.\"
.\" @(#)rlogind.8c 6.3 (Berkeley) 5/24/86
.\"
-.TH KRLOGIND 8C "Kerberos Version 5.0" "MIT Project Athena"
+.so man1/header.doc
+.TH KLOGIND 8C \*h
.SH NAME
-krlogind \- remote login server
+klogind \- remote login server
.SH SYNOPSIS
-.B /etc/rlogind
+.B klogind
[
.B \-kr54cpPe
]
.SH DESCRIPTION
-.I Krlogind
+.I Klogind
is the server for the
.IR rlogin (1C)
program. The server is
-based on rlogind(8C) but uses kerberos authentication.
+based on rlogind(8C) but uses Kerberos authentication.
.PP
The
-.I krlogind
-server is invoked by \fIinetd(8c)\fP when it receives a
-connection on the port indicated in /etc/inetd.conf. A typical
-/etc/inetd.conf configuration line for \fIkrlogind\fP might be:
+.I klogind
+server is invoked by \fIinetd(8c)\fP when it receives a connection on
+the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
+configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -e5c
+klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
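Review bot: the example inetd.conf line now hard-codes /usr/cygnus/sbin/klogind, a vendor-specific install prefix, while the SYNOPSIS in the same hunk was reduced to the bare name klogind. Use a path that matches where the build actually installs the daemon, or say in the text that the path is site-specific. Separately, .TH KLOGIND 8C \*h depends on the string h, presumably defined in the newly sourced man1/header.doc; if that file is not found at format time the title line loses its footer fields, so the dependency should be noted for packagers.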
login.krb5 or /bin/login, according to the definition of
DO_NOT_USE_K_LOGIN.
.PP
-The configuration of \fIkrlogind\fP is done
+The configuration of \fIklogind\fP is done
by command line arguments passed by inetd. The options are:
.IP \fB\-5\fP 10
-Allow Kerberos5 authentication with the \fI.k5login\fP access control file
-to be trusted. If this authentication system is used by the client and the
-authorization check is passed, then the user is allowed to log in.
+Allow Kerberos V5 authentication with the \fI.k5login\fP access control
+file to be trusted. If this authentication system is used by the client
+and the authorization check is passed, then the user is allowed to log
+in.
.IP \fB\-4\fP
-Allow Kerberos4 authentication with the \fI.klogin\fP access control file
-to be trusted. If this authentication system is used by the client and the
-authorization check is passed, then the user is allowed to log in.
+Allow Kerberos V4 authentication with the \fI.klogin\fP access control
+file to be trusted. If this authentication system is used by the client
+and the authorization check is passed, then the user is allowed to log
+in.
.IP \fB\-k\fP
-Allow Kerberos5 and Kerberos4 as acceptable authentication
+Allow Kerberos V5 and Kerberos V4 as acceptable authentication
mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP.
.IP \fB\-r\fP
Create an encrypted session.
.IP \fB\-c\fP
-Require Kerberos5 clients to present a cryptographic
-checksum of initial connection information like the name of the user
-that the client is trying to access in the initial authenticator.
-This checksum provides additionl security by preventing an attacker
-from changing the initial connection information. To benefit from
-this security, only Kerberos5 should be trusted; Kerberos4 and rhosts
-authentication do not include this checksum. If this option is
-specified, older Kerberos5 clients that do not send a checksum in the
-authenticator will not be able to authenticate to this server. This
-option is mutually exclusive with the \fB-i\fP option.
+Require Kerberos V5 clients to present a cryptographic checksum of
+initial connection information like the name of the user that the client
+is trying to access in the initial authenticator. This checksum
+provides additionl security by preventing an attacker from changing the
+initial connection information. To benefit from this security, only
+Kerberos V5 should be trusted; Kerberos V4 and rhosts authentication do
+not include this checksum. If this option is specified, older Kerberos
+V5 clients that do not send a checksum in the authenticator will not be
+able to authenticate to this server. This option is mutually exclusive
+with the \fB-i\fP option.
If neither the \fB-c\fP or \fB-i\fP options are specified,then
checksums are validated if presented. Since it is difficult to remove
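Review bot: the rewrapped \-c paragraph carries over the typo "additionl" (should be "additional") and still writes the other option as \fB-i\fP with an unescaped hyphen, where the option tags on this page use \-. Since every line of the paragraph is being touched, fix both here. It would also help to state outright that \-c only gives the protection described when \-4 and \-k are not also given, which is what "only Kerberos V5 should be trusted" implies but leaves the administrator to work out.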
window size of the terminal is requested from the client, and window
size changes from the client are propagated to the pseudo terminal.
-.PP .I Krlogind supports three options which are used for testing
+.PP
+.I Klogind
+supports three options which are used for testing
purposes:
-.IP \fB\-S\ srvtab\fP 10
-Set the \fIsrvtab\fP file to use.
+.IP \fB\-S\ keytab\fP 10
+Set the \fIkeytab\fP file to use.
.IP \fB\-M\ realm\fP
Set the Kerberos realm to use.
.IP \fB\-L\ login\fP
Set the login program to use. This option only has an effect if
DO_NOT_USE_K_LOGIN was not defined when
-.I krlogind
+.I klogind
was compiled.
.SH DIAGNOSTICS
All diagnostic messages are returned on the connection
.\"
.\" @(#)rshd.8c 6.3 (Berkeley) 5/24/86
.\"
-.TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena"
+.so man1/header.doc
+.TH KRSHD 8C \*h
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
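Review bot: the title line stays .TH KRSHD while the NAME line directly below reads kshd, and the sibling page in this patch was renamed from KRLOGIND to KLOGIND. Either rename this one to KSHD for consistency or explain why the two pages differ; as written, the title and the NAME section disagree about what the program is called.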
.PP
\fIKrshd\fP supports four options which may be used for testing:
-.IP \fB\-S\ srvtab\fP 10
-Set the \fIsrvtab\fP file to use.
+.IP \fB\-S\ keytab\fP 10
+Set the \fIkeytab\fP file to use.
.IP \fB\-M\ realm\fP
Set the Kerberos realm to use.
.\" login.1
.\"
-.TH LOGIN 8C "Kerberos Version 5.0" "MIT Project Athena"
+.so man1/header.doc
+.TH LOGIN 8C \*h
.SH NAME
-login \- kerberos enhanced login program
+login.krb5 \- kerberos enhanced login program
.SH SYNOPSIS
-.B /sbin/login.krb5
+.B login.krb5
[
.B \-fF [username]
]
.SH DESCRIPTION
-.I login
-is a modification of the BSD login program which is used for two functions.
-It is the sub-process used by krlogind and telnetd to initiate a user session
-and it is a replacement for the command-line login program which, when
-invoked with a password, acquires Kerberos tickets for the user.
+.I login.krb5
+is a modification of the BSD login program which is used for two
+functions. It is the sub-process used by krlogind and telnetd to
+initiate a user session and it is a replacement for the command-line
+login program which, when invoked with a password, acquires Kerberos
+tickets for the user.
.PP
-.I login
+.I login.krb5
will prompt for a username, or take one on the command line, as
-.I login username
-and will then prompt for a password. This password will be used to acquire
-Kerberos Version 5 tickets and Kerberos Version 4 tickets (if
-possible.) It will also attempt to run
+.I login.krb5 username
+and will then prompt for a password. This password will be used to
+acquire Kerberos Version 5 tickets and Kerberos Version 4 tickets (if
+possible.) It will also attempt to run
.I aklog
to get \fIAFS\fP tokens for the user. The version 5 tickets will be
tested against a local
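Review bot: the rewrapped DESCRIPTION still says "the sub-process used by krlogind and telnetd", but this patch renames that daemon to klogind in its own page, so the reference is now stale. The title line also remains .TH LOGIN although NAME and SYNOPSIS were changed to login.krb5. Update both so the three pages agree on names.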
user in. However, if the password matches the entry in
\fI/etc/passwd\fP the user will be unconditionally allowed (permitting
use of the machine in case of network failure.)
-.PP
-.I login
+.SH OPTIONS
+.TP
+\fB\-r\fP \fIhostname\fP
+pass hostname to rlogind.
+.TP
+\fB\-h\fP \fIhostname\fP
+pass hostname to telnetd, etc.
+.TP
+\fB\-f\fP \fIname\fP
+Perform pre-authenticated login, e.g., datakit, xterm, etc.; does not
+allow preauthenticated login as root.
+.TP
+\fB\-F\fP \fIname\fP
+Perform pre-authenticated login, e.g.,for datakit, xterm, etc.; allows
+preauthenticated login as root.
+.TP
+\fB\-e\fP \fIname\fP
+Perform pre-authenticated, encrypted login. Must do term negotiation.
+.SH CONFIGURATION
+.I login.krb5
is also configured via
.I krb5.conf
using the
-.I \[login\]
+.I login
stanza. A collection of options dealing with initial authentication are
provided:
.IP krb5_get_tickets
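Review bot: changing ".I \[login\]" to ".I login" drops the square brackets, so the text now says the "login stanza" without showing that it is the [login] section of krb5.conf; keep the brackets in a form that formats correctly. The new OPTIONS section documents \-r, \-h and \-e, but the SYNOPSIS still lists only "\-fF [username]", so the two sections disagree. The \-f and \-F entries differ only in whether preauthenticated login as root is allowed; word them identically apart from that clause (one says "e.g., datakit", the other "e.g.,for datakit" with a missing space) so the difference is obvious to the reader.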
.\"
.\" @(#)rcp.1 6.6 (Berkeley) 9/20/88
.\"
-.TH RCP 1 "Kerberos Version 5.0" "MIT Project Athena"
+.so man1/header.doc
+.TH RCP 1 \*h
.SH NAME
rcp \- remote file copy
.SH SYNOPSIS
.B rcp
-[
-.B \-p
-] [
-.B \-x
-] [
-.B \-k
-realm ] [
-.B \-D
-port ] [
-.B \-N
-] file1 file2
-.br
+[\fB\-p\fP] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-k\fP \fIrealm\fP ]
+[\fB\-D\fP \fIport\fP] [\fB\-N\fP]
+.I file1 file2
+.sp
.B rcp
-[
-.B \-p
-] [
-.B \-x
-] [
-.B \-k
-realm ] [
-.B \-r
-] [
-.B \-D
-port ] [
-.B \-N
-] file ... directory
+[\fB\-p\fB] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fP\-k\fP \fIrealm\fP]
+[\fB\-r\fP] [\fB\-D\fP \fIport\fP] [\fB\-N\fP]
+.I file ... directory
.SH DESCRIPTION
-.I Rcp
+.B Rcp
copies files between machines. Each
.I file
or
.I directory
-argument is either a remote file name of the
-form ``rhost:path'', or a local file name (containing no `:' characters,
-or a `/' before any `:'s).
-.PP
-If the
-.B \-r
-option
-is specified and any of the source files are directories,
-.I rcp
-copies each subtree rooted at that name; in this case
-the destination must be a directory.
+argument is either a remote file name of the form ``rhost:path'', or a
+local file name (containing no `:' characters, or a `/' before any
+`:'s).
.PP
By default, the mode and owner of
.I file2
-are preserved if it already existed; otherwise the mode of the source file
-modified by the
+are preserved if it already existed; otherwise the mode of the source
+file modified by the
.IR umask (2)
on the destination host is used.
-The
-.B \-p
-option causes
-.I rcp
-to attempt to preserve (duplicate) in its copies the modification
-times and modes of the source files, ignoring the
-.IR umask .
.PP
If
.I path
-is not a full path name, it is interpreted relative to
-your login directory on
+is not a full path name, it is interpreted relative to your login
+directory on
.IR rhost .
A
.I path
-on a remote host may be quoted (using \e, ", or \(aa)
-so that the metacharacters are interpreted remotely.
+on a remote host may be quoted (using \e, ", or \(aa) so that the
+metacharacters are interpreted remotely.
.PP
-.I Rcp
+.B Rcp
does not prompt for passwords; it uses Kerberos authentication when
connecting to
.IR rhost .
-Each user may have a private authorization list in a file \&.k5login
-in his login directory. Each line in this file should contain a
-Kerberos principal name of the form
+Each user may have a private authorization list in a file \&.k5login in
+his login directory. Each line in this file should contain a Kerberos
+principal name of the form
.IR principal/instance@realm .
If there is a ~/.k5login file, then access is granted to the account if
and only if the originater user is authenticated to one of the
principals named in the ~/.k5login file. Otherwise, the originating
user will be granted access to the account if and only if the
authenticated principal name of the user can be mapped to the local
-account name using the aname -> lname mapping rules (see \fIkrb5_anadd(8)\fP
+account name using the aname -> lname mapping rules (see
+.IR krb5_anadd (8)
for more details).
-.PP
-The
-.B \-x
-option selects encryption of all information transferring between hosts.
-The
-.B \-k
-.I realm
-option causes
-.I rcp
-to obtain tickets for the remote host in
+.SH OPTIONS
+.TP
+.B \-p
+attempt to preserve (duplicate) the modification times and modes of the
+source files in the copies, ignoring the
+.IR umask .
+.TP
+\fB\-x\fP | \fB\-\-encrypt\fP
+encrypt all information transferring between hosts.
+.TP
+\fB\-k\fP \fIrealm\fP
+obtain tickets for the remote host in
.I realm
instead of the remote host's realm as determined by
.IR krb_realmofhost (3).
-.PP
-The
-.B \-D
-option specifies the port to connect to on the remote machine. The
+.TP
+.B \-r
+if any of the source files are directories, copy each subtree rooted at
+that name; in this case the destination must be a directory.
+.TP
+\fB\-D\fP \fIport\fP
+connect to port
+.I port
+on the remote machine.
+.TP
.B \-N
-option tells rcp to use a network connection even when copying files
-on the local machine. These options are used for testing purposes.
+use a network connection, even when copying files on the local machine
+(used for testing purposes).
.PP
-.I Rcp
-handles third party copies, where neither source nor target files
-are on the current machine.
-Hostnames may also take the form ``rname@rhost'' to use
+.B Rcp
+handles third party copies, where neither source nor target files are on
+the current machine. Hostnames may also take the form ``rname@rhost''
+to use
.I rname
rather than the current user name on the remote host.
+.SH CONFIGURATION
+The following defaults may be specified in the [appdefaults] or [realms]
+section of the
+.IR krb5.conf (5)
+file:
+.TP "\w'.B encrypt\ \ 'u"
+.B encrypt
+Whether or not to encrypt the data stream. Takes a boolean argument.
+.PP
+For example:
+.sp
+.nf
+.in +1i
+[appdefaults]
+ rcp = {
+ encrypt = true
+ }
+[realms]
+ FUBAR.ORG = {
+ rcp = {
+ encrypt = false
+ }
+ }
+.in -1i
+.fi
+.sp
+.SH FILES
+.TP "\w'/etc/krb5.conf\ \ 'u"
+/etc/krb5.conf
+file containing local host's Kerberos V5 configuration information
+.sp -1v
+.TP
+~/.k5login
+(on remote host) - file containing Kerberos principals that are allowed
+access.
.SH SEE ALSO
cp(1), ftp(1), rsh(1), rlogin(1), kerberos(3), krb_getrealm(3),
-rcp(1) [UCB version]
+krb5.conf(5), rcp(1) [UCB version]
.SH BUGS
-Doesn't detect all cases where the target of a copy might
-be a file in cases where only a directory should be legal.
+.B Rcp
+doesn't detect all cases where the target of a copy might be a file in
+cases where only a directory should be legal.
.PP
-Is confused by any output generated by commands in a
-\&.login, \&.profile, or \&.cshrc file on the remote host.
+.B Rcp
+is confused by any output generated by commands in a \&.login,
+\&.profile, or \&.cshrc file on the remote host.
.PP
Kerberos is only used for the first connection of a third-party copy;
the second connection uses the standard Berkeley rcp protocol.
-
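Review bot: the second SYNOPSIS form has mismatched font escapes: "[\fB\-p\fB]" never switches back with \fP, and "[\fP\-k\fP \fIrealm\fP]" opens with \fP instead of \fB, so bold runs on after \-p and \-k is not set in bold. Copy the escapes from the first form, which has them right. On content, the new CONFIGURATION section lets krb5.conf set encrypt, but unlike the rlogin and rsh pages in this patch there is no \-\-noencrypt listed for rcp, and the text does not say whether the [realms] entry or the [appdefaults] entry wins when both are present; the example only implies it.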
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.\" @(#)rlogin.1 6.9 (Berkeley) 9/19/88
-.\"
-.TH RLOGIN 1 "Kerberos Version 5.0" "MIT Project Athena"
+.\" "
+.so man1/header.doc
+.TH RLOGIN 1 \*h
.SH NAME
rlogin \- remote login
.SH SYNOPSIS
.B rlogin
-rhost [
-\fB\-e\fR\fI\|c\fR
-] [
-.B \-8
-] [
-.B \-c
-] [
-.B \-a
-] [
-.B \-f
-] [
-.B \-F
-] [
-.B \-t
-termtype ] [
-.B \-n
-] [
-.B \-7
-] [
-.B \-d
-] [
-.B \-k
-realm ] [
-.B \-x
-] [
-.B \-noflow
-] [
-.B \-L
-] [
-.B \-l
-username ]
+.I rhost
+[\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP |
+\fB\-\-forward\fP] [\fB\-\-noforward\fP] [\fB\-F\fP |
+\fB\-\-forwardable\fP] [\fB\-\-noforwardable\fP] [\fB\-t\fP
+\fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP] [\fB\-d\fP] [\fB\-k\fP
+\fIrealm\fP] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-\-noencrypt\fP]
+[\fB\-\-noflow\fP] [\fB\-L\fP] [\fB\-l\fP \fIusername\fP]
.PP
.SH DESCRIPTION
.I Rlogin
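Review bot: the rewritten SYNOPSIS has a stray space in "[ \fB\-a\fP]" that none of the other bracketed options have. It also respells the old "\-noflow" as "\-\-noflow" without saying whether the single-dash form is still accepted; if it is not, that is a user-visible change worth a sentence. The comment line changed from .\" to .\" " looks accidental; drop the stray quote unless it is there on purpose.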
mechanism, it uses Kerberos authentication to determine the
authorization to use a remote account.
.PP
-Each user may have a private authorization list in a file \&.k5login
-in his login directory. Each line in this file should contain a
-Kerberos principal name of the form
+Each user may have a private authorization list in a file \&.k5login in
+his login directory. Each line in this file should contain a Kerberos
+principal name of the form
.IR principal/instance@realm .
If the originating user is authenticated to one of the principals named
in \&.k5login, access is granted to the account. If there is no
-/.k5login file, the principal will be granted access
-to the account according to the aname\->lname mapping rules (see
+/.k5login file, the principal will be granted access to the account
+according to the aname\->lname mapping rules. (See
.IR krb5_anadd(8)
-for more details)
-Otherwise
-a login and password will be prompted for on the remote machine as in
+for more details.) Otherwise a login and password will be prompted for
+on the remote machine as in
.IR login (1).
To avoid some security problems, the \&.k5login file must be owned by
the remote user.
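Review bot: the rewrapped sentence keeps "/.k5login file", which reads as a file in the root directory, while the FILES section added later in this patch and the rcp and rsh pages write ~/.k5login. Since this paragraph decides who is granted access to the account, make the path unambiguous here as well. The neighbouring reference is still ".IR krb5_anadd(8)" where the other pages in this patch were changed to ".IR krb5_anadd (8)".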
information, an error message is printed and the standard UCB rlogin is
executed in place of the Kerberos rlogin.
.PP
-A line of the form ``~.'' disconnects from the remote host, where
-``~'' is the escape character.
-Similarly, the line ``~^Z'' (where ^Z, control-Z, is the suspend character)
-will suspend the rlogin session.
-Substitution of the delayed-suspend character (normally ^Y)
-for the suspend character suspends the send portion of the rlogin,
-but allows output from the remote system.
+A line of the form ``~.'' disconnects from the remote host, where ``~''
+is the escape character. Similarly, the line ``~^Z'' (where ^Z,
+control-Z, is the suspend character) will suspend the rlogin session.
+Substitution of the delayed-suspend character (normally ^Y) for the
+suspend character suspends the send portion of the rlogin, but allows
+output from the remote system.
.PP
-The remote terminal type is the same as your local
-terminal type (as given in your environment TERM variable), unless the
+The remote terminal type is the same as your local terminal type (as
+given in your environment TERM variable), unless the
.B \-t
-option is specified (see below).
-The terminal or window size is also copied to the remote system
-if the server supports the option,
-and changes in size are reflected as well.
-.PP
-All echoing takes place at the remote site, so that (except for
-delays) the rlogin is transparent. Flow control via ^S and ^Q and
-flushing of input and output on interrupts are handled properly.
-.PP
-The
+option is specified (see below). The terminal or window size is also
+copied to the remote system if the server supports the option, and
+changes in size are reflected as well.
+.PP
+All echoing takes place at the remote site, so that (except for delays)
+the rlogin is transparent. Flow control via ^S and ^Q and flushing of
+input and output on interrupts are handled properly.
+.SH OPTIONS
+.TP
.B \-8
-option allows an eight-bit input data path at all times;
-otherwise parity bits are stripped except when the remote side's
-stop and start characters are other than ^S/^Q. Eight-bit mode is the default.
-.PP
-The
+allows an eight-bit input data path at all times; otherwise parity bits
+are stripped except when the remote side's stop and start characters are
+other than ^S/^Q. Eight-bit mode is the default.
+.TP
.B \-L
-option allows the rlogin session to be run in litout mode.
-.PP
-The
-.B \-e
-option allows specification of a different escape character.
+allows the rlogin session to be run in litout mode.
+.TP
+\fB\-e\fP\fIc\fP
+sets the escape character to
+.IR c .
There is no space separating this option flag and the new escape
character.
-.PP
-The
+.TP
.B \-c
-option requires confirmation before disconnecting via ``~.''
-.PP
-The
+require confirmation before disconnecting via ``~.''
+.TP
.B \-a
-option forces the remote machine to ask for a password by sending a null local
+force the remote machine to ask for a password by sending a null local
username. This option has no effect unless the standard UCB rlogin is
executed in place of the Kerberos rlogin (see above).
-.PP
-The
-.B \-f
-option forwards the local credentials to the remote system
-but marks the remote credentials as Non-forwardable.
-.PP
-The
-.B \-F
-option forwards the local credentials to the remote system
-and marks the remote credentials as Forwardable.
-.PP
-The
-.B \-t
-option replaces the terminal type passed to the remote host with
-\fItermtype\fP.
-.PP
-The
+.TP
+\fB\-f\fP | \fB\-\-forward\fP
+forward a copy of the local credentials to the remote system.
+.TP
+.B \-\-noforward
+disables ticket forwarding. This is useful for overriding the
+application defaults in the host's
+.IR krb5.conf (5)
+file.
+.TP
+\fB\-F\fP | \fB\-\-forwardable\fP
+forward a
+.I forwardable
+copy of the local credentials to the remote system.
+.TP
+.B \-\-noforwardable
+makes any forwarded tickets non-forwardable. This is useful for
+overriding the application defaults in the host's
+.IR krb5.conf (5)
+file.
+.TP
+\fB\-t\fP \fItermtype\fP
+replace the terminal type passed to the remote host with
+.IR termtype .
+.TP
.B \-n
-option prevents suspension of rlogin via ``~^Z'' or ``~^Y''.
-.PP
-The
+prevent suspension of rlogin via ``~^Z'' or ``~^Y''.
+.TP
.B \-7
-option forces seven-bit transmissions.
-.PP
-The
+force seven-bit transmissions.
+.TP
.B \-d
-option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP
-sockets used for communication with the remote host.
-.PP
-The
-.B \-noflow
-option forces transmission of flow control characters (^S/^Q) to the
-remote system.
-.PP
-The
+turn on socket debugging (via
+.IR setsockopt (2))
+on the TCP sockets used for communication with the remote host.
+.TP
+.B \-\-noflow
+force transmission of flow control characters (^S/^Q) to the remote
+system.
+.TP
.B \-k
-option requests rlogin to obtain tickets for the remote host in realm
+request rlogin to obtain tickets for the remote host in realm
.I realm
instead of the remote host's realm as determined by
.IR krb_realmofhost (3).
-.PP
-The
-.B \-x
-option turns on DES encryption for all data passed via the
-rlogin session. This significantly reduces response time and
-significantly increases CPU utilization.
+.TP
+\fB\-x\fP | \fB\-\-encrypt\fP
+turn on DES encryption for all data passed via the rlogin session. This
+significantly reduces response time and significantly increases CPU
+utilization.
+.TP
+.B \-\-noencrypt
+disables encryption. This is useful for overriding the application
+defaults in the host's
+.IR krb5.conf (5)
+file.
+.SH CONFIGURATION
+The following defaults may be specified in the [appdefaults] or [realms]
+section of the
+.IR krb5.conf (5)
+file:
+.TP "\w'.B forwardable\ \ 'u"
+.B forwardable
+Whether or not any forwarded tickets should be forwardable. Takes a
+boolean argument.
+.TP
+.B forward
+Whether or not to forward tickets to the remote host. Takes a boolean
+argument.
+.TP
+.B encrypt
+Whether or not to encrypt the data stream. Takes a boolean argument.
+.PP
+For example:
+.sp
+.nf
+.in +1i
+[appdefaults]
+ rlogin = {
+ forwardable = true
+ forward = true
+ encrypt = true
+ }
+[realms]
+ FUBAR.ORG = {
+ rlogin = {
+ forward = false
+ }
+ }
+.in -1i
+.fi
+.sp
.SH SEE ALSO
rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3),
-rlogin(1) [UCB version]
+krb5.conf(5), rlogin(1) [UCB version]
.SH FILES
-\&.k5login in the user's home directory
+.TP "\w'/etc/krb5.conf\ \ 'u"
+/etc/krb5.conf
+file containing local host's Kerberos V5 configuration information
+.sp -1v
+.TP
+~/\&.k5login
+(on remote host) - file containing Kerberos principals that are allowed
+access.
.SH BUGS
More of the environment should be propagated.
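Review bot: the new \-f entry says only "forward a copy of the local credentials", dropping the removed text's statement that the remote credentials are marked non-forwardable, which was the one thing that distinguished \-f from \-F; restore that clause. The CONFIGURATION example sets forward = true and forwardable = true under [appdefaults], and examples get copied, so consider showing forwarding off by default with a per-realm opt-in, and state which of [appdefaults] and [realms] takes precedence. Two smaller items: the \-k tag is ".B \-k" with no realm argument although the SYNOPSIS shows "\-k realm", and the \-x entry still says encryption "significantly reduces response time", which reads as a benefit when a slowdown is presumably meant.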
.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.\" @(#)rsh.1 6.2 (Berkeley) 9/20/88
-.\"
-.TH RSH 1 "Kerberos Version 5.0" "MIT Project Athena"
+.\" "
+.so man1/header.doc
+.TH RSH 1 \*h
.SH NAME
rsh \- remote shell
.SH SYNOPSIS
.B rsh
-host
-[
-.B \-l
-username
-] [
-.B \-n
-] [
-.B \-d
-] [
-.B \-k
-realm ] [
-.B \-f | \-F
-] [
-.B \-x
-] [
-.B \-A
-] command
+.I host
+[\fB\-l\fP \fIusername\fP] [\fB\-n\fP] [\fB\-d\fP] [\fB\-k\fP
+\fIrealm\fP] [\fB\-f\fP | \fB\-\-forward\fP | \fB\-F\fP |
+\fB\-\-forwardable\fP] [\fB\-\-noforward\fP] [\fB\-\-noforwardable\fP]
+[\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-\-noencrypt\fP] [\fB\-\-noflow\fP]
+.I command
.SH DESCRIPTION
-.I Rsh
+.B Rsh
connects to the specified
.I host,
and executes the specified \fIcommand\fR.
-.I Rsh
-copies its standard input to the remote command, the standard
-output of the remote command to its standard output, and the
-standard error of the remote command to its standard error.
-Interrupt, quit and terminate signals are propagated to the remote
-command; \fIrsh\fP normally terminates when the remote command does.
-.PP
-The remote username used is the same as your local username,
-unless you specify a different remote name with the
-.B \-l
-option.
+.B Rsh
+copies its standard input to the remote command, the standard output of
+the remote command to its standard output, and the standard error of the
+remote command to its standard error. This implementation of
+.B rsh
+will accept any port for the standard error stream. Interrupt, quit and
+terminate signals are propagated to the remote command; \fIrsh\fP
+normally terminates when the remote command does.
.PP
-Each user may have a private authorization list in a file \&.k5login
-in his login directory. Each line in this file should contain a
-Kerberos principal name of the form
+Each user may have a private authorization list in a file \&.k5login in
+his login directory. Each line in this file should contain a Kerberos
+principal name of the form
.IR principal/instance@realm .
If there is a ~/.k5login file, then access is granted to the account if
and only if the originater user is authenticated to one of the
princiapls named in the ~/.k5login file. Otherwise, the originating
user will be granted access to the account if and only if the
authenticated principal name of the user can be mapped to the local
-account name using the aname -> lname mapping rules (see \fIkrb5_anadd(8)\fP
+account name using the aname -> lname mapping rules (see
+.IR krb5_anadd (8)
for more details).
-.PP
-The
-.B \-x
-option causes the network session traffic to be encrypted.
-.PP
+.SH OPTIONS
+.TP
+\fB\-l\fP \fIusername\fP
+sets the remote username to
+.IR username .
+Otherwise, the remote username will be the same as the local username.
+.TP
+\fB\-x\fP | \fB\-\-encrypt\fP
+causes the network session traffic to be encrypted.
+.TP
+.B \-\-noencrypt
+disables encryption. This is useful for overriding the application
+defaults in the host's
+.IR krb5.conf (5)
+file.
+.TP
+\fB\-f\fP | \fB\-\-forward\fP
The
.B \-f
and
+.B \-\-forward
+options cause Kerberos credentials to be forwarded to the remote machine
+for use by the specified
+.IR command .
+They will be removed when
+.I command
+finishes. This option is mutually exclusive with the
.B \-F
-options cause Kerberos credentials to be forwarded to the remote machine for
-use by the specified \fIcommand\fR. They will be removed when \fIcommand\fR
-finishes. If
-.B \-F
-is used, the forwarded credentials are themselves forwardable to other
-machines.
-.PP
+or
+.B \-\-forwardable
+options.
+.TP
+\fB\-F\fP | \fB\-\-forwardable\fP
The
-.B \-k
-\fIrealm\fP option causes
+.B \-F
+and
+.B \-\-forwardable
+options cause
+.I forwardable
+Kerberos credentials to be forwarded to the remote machine for use by
+the specified
+.IR command .
+They will be removed when
+.I command
+finishes. This option is mutually exclusive with the
+.B \-f
+or
+.B \-\-forward
+options.
+.TP
+.B \-\-noforward
+disables ticket forwarding. This is useful for overriding the
+application defaults in the host's
+.IR krb5.conf (5)
+file.
+.TP
+.B \-\-noforwardable
+makes any forwarded tickets non-forwardable. This is useful for
+overriding the application defaults in the host's
+.IR krb5.conf (5)
+file.
+.TP
+\fB\-k\fP\fIrealm\fP
+causes
.I rsh
to obtain tickets for the remote host in
.I realm
instead of the remote host's realm as determined by
.IR krb_realmofhost (3).
-.PP
-The
+.TP
.B \-d
-option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP
-sockets used for communication with the remote host.
-.PP
-The
+turns on socket debugging (via
+.IR setsockopt (2))
+on the TCP sockets used for communication with the remote host.
+.TP
.B \-n
-option redirects input from the special device
+redirects input from the special device
.I /dev/null
(see the BUGS section below).
-.PP
-The
-.B \-A
-option accepts any port number for the stderr stream. Normally
-.I rsh
-requires a reserved port number. This option is used for debugging.
+.TP
+.B \-\-noflow
+If
+.B rsh
+causes you to be logged into the remote host using
+.IR rlogin (1),
+this option passes the \-\-noflow option to
+.IR rlogin .
.PP
If you omit
-.I command,
-then instead of executing a single command, you will be logged in
-on the remote host using
+.IR command ,
+then instead of executing a single command, you will be logged in on the
+remote host using
.IR rlogin (1).
.PP
-Shell metacharacters which are not quoted are interpreted
-on local machine, while quoted metacharacters are interpreted on
-the remote machine.
-Thus the command
+Shell metacharacters which are not quoted are interpreted on the local
+machine, while quoted metacharacters are interpreted on the remote
+machine. Thus the command
.PP
\ \ \ rsh otherhost cat remotefile >> localfile
.PP
appends the remote file
.I remotefile
to the local file
-.I localfile,
+.IR localfile ,
while
.PP
\ \ \ rsh otherhost cat remotefile ">>" otherremotefile
appends
.I remotefile
to
-.I otherremotefile.
+.IR otherremotefile .
+.SH CONFIGURATION
+The following defaults may be specified in the [appdefaults] or [realms]
+section of the
+.IR krb5.conf (5)
+file:
+.TP "\w'.B forwardable\ \ 'u"
+.B forwardable
+Whether or not any forwarded tickets should be forwardable. Takes a
+boolean argument.
+.TP
+.B forward
+Whether or not to forward tickets to the remote host. Takes a boolean
+argument.
+.TP
+.B encrypt
+Whether or not to encrypt the data stream. Takes a boolean argument.
+.PP
+For example:
+.sp
+.nf
+.in +1i
+[appdefaults]
+ rsh = {
+ forwardable = true
+ forward = true
+ encrypt = true
+ }
+[realms]
+ FUBAR.ORG = {
+ rsh = {
+ forward = false
+ }
+ }
+.in -1i
+.fi
+.sp
.SH FILES
-.ta 2i
+.TP "\w'/etc/krb5.conf\ \ 'u"
/etc/hosts
-.br
-\&.k5login in the user's home directory
-.DT
+.sp -1v
+.TP
+/etc/krb5.conf
+file containing local host's Kerberos V5 configuration information
+.sp -1v
+.TP
+~/\&.k5login
+(on remote host) - file containing Kerberos principals that are allowed
+access.
.SH SEE ALSO
-rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3)
+rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3),
+krb5.conf(5)
.SH BUGS
If you are using
.IR csh (1)
and put a
.IR rsh (1)
-in the background without redirecting its input
-away from the terminal, it will block even if no reads
-are posted by the remote command. If no input is desired
-you should redirect the input of
+in the background without redirecting its input away from the terminal,
+it will block even if no reads are posted by the remote command. If no
+input is desired you should redirect the input of
.I rsh
to /dev/null using the
.B \-n
option.
.PP
-You cannot run an interactive command
-(like
+You cannot run an interactive command (like
.IR rogue (6)
or
.IR vi (1));
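Review bot: the DESCRIPTION now states "This implementation of rsh will accept any port for the standard error stream" and the \-A option is removed, whereas the deleted text said rsh normally requires a reserved port and that accepting any port was for debugging. That turns a debugging exception into the documented default, so the page should say why the reserved-port requirement was dropped. Also in this hunk: the \-k tag is "\fB\-k\fP\fIrealm\fP" with no space, unlike the SYNOPSIS; the \-f and \-F entries open with "The \-f and \-\-forward options cause" under a tag that already names them, unlike the other entries; and the FILES entry for /etc/hosts has no description before ".sp -1v".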
.IR rlogin (1).
.PP
Stop signals stop the local \fIrsh\fP process only; this is arguably
-wrong, but currently hard to fix for reasons too complicated to
-explain here.
+wrong, but currently hard to fix for reasons too complicated to explain
+here.