Command Reference Manual

rsh (AFS version)

Purpose

Opens a shell on a remote machine

Synopsis

rsh host  [-n]  [-l <username>]  <command>
   
host  [-n]  [-l <username>]    <command>

Description

The AFS-modified rsh program functions like the standard UNIX rsh program, but also passes the issuer's AFS token to the remote machine's Cache Manager, to enable authenticated access to the AFS filespace via that machine.

Token passing is most effective if both the remote machine and local machine belong to the same cell, because the rsh program can pass only one token even if the user has several-- it passes the token that is marked [1] in the output from the tokens command. If the remote and local machine do not belong to the same cell, token [1] must be for the remote machine's cell in order for the remote cell's server processes to recognize the issuer as authenticated.

In addition to running the AFS version of the rsh binary on the machine where the rsh command is issued, other configuration changes are necessary for token passing to work properly. See the Cautions section for a list.

The AFS version of the rsh command is compatible with the standard UNIX inetd command, but token passing only works if the AFS versions of both programs are being used. If only one of them is modified, the issuer will access AFS files through the remote machine as the user anonymous.

Note:

Some operating systems assign an alternate name to this program, such as remsh.

Cautions

The protections required on the .rhosts file for token passing to work correctly with this command are the opposite of those necessary for token creation to work correctly with the AFS version of the rlogind command.

For security's sake, use the AFS version of the rsh command only in conjunction with PAGs, either by using an AFS-modified login utility, issuing the pagsh command before obtaining tokens, or including the -setpag flag to the klog command.

Several configuration requirements and restrictions are necessary for token passing to work correctly with the AFS version of the rsh command. Some of these are also necessary with the standard UNIX version, but are included here because the issuer used to AFS protections may not be inclined to think of them. There are possibly other UNIX-based requirements or restrictions not mentioned here; consult the UNIX manual page for the rsh command. (One important one is that no stty commands can appear in the issuer's shell initialization file, such as the .cshrc file.)

The requirements and restrictions for token passing include the following.

• The local machine must be running the AFS version of the rsh command, with the binary file locally installed to grant setuid privilege to the owner, the local superuser root.

• The remote machine must be running the AFS version of the inetd program.

• If the rsh command is to consult an .rhosts file on the remote machine, the file must have UNIX mode bits no more liberal than -rw-r--r--. If the .rhosts file resides in a user home directory in AFS, the home directory must also grant the l (lookup) and r (read) permissions to the system:anyuser group.

Options

Consult the UNIX manual page for the rsh command.

Privilege Required

None

Related Information

inetd (AFS version)

tokens

UNIX manual page for the rlogind command

UNIX manual page for the rsh command