HPlogo HP-UX Reference Volume 1 of 5 > r

remsh(1)

Kerberos
» 

Technical documentation

Complete book in PDF

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

remsh, rexec — execute from a remote shell

SYNOPSIS

remsh host [-l username] [-f/F] [-k realm] [-P] [-n] command host [-l username] [-f/F] [-k realm] [-P] [-n] command

rexec host [-l username] [-n] command

DESCRIPTION

remsh connects to the specified host and executes the specified command. The host name can be either the official name or an alias as understood by gethostbyname() (see gethostent(3N) and hosts(4)). remsh copies its standard input (stdin) to the remote command, and the standard output of the remote command to its standard output (stdout), and the standard error of the remote command to its standard error (stderr). Hangup, interrupt, quit, terminate, and broken pipe signals are propagated to the remote command. remsh exits when the sockets associated with stdout and stderr of the remote command are closed. This means that remsh normally terminates when the remote command does (see remshd(1M)).

By default, remsh uses the following path when executing the specified command:

/usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/contrib/bin:/usr/local/bin

remsh uses the default remote login shell with the -c option to execute the remote command. If the default remote shell is csh, csh sources the remote .cshrc file before the command. remsh cannot be used to run commands that require a terminal interface (such as vi) or commands that read their standard error (such as more). In such cases, use rlogin or telnet instead (see rlogin(1) and telnet(1)).

The remote account name used is the same as your local account name, unless you specify a different remote name with the -l option. In addition, the remote host account name must also conform to other rules which differ depending upon whether the remote host is operating in a Kerberos V5 Network Authentication, i.e., secure environment or not. In a non-secure, or traditional environment, the remote account name must be equivalent to the originating account; no provision is made for specifying a password with a command. For more details about equivalent hosts and how to specify them, see hosts.equiv(4). The files inspected by remshd on the remote host are /etc/hosts.equiv and $HOME/.rhosts (see remshd(1M)).

In a Kerberos V5 Network Authentication environment, the local host must be successfully authenticated before the remote account name is checked for proper authorization. The authorization mechanism is dependent on the command line options used to invoke remshd on the remote host (i.e., -K, -R, -r, or -k). For further information on Kerberos authentication and authorization see the Secure Internet Services man page, sis(5) and remshd(1M).

Although Kerberos authentication and authorization may apply, the Kerberos mechanism is not applied to the command or to its response. All information transferred between the local and remote host is still sent in cleartext over the network.

In a secure or Kerberos V5-based environment, the following command line options are available:

-f

Forward the ticket granting ticket (TGT) to the remote system. The TGT is not forwardable from there.

-F

Forward the TGT to the remote system and have it forwardable from there to another remote system. -f and -F are mutually exclusive.

-k realm

Obtain tickets from the remote host in the specified realm instead of the remote host's default realm as specified in the configuration file krb.realms.

-P

Disable Kerberos authentication.

If a command is not specified, instead of executing a single command, you will be logged in on the remote host using rlogin (see rlogin(1)). Any rlogin options typed in on the command line are transmitted to rlogin. If no command and the option -P is specified, rlogin will be invoked with -P to indicate that Kerberos authentication (or secure access) is not required. This will mean that if a password is requested, the password will be sent in cleartext. If a command is specified, options specific to rlogin are ignored by remsh.

If a command and the option -n are specified, then standard input is redirected to remsh by /dev/null. If -n is not specified (the default case), remsh reads its standard input and sends the input to the remote command. This is because remsh has no way to determine whether the remote command requires input. This option is useful when running a shell script containing a remsh command, since otherwise remsh may use input not intended for it. The -n option is also useful when running remsh in the background from a job control shell, /usr/bin/csh or /usr/bin/ksh. Otherwise, remsh stops and waits for input from the terminal keyboard for the remote command. /usr/bin/sh automatically redirects its input from /dev/null when jobs are run in the background.

Host names for remote hosts can also be commands (linked to remsh) in the directory /usr/hosts. If this directory is specified in the $PATH environment variable, you can omit remsh. For example, if remotehost is the name of a remote host, /usr/hosts/remotehost is linked to remsh, and if /usr/hosts is in your search path, the command

remotehost command

executes command on remotehost, and the command

remotehost

is equivalent to

rlogin remotehost

The rexec command works the same as remsh except that it uses the rexec() library routine and rexecd for command execution (see rexec(3N) and rexecd(1M)) and does not support Kerberos authentication. rexec prompts for a password before executing the command instead of using hosts.equiv for authentication. It should be used in instances where a password to a remote account is known but there are insufficient permissions for remsh.

EXAMPLES

Shell metacharacters that are not quoted are interpreted on the local host; quoted metacharacters are interpreted on the remote host. Thus the command line:

remsh otherhost cat remotefile >> localfile

appends the remote file remotefile to the local file localfile, while the command line

remsh otherhost cat remotefile ">>" otherremotefile

appends remotefile to the remote file otherremotefile.

If the remote shell is /usr/bin/sh, the following command line sets up the environment for the remote command before executing the remote command:

remsh otherhost . .profile 2>&- \; command

The 2>&- throws away error messages generated by executing .profile when stdin and stdout are not a terminal.

The following command line runs remsh in the background on the local system, and the output of the remote command comes to your terminal asynchronously:

remsh otherhost -n command &

The background remsh completes when the remote command does.

The following command line causes remsh to return immediately without waiting for the remote command to complete:

remsh otherhost -n "command 1>&- 2>&- &"

(See remshd(1M) and sh(1)). If your login shell on the remote system is csh, use the following form instead:

remsh otherhost -n "sh -c \"command 1>&- 2>&- &\""

RETURN VALUE

If remsh fails to set up the secondary socket connection, it returns 2. If it fails in some other way, it returns 1. If it fully succeeds in setting up a connection with remshd, it returns 0 once the remote command has completed. Note that the return value of remsh bears no relation to the return value of the remote command.

DIAGNOSTICS

Besides the errors listed below, errors can also be generated by the library functions rcmd() and rresvport() which are used by remsh (see rcmd(3N)). Those errors are preceded by the name of the library function that generated them. remsh can produce the following diagnostic messages:

Error! could not retrieve authentication type.

Please notify sys admin.

There are two authentication mechanisms used by remsh. One authentication mechanism is based on Kerberos and the other is not. The type of authentication mechanism is obtained from a system file which is updated by inetsvcs_sec (see inetsvcs_sec(1M)). If the system file does not contain known authentication types, the above error is displayed.

rlogin: ...

Error in executing rlogin (rlogin is executed when the user does not specify any commands to be executed). This is followed by the error message specifying why the execution failed.

shell/tcp: Unknown service

The ``shell'' service specification is not present in the /etc/services file.

Can't establish stderr

remsh cannot establish secondary socket connection for stderr.

<system call>: ...

Error in executing system call. Appended to this error is a message specifying the cause of the failure.

There is no entry for you (user ID uid) in /etc/passwd

Check with the system administrator to see if your entry in the password file has been deleted by mistake.

rcmd: connect: <hostname>: Connection refused

One cause for display of this generic error message could be due to the absence of an entry for shell in /etc/inetd.conf on the remote system. This entry may have been removed or commented out to prevent non-secure access.

Kerberos-specific errors are listed in sis(5).

WARNINGS

For security reasons, the /etc/hosts.equiv and .rhosts files should exist, even if empty, and should be readable and writable only by the owner.

If remsh is run with an interactive command it hangs.

DEPENDENCIES

remsh is the same service as rsh on BSD systems. The name was changed due to a conflict with the existing System V command rsh (restricted shell).

AUTHOR

remsh was developed by the University of California, Berkeley.

FILES

/usr/hosts/*

for version of the command invoked only with hostname

SEE ALSO

rlogin(1), remshd(1M), rexecd(1M), inetsvcs_sec(1M), gethostent(3N), rcmd(3N), rexec(3N), hosts.equiv(4), hosts(4), sis(5).



remsh
  		 


rev  
© Hewlett-Packard Development Company, L.P.