if, after you connected to the remote host, your
                    remote command attempted to invoke /usr/bin/ftp,
                    /usr/bin/telnet, /usr/bin/rlogin, or /usr/bin/rsh, with
                    the -f or -F options, the attempt would fail. Thus, you
                    would be unable to push your single network sign on
                    trust beyond one system. This option is mutually
                    exclusive with the -f option.

     -k realm       Causes rsh to obtain tickets for the remote host in
                    realm instead of the remote host's realm as determined
                    by krb5.conf(4).

     -K             This option explicitly disables Kerberos authentication.
                    It can be used to override the autologin variable in
                    krb5.conf(4).

     -l username    Uses username as the remote username instead of your
                    local username. In the absence of this option, the
                    remote username is the same as your local username.

     -n             Redirect the input of rsh to /dev/null. You sometimes
                    need this option to avoid unfortunate interactions
                    between rsh and the shell which invokes it. For example,
                    if you are running rsh and invoke a rsh in the
                    background without redirecting its input away from the
                    terminal, it blocks even if no reads are posted by the
                    remote command. The -n option prevents this.

     -PN
     -PO            Explicitly request the new (-PN) or old (-PO) version of
                    the Kerberos "rcmd" protocol. The new protocol avoids
                    many security problems prevalent in the old one and is
                    regarded as much more secure, but is not interoperable
                    with older (MIT/SEAM) servers. The new protocol is used
                    by default, unless explicitly specified using these
                    options or through krb5.conf(4). If Kerberos
                    authorization fails when using the old "rcmd" protocol,
                    there is fallback to regular, non-kerberized rsh. This
                    is not the case when the new, more secure "rcmd"
                    protocol is used.

     -x             Cause the network session traffic to be encrypted. See
                    DESCRIPTION.

     The type of remote shell (sh, rsh, or other) is determined by the
     user's entry in the file /etc/passwd on the remote system.

OPERANDS
     The following operand is supported:

     command        The command to be executed on the specified hostname.

USAGE
     See largefile(5) for the description of the behavior of rsh and remsh
     when encountering files greater than or equal to 2 Gbyte (2^31 bytes).

     The rsh and remsh commands are IPv6-enabled. See ip6(7P). IPv6 is not
     currently supported with Kerberos V5 authentication.

     Hostnames are given in the hosts database, which can be contained in
     the /etc/hosts file, the Internet domain name database, or both. Each
     host has one official name (the first name in the database entry) and
     optionally one or more nicknames. Official hostnames or nicknames can
     be given as hostname.

     If the name of the file from which rsh is executed is anything other
     than rsh, rsh takes this name as its hostname argument. This allows you
     to create a symbolic link to rsh in the name of a host which, when
     executed, invokes a remote shell on that host. By creating a directory
     and populating it with symbolic links in the names of commonly used
     hosts, then including the directory in your shell's search path, you
     can run rsh by typing hostname to your shell.

     If rsh is invoked with the basename remsh, rsh checks for the existence
     of the file /usr/bin/remsh. If this file exists, rsh behaves as if
     remsh is an alias for rsh. If /usr/bin/remsh does not exist, rsh
     behaves as if remsh is a host name.

     For the kerberized rsh session, each user can have a private
     authorization list in a file .k5login in their home directory. Each
     line in this file should contain a Kerberos principal name of the form
     principal/instance@realm. If there is a ~/.k5login file, then access is
     granted to the account if and only if the originating user is
     authenticated to one of the principals named in the ~/.k5login file.
     Otherwise, the originating user is granted access to the account if and
     only if the authenticated principal name of the user can be mapped to
     the local account name using the authenticated-principal-name →
     local-user-name mapping rules. The .k5login file (for access control)
     comes into play only when Kerberos authentication is being done.

     For the non-secure rsh session, each remote machine can have a file
     named /etc/hosts.equiv containing a list of trusted hostnames with
     which it shares usernames. Users with the same username on both the
     local and remote machine can run rsh from the machines listed in the
     remote machine's /etc/hosts.equiv file. Individual users can set up a
     similar private equivalence list with the file .rhosts in their home
     directories. Each line in this file contains two names: a hostname and
     a username separated by a space. The entry permits the user named
     username who is logged into hostname to use rsh to access the remote
     machine as the remote user. If the name of the local host is not found
     in the /etc/hosts.equiv file on the remote machine, and the local
     username and hostname are not found in the remote user's .rhosts file,
     then the access is denied. The hostnames listed in the /etc/hosts.equiv
     and .rhosts files must be the official hostnames listed in the hosts
     database; nicknames cannot be used in either of these files.

     You cannot log in using rsh as a trusted user from a trusted hostname
     if the trusted user account is locked.

     rsh does not prompt for a password if access is denied on the remote
     machine unless the command argument is omitted.
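
     The trust-file rules above (one hostname and optional username per
     line, official hostnames only) can be reviewed mechanically. The sh
     script below is an added example, not part of the original manual
     page: it flags entries that name a nickname or a host missing from the
     hosts table, plus the "+" wildcard documented in hosts.equiv(4). The
     function names, finding codes and sample files are constructed for
     illustration.

```shell
#!/bin/sh
# host_kind HOSTS_FILE NAME: print "official", "nickname" or "unknown"
# according to where NAME appears in a hosts(4)-format table.
host_kind() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # need address + official name
        $2 == want { kind = "official"; exit }  # first name is the official one
        { for (i = 3; i <= NF; i++) if ($i == want) kind = "nickname" }
        END { print (kind ? kind : "unknown") }
    ' "$1"
}

# audit_trust TRUST_FILE HOSTS_FILE: print "<line>:<finding>:<entry>" for
# every entry that needs review; official-hostname entries print nothing.
audit_trust() {
    n=0
    while read -r host user rest || [ -n "$host" ]; do
        n=$((n + 1))
        case $host in ''|'#'*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "$n:WILDCARD:$host${user:+ $user}"  # trusts any host or user
            continue
        fi
        case $(host_kind "$2" "$host") in
            nickname) echo "$n:NICKNAME:$host" ;;    # must be the official name
            unknown)  echo "$n:UNKNOWN:$host" ;;     # not in table, or other syntax
        esac
    done < "$1"
}

# demo: run the audit over constructed sample files (not from a real system).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/hosts" <<'EOF'
192.0.2.10  lizard.example.com   lizard
192.0.2.11  sundial.example.com  sundial   # tape host
EOF
    cat > "$d/rhosts" <<'EOF'
lizard.example.com alice
sundial alice
+ +
oldbox.example.com bob
EOF
    audit_trust "$d/rhosts" "$d/hosts"
    rm -rf "$d"
}

demo
```

     On a real system, pass /etc/hosts.equiv or a user's .rhosts as the
     first argument and /etc/hosts as the second; names resolved only
     through the Internet domain name database are reported as UNKNOWN.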

EXAMPLES
     Example 1 Using rsh to Append Files

     The following command appends the remote file lizard.file from the
     machine called lizard to the file called example.file on the machine
     called example:

       example% rsh lizard cat lizard.file >> example.file

     The following command appends the file lizard.file on the machine
     called lizard to the file lizard.file2 which also resides on the
     machine called lizard:

       example% rsh lizard cat lizard.file ">>" lizard.file2

EXIT STATUS
     The following exit values are returned:

     0    Successful completion.

     1    An error occurred.

FILES
     /etc/hosts             Internet host table

     /etc/hosts.equiv       Trusted remote hosts and users

     /etc/passwd            System password file

     $HOME/.k5login         File containing Kerberos principals that are
                            allowed access

     /etc/krb5/krb5.conf    Kerberos configuration file

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWrcmdc                    │
     ├─────────────────────────────┼─────────────────────────────┤
     │CSI                          │Enabled                      │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     on(1), rlogin(1), ssh(1), telnet(1), vi(1), in.rshd(1M), hosts(4),
     hosts.equiv(4), krb5.conf(4), attributes(5), krb5_auth_rules(5),
     largefile(5), ip6(7P)

NOTES
     When a system is listed in hosts.equiv, its security must be as good as
     local security. One insecure system listed in hosts.equiv can
     compromise the security of the entire system.

     You cannot run an interactive command (such as vi(1)). Use rlogin if
     you wish to do this.

     Stop signals stop the local rsh process only. This is arguably wrong,
     but currently hard to fix for reasons too complicated to explain here.

     The current local environment is not passed to the remote shell.

     Sometimes the -n option is needed for reasons that are less than
     obvious. For example, the command:

       example% rsh somehost dd if=/dev/nrmt0 bs=20b | tar xvpBf -

     puts your shell into a strange state. Evidently, the tar process
     terminates before the rsh process. The rsh command then tries to write
     into the "broken pipe" and, instead of terminating neatly, proceeds to
     compete with your shell for its standard input. Invoking rsh with the
     -n option avoids such incidents.

     This bug occurs only when rsh is at the beginning of a pipeline and is
     not reading standard input. Do not use the -n option if rsh actually
     needs to read standard input. For example:

       example% tar cf - . | rsh sundial dd of=/dev/rmt0 obs=20b

     does not produce the bug. If you were to use the -n option in a case
     like this, rsh would incorrectly read from /dev/null instead of from
     the pipe.

     For most purposes, ssh(1) is preferred over rsh.

SunOS 5.11                       23 Dec 2008                          rsh(1)