Commands Reference, Volume 4

rsh or remsh Command

Purpose

Executes the specified command at the remote host or logs into the remote host.

Syntax

{ rsh | remsh } RemoteHost [ -a ] [ -n ] [ -l User ] [ -f | -F ] [ -k realm ] [ Command ]

Description

The /usr/bin/rsh command executes the command specified by the Command parameter at the remote host specified by the RemoteHost parameter; if the Command parameter is not specified, the rsh command logs into the remote host specified by the RemoteHost parameter. The rsh command sends standard input from the local command line to the remote command and receives standard output and standard error from the remote command.

Note

Because any input to the remote command must be specified on the local command line, you cannot use the rsh command to execute an interactive command on a remote host. If you need to execute an interactive command on a remote host, use either the rlogin command or the rsh command without specifying the Command parameter. If you do not specify the Command parameter, the rsh command executes the rlogin command instead.

Access Files

If you do not specify the -l flag, the local user name is used at the remote host. If -l User is entered, the specified user name is used at the remote host.

Using Standard Authentication

The remote host allows access only if at least one of the following conditions is satisfied:

The local user ID is not the root user, and the name of the local host is listed as an equivalent host in the remote /etc/hosts.equiv file.
If either the local user ID is the root user or the check of /etc/hosts.equiv is unsuccessful, the remote user's home directory must contain a $HOME/.rhosts file that lists the local host and user name.

Although you can set any permissions for the $HOME/.rhosts file, it is recommended that the permissions of the .rhosts file be set to 600 (read and write by owner only).

In addition to the preceding conditions, the rsh command also allows access to the remote host if the remote user account does not have a password defined. However, for security reasons, use of a password on all user accounts is recommended.

For Kerberos 5 Authentication

The remote host allows access only if all of the following conditions are satisfied:

The local user has current DCE credentials.
The local and remote systems are configured for Kerberos 5 authentication (On some remote systems, this may not be necessary. It is necessary that a daemon is listening to the klogin port).
The remote system accepts the DCE credentials as sufficient for access to the remote account. See the kvalid_user function for additional information.

Remote Command Execution

While the remote command is executing, pressing the Interrupt, Terminate, or Quit key sequences sends the corresponding signal to the remote process. However, pressing the Stop key sequence stops only the local process. Usually, when the remote command terminates, the local rsh process terminates.

To have shell metacharacters interpreted on the remote host, place the metacharacters inside " " (double quotes). Otherwise, the metacharacters are interpreted by the local shell.

When using the rsh command, you can create a link to a path (to which you have permission to write), using a host name specified by the HostName parameter as the link name. For example:

ln -s /usr/bin/rsh HostName

Having established this link, you can specify the HostName parameter and a command specified by the Command parameter from the command line, and the rsh command remotely executes the command on the remote host. The syntax is:

HostName Command

For example, if you are linked to remote host opus and want to perform the date command, enter:

opus date

Because you can not specify the -l User flag, the remote command is successful only if the local user has a user account on the remote host. Otherwise, the rsh command returns a Login incorrect error message. When you specify the HostName parameter without a command, the rsh command calls the rlogin command, which logs you into the remote host. Again, for successful login, the local user must have a user account on the remote host.

Flags

-a	Indicates the standard error of the remote command is the same as standard output. No provision is made for sending arbitrary signals to the remote process.
-l User	Specifies that the rsh command should log in to the remote host as the user specified by the User variable instead of the local user name. If this flag is not specified, the local and remote user names are the same.
-n	Specifies that the rsh command should not read from standard input.
-f	Causes the credentials to be forwarded. This flag will be ignored if Kerberos 5 is not the current authentication method. Authentication will fail if the current DCE credentials are not marked forwardable.
-F	Causes the credentials to be forwarded. In addition the credentials on the remote system will be marked forwardable (allowing them to be passed to another remote system). This flag will be ignored if Kerberos 5 is not the current authentication method. Authentication will fail if the current DCE credentials are not marked forwardable.
-k realm	Allows the user to specify the realm of the remote station if it is different from the local systems realm. For these purposes, a realm is synonymous with a DCE cell. This flag will be ignored if Kerberos 5 is not the current authentication method.

Security

The remote host allows access only if at least one of the following conditions is satisfied:

The local user ID is listed as a principal in the authentication database and had performed a kinit to obtain an authentication ticket.
If a $HOME/.klogin file exists, it must be located in the local user's $HOME directory on the target system. The local user must be listed as well as any users or services allowed to rsh into this account. This file performs a similar function to a local .rhosts file. Each line in this file should contain a principal in the form of principal.instance@realm. If the originating user is authenticated as one of the principals named in .klogin, access is granted to the account. The owner of the account is granted access if there is no .klogin file.

For security reasons, any $HOME/.klogin file must be owned by the remote user and only the AIX owner id should have read and write access (permissions = 600) to .klogin.

Exit Status

This command returns the following exit values:

0	Successful completion.
>0	An error occurred.

Examples

In the following examples, the local host, host1, is listed in the /etc/hosts.equiv file at the remote host, host2.

To check the amount of free disk space on a remote host, enter:
```
rsh host2 df
```
The amount of free disk space on host2 is displayed on the local system.
To append a remote file to another file on the remote host, place the >> metacharacters in quotation marks, and enter:
```
rsh host2 cat test1 ">>" test2
```
The file test1 is appended to test2 on remote host host2.
To append a remote file at the remote host to a local file, omit the quotation marks, and enter:
```
rsh host2 cat test2 >> test3
```
The remote file test2 on host2 is appended to the local file test3.
To append a remote file to a local file and use a remote user's permissions at the remote host, enter:
rsh host2 -l jane cat test4 >> test5
The remote file test4 is appended to the local file test5 at the remote host, with user jane's permissions.
This example shows how the root user can issue an rcp on a remote host when the authentication is Kerberos 4 on both the target and server. The root user must be in the authentication database and must have already issued kinit on the local host. The command is issued at the local host to copy the file, stuff, from node r05n07 to node r05n05 on an SP.
```
/usr/lpp/ssp/rcmd/bin/rsh r05n07 'export KRBTKTFILE=/tmp/rcmdtkt$$; \
/usr/lpp/ssp/rcmd/bin/rcmdtgt; \
/usr/lpp/ssp/rcmd/bin/rcp /tmp/stuff r05n05:/tmp/stuff;'
```
The root user sets the KRBTKTFILE environment variable to the name of a temporary ticket-cache file and then obtains a service ticket by issuing the rcmdtgt command. The rcp uses the service ticket to authenticate from host r05n07 to host r05n05.

Files

$HOME/.klogin	Specifies remote users that can use a local user account.
/usr/lpp/ssp/rcmd/bin/rsh	Link to AIX Secure /usr/bin/rsh that calls the SP Kerberos 4 rsh routine if applicable.
/usr/lpp/ssp/rcmd/bin/remsh	Link to AIX Secure /usr/bin/rsh that calls the SP Kerberos 4 rsh routine if applicable.

Prerequisite Information

Refer to the chapter on security in IBM Parallel System Support Programs for AIX: Administration Guide for an overview. You can access this publication at the following Web site: http://www.rs6000.ibm.com/resource/aix_resource

Refer to the "RS/6000 SP Files and Other Technical Information" section of IBM Parallel System Support Programs for AIX: Command and Technical Reference for additional Kerberos information. You can access this publication at the following Web site: http://www.rs6000.ibm.com/resource/aix_resource

Related Information

The ftp command, rcp command, rexec command, rlogin command, telnet, tn, or tn3270 command.

SP Commands: k4init, k4list, k4destroy, lsauthpar, chauthpar, Kerberos

Environment variable: KRBTKFILE

The rshd and krshd daemon.

The kvalid_user function.

The hosts.equiv file format, .rhosts file format.

Network Overview in AIX 5L Version 5.2 System Management Guide: Communications and Networks.

Secure Rcmds in AIX 5L Version 5.2 System User's Guide: Communications and Networks.