rsh or remsh Command

Purpose

Executes the specified command at the remote host or logs in to the remote host.

Syntax

{ rsh | remsh } RemoteHost [ -n ] [ -l User ] [ -f | -F ] [ -k realm ] [ -S ] [ -u ] [ Command ]

Description

The /usr/bin/rsh command executes the command specified by the Command parameter at the remote host specified by the RemoteHost parameter; if the Command parameter is not specified, the rsh command logs into the remote host specified by the RemoteHost parameter. The rsh command sends standard input from the local command line to the remote command and receives standard output and standard error from the remote command.

Note: Because any input to the remote command must be specified on the local command line, you cannot use the rsh command to execute an interactive command on a remote host. If you need to execute an interactive command on a remote host, use either the rlogin command or the rsh command without specifying the Command parameter. If you do not specify the Command parameter, the rsh command executes the rlogin command instead.

Access Files

If you do not specify the -l flag, the local user name is used at the remote host. If -l User is entered, the specified user name is used at the remote host.

Using Standard Authentication

The remote host allows access only if at least one of the following conditions is satisfied:

  • The local user ID is not the root user, and the name of the local host is listed as an equivalent host in the remote /etc/hosts.equiv file.
  • If either the local user ID is the root user or the check of /etc/hosts.equiv is unsuccessful, the remote user's home directory must contain a $HOME/.rhosts file that lists the local host and user name.

Although you can set any permissions for the $HOME/.rhosts file, it is recommended that the permissions of the .rhosts file be set to 600 (read and write by owner only).

In addition to the preceding conditions, the rsh command also allows access to the remote host if the remote user account does not have a password defined. However, for security reasons, use of a password on all user accounts is recommended.

For Kerberos 5 Authentication

The remote host allows access only if all of the following conditions are satisfied:

  • The local user has current DCE credentials.
  • The local and remote systems are configured for Kerberos 5 authentication. (On some remote systems, this is not necessary. A daemon must, however, be listening on the klogin port.)
  • The remote system accepts the DCE credentials as sufficient for access to the remote account. See the kvalid_user function for more information.

Remote Command Execution

When the remote command is run, pressing the Interrupt, Terminate, or Quit key sequences sends the corresponding signal to the remote process. However, pressing the Stop key sequence stops only the local process. Usually, when the remote command terminates, the local rsh process terminates.

To have shell metacharacters interpreted on the remote host, place the metacharacters inside " " (double quotation marks). Otherwise, the metacharacters are interpreted by the local shell.

When using the rsh command, you can create a link to a path (to which you have permission to write), by using a host name that is specified by the HostName parameter as the link name. For example:

ln -s /usr/bin/rsh HostName

After the link is established, you can specify the HostName parameter and a command that is specified by the Command parameter from the command line. The rsh command remotely runs the command on the remote host. The syntax is:

HostName Command

For example, if you are linked to remote host opus and want to run the date command, enter:

opus date

Because you cannot specify the -l User flag, the remote command is successful only if the local user has a user account on the remote host. Otherwise, the rsh command returns a Login incorrect error message. When you specify the HostName parameter without a command, the rsh command calls the rlogin command, which logs you into the remote host. Again, for successful login, the local user must have a user account on the remote host.

Flags

-a
Indicates that the standard error of the remote command is the same as standard output. No provision is made for sending arbitrary signals to the remote process.
-f
Causes the credentials to be forwarded. This flag is ignored if Kerberos 5 is not the current authentication method. Authentication fails if the current DCE credentials are not marked forwardable.
-F
Causes the credentials to be forwarded. In addition, the credentials on the remote system are marked forwardable (allowing them to be passed to another remote system). This flag is ignored if Kerberos 5 is not the current authentication method. Authentication fails if the current DCE credentials are not marked forwardable.
-k realm
Allows the user to specify the realm of the remote station if it is different from the local system's realm. For these purposes, a realm is synonymous with a DCE cell. This flag is ignored if Kerberos 5 is not the current authentication method.
-l User
Specifies that the rsh command must log in to the remote host as the user specified by the User variable instead of the local user name. If this flag is not specified, the local and remote user names are the same.
-n
Specifies that the rsh command must not read from standard input.
-S
Secure option. Forces the remote IP address of the standard error connection to be the same as that of the standard output connection.
-u
Uses standard AIX® authentication only.

Exit Status

This command returns the following exit values:
0
Successful completion.
>0
An error occurred.

Security

The remote host allows access only if at least one of the following conditions is satisfied:
  • The local user ID is listed as a principal in the authentication database and has performed a kinit to obtain an authentication ticket.
  • If a $HOME/.klogin file exists, it must be in the local user's $HOME directory on the target system. The local user and any user must be listed or the services that are allowed to the rsh command are considered. This file performs a similar function to a local .rhosts file. Each line in this file must contain a principal in the form of principal.instance@realm. If the originating user is authenticated as one of the principals that are named in the .klogin file, access is granted to the account. The owner of the account is granted access if the .klogin file is not present.

For security reasons, any $HOME/.klogin file must be owned by the remote user, and only the AIX owner ID may have read and write access (permissions = 600) to the .klogin file.
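
The following script audits the file requirements stated under Using Standard Authentication and in this section (mode 600 for .rhosts and .klogin, .klogin owned by the account's user, .klogin lines in principal.instance@realm form). It is an added example, not part of the AIX documentation; the function names check_trust_file and audit_all are hypothetical, and applying the ownership check to .rhosts as well is an assumption.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): audit rsh trust files.

# check_trust_file FILE OWNER
#   Prints one line per finding; returns 0 if clean or absent, 1 otherwise.
check_trust_file() {
    file=$1 owner=$2 bad=0
    [ -e "$file" ] || return 0            # no trust file, nothing to audit
    # Must be a regular file with mode exactly 600 (owner read/write only).
    if [ -z "$(find "$file" -prune -type f -perm 600)" ]; then
        echo "$file: not a regular file with mode 600"; bad=1
    fi
    # Must be owned by the account it grants access to
    # (stated for .klogin on the page; assumed here for .rhosts too).
    if [ -z "$(find "$file" -prune -user "$owner")" ]; then
        echo "$file: not owned by $owner"; bad=1
    fi
    # .klogin only: loose shape check for principal.instance@realm.
    # Each non-blank line must be name@realm with no whitespace.
    case $file in
    */.klogin)
        if grep -v '^[[:space:]]*$' "$file" |
           grep -qv '^[^@[:space:]]\{1,\}@[^@[:space:]]\{1,\}$'; then
            echo "$file: line not in principal.instance@realm form"; bad=1
        fi ;;
    esac
    return "$bad"
}

# audit_all PASSWD_FILE
#   Checks .rhosts and .klogin in every home directory listed in a
#   passwd-format file; returns 1 if any file produced a finding.
audit_all() {
    rc=0
    while IFS=: read -r user x x x x home x; do
        for name in .rhosts .klogin; do
            check_trust_file "$home/$name" "$user" || rc=1
        done
    done < "$1"
    return "$rc"
}
```

Run as root so every home directory is readable: `audit_all /etc/passwd`.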

Attention RBAC users and Trusted AIX users: This command can run privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations that are associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

In the following examples, the local host, host1, is listed in the /etc/hosts.equiv file at the remote host, host2.

  1. To check the amount of free disk space on a remote host, enter:
    rsh host2 df
    The amount of free disk space on host2 is displayed on the local system.
  2. To append a remote file to another file on the remote host, place the >> metacharacters in quotation marks, and enter:
    rsh host2 cat test1 ">>" test2
    The file test1 is appended to test2 on remote host host2.
  3. To append a remote file at the remote host to a local file, omit the quotation marks, and enter:
    rsh host2 cat test2 >> test3
    The remote file test2 on host2 is appended to the local file test3.
  4. To append a remote file to a local file and use a remote user's permissions at the remote host, enter:
    rsh host2 -l jane cat test4 >> test5
    The remote file test4, read at the remote host with user jane's permissions, is appended to the local file test5.
  5. This example shows how the root user can issue an rcp on a remote host when the authentication is Kerberos 4 on both the target and server. The root user must be in the authentication database and must have already issued kinit on the local host. The command is issued at the local host to copy the file, stuff, from node r05n07 to node r05n05 on an SP.
    /usr/lpp/ssp/rcmd/bin/rsh r05n07 'export KRBTKTFILE=/tmp/rcmdtkt$$; \
    /usr/lpp/ssp/rcmd/bin/rcmdtgt; \
    /usr/lpp/ssp/rcmd/bin/rcp /tmp/stuff r05n05:/tmp/stuff;'
    The root user sets the KRBTKTFILE environment variable to the name of a temporary ticket-cache file and then obtains a service ticket by issuing the rcmdtgt command. The rcp uses the service ticket to authenticate from host r05n07 to host r05n05.

Files

Item                          Description
$HOME/.klogin                 Specifies remote users that can use a local user account.
/usr/lpp/ssp/rcmd/bin/rsh     Link to AIX Secure /usr/bin/rsh that calls the SP Kerberos 4 rsh routine if applicable.
/usr/lpp/ssp/rcmd/bin/remsh   Link to AIX Secure /usr/bin/rsh that calls the SP Kerberos 4 rsh routine if applicable.

Prerequisite Information

Refer to the chapter on security in IBM® Parallel System Support Programs for AIX: Administration Guide for an overview. You can access this publication at the following Web site: http://www.rs6000.ibm.com/resource/aix_resource

Refer to the "RS/6000® SP Files and Other Technical Information" section of IBM Parallel System Support Programs for AIX: Command and Technical Reference for additional Kerberos information. You can access this publication at the following Web site: http://www.rs6000.ibm.com/resource/aix_resource