From: Jeff Bigler Date: Thu, 29 Aug 1996 20:32:55 +0000 (+0000) Subject: man page rewrites/tweaks/edits from Cygnus X-Git-Tag: krb5-1.0-beta7~85 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6486768298fa15aa6b6cc28f6dd4dc2ed77c5e82;p=krb5.git man page rewrites/tweaks/edits from Cygnus git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9003 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M index 8322e7be9..e48bc91f8 100644 --- a/src/appl/bsd/klogind.M +++ b/src/appl/bsd/klogind.M @@ -4,28 +4,29 @@ .\" .\" @(#)rlogind.8c 6.3 (Berkeley) 5/24/86 .\" -.TH KRLOGIND 8C "Kerberos Version 5.0" "MIT Project Athena" +.so man1/header.doc +.TH KLOGIND 8C \*h .SH NAME -krlogind \- remote login server +klogind \- remote login server .SH SYNOPSIS -.B /etc/rlogind +.B klogind [ .B \-kr54cpPe ] .SH DESCRIPTION -.I Krlogind +.I Klogind is the server for the .IR rlogin (1C) program. The server is -based on rlogind(8C) but uses kerberos authentication. +based on rlogind(8C) but uses Kerberos authentication. .PP The -.I krlogind -server is invoked by \fIinetd(8c)\fP when it receives a -connection on the port indicated in /etc/inetd.conf. A typical -/etc/inetd.conf configuration line for \fIkrlogind\fP might be: +.I klogind +server is invoked by \fIinetd(8c)\fP when it receives a connection on +the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf +configuration line for \fIklogind\fP might be: -klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -e5c +klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c When a service request is received, the following protocol is initiated: 
@@ -41,20 +42,22 @@ If the authentication succeeds, login the user by calling the accompanying login.krb5 or /bin/login, according to the definition of DO_NOT_USE_K_LOGIN. .PP -The configuration of \fIkrlogind\fP is done +The configuration of \fIklogind\fP is done by command line arguments passed by inetd. The options are: .IP \fB\-5\fP 10 -Allow Kerberos5 authentication with the \fI.k5login\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. +Allow Kerberos V5 authentication with the \fI.k5login\fP access control +file to be trusted. If this authentication system is used by the client +and the authorization check is passed, then the user is allowed to log +in. .IP \fB\-4\fP -Allow Kerberos4 authentication with the \fI.klogin\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. +Allow Kerberos V4 authentication with the \fI.klogin\fP access control +file to be trusted. If this authentication system is used by the client +and the authorization check is passed, then the user is allowed to log +in. .IP \fB\-k\fP -Allow Kerberos5 and Kerberos4 as acceptable authentication +Allow Kerberos V5 and Kerberos V4 as acceptable authentication mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. .IP \fB\-r\fP 
@@ -77,16 +80,16 @@ to all other checks. Create an encrypted session. .IP \fB\-c\fP -Require Kerberos5 clients to present a cryptographic -checksum of initial connection information like the name of the user -that the client is trying to access in the initial authenticator. -This checksum provides additionl security by preventing an attacker -from changing the initial connection information. To benefit from -this security, only Kerberos5 should be trusted; Kerberos4 and rhosts -authentication do not include this checksum. If this option is -specified, older Kerberos5 clients that do not send a checksum in the -authenticator will not be able to authenticate to this server. This -option is mutually exclusive with the \fB-i\fP option. +Require Kerberos V5 clients to present a cryptographic checksum of +initial connection information like the name of the user that the client +is trying to access in the initial authenticator. This checksum +provides additionl security by preventing an attacker from changing the +initial connection information. To benefit from this security, only +Kerberos V5 should be trusted; Kerberos V4 and rhosts authentication do +not include this checksum. If this option is specified, older Kerberos +V5 clients that do not send a checksum in the authenticator will not be +able to authenticate to this server. This option is mutually exclusive +with the \fB-i\fP option. If neither the \fB-c\fP or \fB-i\fP options are specified,then checksums are validated if presented. Since it is difficult to remove 
@@ -124,11 +127,13 @@ environment variable, ``TERM''; see .IR environ (7). The screen or window size of the terminal is requested from the client, and window size changes from the client are propagated to the pseudo terminal. -.PP .I Krlogind supports three options which are used for testing +.PP +.I Klogind +supports three options which are used for testing purposes: -.IP \fB\-S\ srvtab\fP 10 -Set the \fIsrvtab\fP file to use. +.IP \fB\-S\ keytab\fP 10 +Set the \fIkeytab\fP file to use. .IP \fB\-M\ realm\fP Set the Kerberos realm to use. @@ -136,7 +141,7 @@ Set the Kerberos realm to use. .IP \fB\-L\ login\fP Set the login program to use. This option only has an effect if DO_NOT_USE_K_LOGIN was not defined when -.I krlogind +.I klogind was compiled. .SH DIAGNOSTICS All diagnostic messages are returned on the connection diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M index 9b263ec0d..3ebe5cf8d 100644 --- a/src/appl/bsd/kshd.M +++ b/src/appl/bsd/kshd.M @@ -4,7 +4,8 @@ .\" .\" @(#)rshd.8c 6.3 (Berkeley) 5/24/86 .\" -.TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena" +.so man1/header.doc +.TH KRSHD 8C \*h .SH NAME kshd \- kerberized remote shell server .SH SYNOPSIS @@ -107,8 +108,8 @@ connect from a privileged port. .PP \fIKrshd\fP supports four options which may be used for testing: -.IP \fB\-S\ srvtab\fP 10 -Set the \fIsrvtab\fP file to use. +.IP \fB\-S\ keytab\fP 10 +Set the \fIkeytab\fP file to use. .IP \fB\-M\ realm\fP Set the Kerberos realm to use. diff --git a/src/appl/bsd/login.M b/src/appl/bsd/login.M index 222abab54..7fc13d26b 100644 --- a/src/appl/bsd/login.M +++ b/src/appl/bsd/login.M 
@@ -1,26 +1,28 @@ .\" login.1 .\" -.TH LOGIN 8C "Kerberos Version 5.0" "MIT Project Athena" +.so man1/header.doc +.TH LOGIN 8C \*h .SH NAME -login \- kerberos enhanced login program +login.krb5 \- kerberos enhanced login program .SH SYNOPSIS -.B /sbin/login.krb5 +.B login.krb5 [ .B \-fF [username] ] .SH DESCRIPTION -.I login -is a modification of the BSD login program which is used for two functions. -It is the sub-process used by krlogind and telnetd to initiate a user session -and it is a replacement for the command-line login program which, when -invoked with a password, acquires Kerberos tickets for the user. +.I login.krb5 +is a modification of the BSD login program which is used for two +functions. It is the sub-process used by krlogind and telnetd to +initiate a user session and it is a replacement for the command-line +login program which, when invoked with a password, acquires Kerberos +tickets for the user. .PP -.I login +.I login.krb5 will prompt for a username, or take one on the command line, as -.I login username -and will then prompt for a password. This password will be used to acquire -Kerberos Version 5 tickets and Kerberos Version 4 tickets (if -possible.) It will also attempt to run +.I login.krb5 username +and will then prompt for a password. This password will be used to +acquire Kerberos Version 5 tickets and Kerberos Version 4 tickets (if +possible.) It will also attempt to run .I aklog to get \fIAFS\fP tokens for the user. The version 5 tickets will be tested against a local 
@@ -29,12 +31,30 @@ if it is available, in order to verify the tickets, before letting the user in. However, if the password matches the entry in \fI/etc/passwd\fP the user will be unconditionally allowed (permitting use of the machine in case of network failure.) -.PP -.I login +.SH OPTIONS +.TP +\fB\-r\fP \fIhostname\fP +pass hostname to rlogind. +.TP +\fB\-h\fP \fIhostname\fP +pass hostname to telnetd, etc. +.TP +\fB\-f\fP \fIname\fP +Perform pre-authenticated login, e.g., datakit, xterm, etc.; does not +allow preauthenticated login as root. +.TP +\fB\-F\fP \fIname\fP +Perform pre-authenticated login, e.g.,for datakit, xterm, etc.; allows +preauthenticated login as root. +.TP +\fB\-e\fP \fIname\fP +Perform pre-authenticated, encrypted login. Must do term negotiation. +.SH CONFIGURATION +.I login.krb5 is also configured via .I krb5.conf using the -.I \[login\] +.I login stanza. A collection of options dealing with initial authentication are provided: .IP krb5_get_tickets diff --git a/src/appl/bsd/rcp.M b/src/appl/bsd/rcp.M index 39b13c40e..ea6812070 100644 --- a/src/appl/bsd/rcp.M +++ b/src/appl/bsd/rcp.M 
@@ -17,131 +17,144 @@ .\" .\" @(#)rcp.1 6.6 (Berkeley) 9/20/88 .\" -.TH RCP 1 "Kerberos Version 5.0" "MIT Project Athena" +.so man1/header.doc +.TH RCP 1 \*h .SH NAME rcp \- remote file copy .SH SYNOPSIS .B rcp -[ -.B \-p -] [ -.B \-x -] [ -.B \-k -realm ] [ -.B \-D -port ] [ -.B \-N -] file1 file2 -.br +[\fB\-p\fP] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-k\fP \fIrealm\fP ] +[\fB\-D\fP \fIport\fP] [\fB\-N\fP] +.I file1 file2 +.sp .B rcp -[ -.B \-p -] [ -.B \-x -] [ -.B \-k -realm ] [ -.B \-r -] [ -.B \-D -port ] [ -.B \-N -] file ... directory +[\fB\-p\fB] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fP\-k\fP \fIrealm\fP] +[\fB\-r\fP] [\fB\-D\fP \fIport\fP] [\fB\-N\fP] +.I file ... directory .SH DESCRIPTION -.I Rcp +.B Rcp copies files between machines. Each .I file or .I directory -argument is either a remote file name of the -form ``rhost:path'', or a local file name (containing no `:' characters, -or a `/' before any `:'s). -.PP -If the -.B \-r -option -is specified and any of the source files are directories, -.I rcp -copies each subtree rooted at that name; in this case -the destination must be a directory. +argument is either a remote file name of the form ``rhost:path'', or a +local file name (containing no `:' characters, or a `/' before any +`:'s). .PP By default, the mode and owner of .I file2 -are preserved if it already existed; otherwise the mode of the source file -modified by the +are preserved if it already existed; otherwise the mode of the source +file modified by the .IR umask (2) on the destination host is used. -The -.B \-p -option causes -.I rcp -to attempt to preserve (duplicate) in its copies the modification -times and modes of the source files, ignoring the -.IR umask . .PP If .I path -is not a full path name, it is interpreted relative to -your login directory on +is not a full path name, it is interpreted relative to your login +directory on .IR rhost . 
A .I path -on a remote host may be quoted (using \e, ", or \(aa) -so that the metacharacters are interpreted remotely. +on a remote host may be quoted (using \e, ", or \(aa) so that the +metacharacters are interpreted remotely. .PP -.I Rcp +.B Rcp does not prompt for passwords; it uses Kerberos authentication when connecting to .IR rhost . -Each user may have a private authorization list in a file \&.k5login -in his login directory. Each line in this file should contain a -Kerberos principal name of the form +Each user may have a private authorization list in a file \&.k5login in +his login directory. Each line in this file should contain a Kerberos +principal name of the form .IR principal/instance@realm . If there is a ~/.k5login file, then access is granted to the account if and only if the originater user is authenticated to one of the principals named in the ~/.k5login file. Otherwise, the originating user will be granted access to the account if and only if the authenticated principal name of the user can be mapped to the local -account name using the aname -> lname mapping rules (see \fIkrb5_anadd(8)\fP +account name using the aname -> lname mapping rules (see +.IR krb5_anadd (8) for more details). -.PP -The -.B \-x -option selects encryption of all information transferring between hosts. -The -.B \-k -.I realm -option causes -.I rcp -to obtain tickets for the remote host in +.SH OPTIONS +.TP +.B \-p +attempt to preserve (duplicate) the modification times and modes of the +source files in the copies, ignoring the +.IR umask . +.TP +\fB\-x\fP | \fB\-\-encrypt\fP +encrypt all information transferring between hosts. +.TP +\fB\-k\fP \fIrealm\fP +obtain tickets for the remote host in .I realm instead of the remote host's realm as determined by .IR krb_realmofhost (3). -.PP -The -.B \-D -option specifies the port to connect to on the remote machine. 
The +.TP +.B \-r +if any of the source files are directories, copy each subtree rooted at +that name; in this case the destination must be a directory. +.TP +\fB\-D\fP \fIport\fP +connect to port +.I port +on the remote machine. +.TP .B \-N -option tells rcp to use a network connection even when copying files -on the local machine. These options are used for testing purposes. +use a network connection, even when copying files on the local machine +(used for testing purposes). .PP -.I Rcp -handles third party copies, where neither source nor target files -are on the current machine. -Hostnames may also take the form ``rname@rhost'' to use +.B Rcp +handles third party copies, where neither source nor target files are on +the current machine. Hostnames may also take the form ``rname@rhost'' +to use .I rname rather than the current user name on the remote host. +.SH CONFIGURATION +The following defaults may be specified in the [appdefaults] or [realms] +section of the +.IR krb5.conf (5) +file: +.TP "\w'.B encrypt\ \ 'u" +.B encrypt +Whether or not to encrypt the data stream. Takes a boolean argument. +.PP +For example: +.sp +.nf +.in +1i +[appdefaults] + rcp = { + encrypt = true + } +[realms] + FUBAR.ORG = { + rcp = { + encrypt = false + } + } +.in -1i +.fi +.sp +.SH FILES +.TP "\w'/etc/krb5.conf\ \ 'u" +/etc/krb5.conf +file containing local host's Kerberos V5 configuration information +.sp -1v +.TP +~/.k5login +(on remote host) - file containing Kerberos principals that are allowed +access. .SH SEE ALSO cp(1), ftp(1), rsh(1), rlogin(1), kerberos(3), krb_getrealm(3), -rcp(1) [UCB version] +krb5.conf(5), rcp(1) [UCB version] .SH BUGS -Doesn't detect all cases where the target of a copy might -be a file in cases where only a directory should be legal. +.B Rcp +doesn't detect all cases where the target of a copy might be a file in +cases where only a directory should be legal. 
.PP -Is confused by any output generated by commands in a -\&.login, \&.profile, or \&.cshrc file on the remote host. +.B Rcp +is confused by any output generated by commands in a \&.login, +\&.profile, or \&.cshrc file on the remote host. .PP Kerberos is only used for the first connection of a third-party copy; the second connection uses the standard Berkeley rcp protocol. - diff --git a/src/appl/bsd/rlogin.M b/src/appl/bsd/rlogin.M index d3774d585..7267a159c 100644 --- a/src/appl/bsd/rlogin.M +++ b/src/appl/bsd/rlogin.M @@ -16,43 +16,20 @@ .\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" .\" @(#)rlogin.1 6.9 (Berkeley) 9/19/88 -.\" -.TH RLOGIN 1 "Kerberos Version 5.0" "MIT Project Athena" +.\" " +.so man1/header.doc +.TH RLOGIN 1 \*h .SH NAME rlogin \- remote login .SH SYNOPSIS .B rlogin -rhost [ -\fB\-e\fR\fI\|c\fR -] [ -.B \-8 -] [ -.B \-c -] [ -.B \-a -] [ -.B \-f -] [ -.B \-F -] [ -.B \-t -termtype ] [ -.B \-n -] [ -.B \-7 -] [ -.B \-d -] [ -.B \-k -realm ] [ -.B \-x -] [ -.B \-noflow -] [ -.B \-L -] [ -.B \-l -username ] +.I rhost +[\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP | +\fB\-\-forward\fP] [\fB\-\-noforward\fP] [\fB\-F\fP | +\fB\-\-forwardable\fP] [\fB\-\-noforwardable\fP] [\fB\-t\fP +\fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP] [\fB\-d\fP] [\fB\-k\fP +\fIrealm\fP] [\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-\-noencrypt\fP] +[\fB\-\-noflow\fP] [\fB\-L\fP] [\fB\-l\fP \fIusername\fP] .PP .SH DESCRIPTION .I Rlogin 
@@ -66,18 +43,17 @@ standard Berkeley rlogin(1), except that instead of the \fIrhosts\fP mechanism, it uses Kerberos authentication to determine the authorization to use a remote account. .PP -Each user may have a private authorization list in a file \&.k5login -in his login directory. Each line in this file should contain a -Kerberos principal name of the form +Each user may have a private authorization list in a file \&.k5login in +his login directory. Each line in this file should contain a Kerberos +principal name of the form .IR principal/instance@realm . If the originating user is authenticated to one of the principals named in \&.k5login, access is granted to the account. If there is no -/.k5login file, the principal will be granted access -to the account according to the aname\->lname mapping rules (see +/.k5login file, the principal will be granted access to the account +according to the aname\->lname mapping rules. (See .IR krb5_anadd(8) -for more details) -Otherwise -a login and password will be prompted for on the remote machine as in +for more details.) Otherwise a login and password will be prompted for +on the remote machine as in .IR login (1). To avoid some security problems, the \&.k5login file must be owned by the remote user. 
@@ -86,101 +62,149 @@ If there is some problem in marshaling the Kerberos authentication information, an error message is printed and the standard UCB rlogin is executed in place of the Kerberos rlogin. .PP -A line of the form ``~.'' disconnects from the remote host, where -``~'' is the escape character. -Similarly, the line ``~^Z'' (where ^Z, control-Z, is the suspend character) -will suspend the rlogin session. -Substitution of the delayed-suspend character (normally ^Y) -for the suspend character suspends the send portion of the rlogin, -but allows output from the remote system. +A line of the form ``~.'' disconnects from the remote host, where ``~'' +is the escape character. Similarly, the line ``~^Z'' (where ^Z, +control-Z, is the suspend character) will suspend the rlogin session. +Substitution of the delayed-suspend character (normally ^Y) for the +suspend character suspends the send portion of the rlogin, but allows +output from the remote system. .PP -The remote terminal type is the same as your local -terminal type (as given in your environment TERM variable), unless the +The remote terminal type is the same as your local terminal type (as +given in your environment TERM variable), unless the .B \-t -option is specified (see below). -The terminal or window size is also copied to the remote system -if the server supports the option, -and changes in size are reflected as well. -.PP -All echoing takes place at the remote site, so that (except for -delays) the rlogin is transparent. Flow control via ^S and ^Q and -flushing of input and output on interrupts are handled properly. -.PP -The +option is specified (see below). The terminal or window size is also +copied to the remote system if the server supports the option, and +changes in size are reflected as well. +.PP +All echoing takes place at the remote site, so that (except for delays) +the rlogin is transparent. 
Flow control via ^S and ^Q and flushing of +input and output on interrupts are handled properly. +.SH OPTIONS +.TP .B \-8 -option allows an eight-bit input data path at all times; -otherwise parity bits are stripped except when the remote side's -stop and start characters are other than ^S/^Q. Eight-bit mode is the default. -.PP -The +allows an eight-bit input data path at all times; otherwise parity bits +are stripped except when the remote side's stop and start characters are +other than ^S/^Q. Eight-bit mode is the default. +.TP .B \-L -option allows the rlogin session to be run in litout mode. -.PP -The -.B \-e -option allows specification of a different escape character. +allows the rlogin session to be run in litout mode. +.TP +\fB\-e\fP\fIc\fP +sets the escape character to +.IR c . There is no space separating this option flag and the new escape character. -.PP -The +.TP .B \-c -option requires confirmation before disconnecting via ``~.'' -.PP -The +require confirmation before disconnecting via ``~.'' +.TP .B \-a -option forces the remote machine to ask for a password by sending a null local +force the remote machine to ask for a password by sending a null local username. This option has no effect unless the standard UCB rlogin is executed in place of the Kerberos rlogin (see above). -.PP -The -.B \-f -option forwards the local credentials to the remote system -but marks the remote credentials as Non-forwardable. -.PP -The -.B \-F -option forwards the local credentials to the remote system -and marks the remote credentials as Forwardable. -.PP -The -.B \-t -option replaces the terminal type passed to the remote host with -\fItermtype\fP. -.PP -The +.TP +\fB\-f\fP | \fB\-\-forward\fP +forward a copy of the local credentials to the remote system. +.TP +.B \-\-noforward +disables ticket forwarding. This is useful for overriding the +application defaults in the host's +.IR krb5.conf (5) +file. 
+.TP +\fB\-F\fP | \fB\-\-forwardable\fP +forward a +.I forwardable +copy of the local credentials to the remote system. +.TP +.B \-\-noforwardable +makes any forwarded tickets non-forwardable. This is useful for +overriding the application defaults in the host's +.IR krb5.conf (5) +file. +.TP +\fB\-t\fP \fItermtype\fP +replace the terminal type passed to the remote host with +.IR termtype . +.TP .B \-n -option prevents suspension of rlogin via ``~^Z'' or ``~^Y''. -.PP -The +prevent suspension of rlogin via ``~^Z'' or ``~^Y''. +.TP .B \-7 -option forces seven-bit transmissions. -.PP -The +force seven-bit transmissions. +.TP .B \-d -option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP -sockets used for communication with the remote host. -.PP -The -.B \-noflow -option forces transmission of flow control characters (^S/^Q) to the -remote system. -.PP -The +turn on socket debugging (via +.IR setsockopt (2)) +on the TCP sockets used for communication with the remote host. +.TP +.B \-\-noflow +force transmission of flow control characters (^S/^Q) to the remote +system. +.TP .B \-k -option requests rlogin to obtain tickets for the remote host in realm +request rlogin to obtain tickets for the remote host in realm .I realm instead of the remote host's realm as determined by .IR krb_realmofhost (3). -.PP -The -.B \-x -option turns on DES encryption for all data passed via the -rlogin session. This significantly reduces response time and -significantly increases CPU utilization. +.TP +\fB\-x\fP | \fB\-\-encrypt\fP +turn on DES encryption for all data passed via the rlogin session. This +significantly reduces response time and significantly increases CPU +utilization. +.TP +.B \-\-noencrypt +disables encryption. This is useful for overriding the application +defaults in the host's +.IR krb5.conf (5) +file. 
+.SH CONFIGURATION +The following defaults may be specified in the [appdefaults] or [realms] +section of the +.IR krb5.conf (5) +file: +.TP "\w'.B forwardable\ \ 'u" +.B forwardable +Whether or not any forwarded tickets should be forwardable. Takes a +boolean argument. +.TP +.B forward +Whether or not to forward tickets to the remote host. Takes a boolean +argument. +.TP +.B encrypt +Whether or not to encrypt the data stream. Takes a boolean argument. +.PP +For example: +.sp +.nf +.in +1i +[appdefaults] + rlogin = { + forwardable = true + forward = true + encrypt = true + } +[realms] + FUBAR.ORG = { + rlogin = { + forward = false + } + } +.in -1i +.fi +.sp .SH SEE ALSO rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), -rlogin(1) [UCB version] +krb5.conf(5), rlogin(1) [UCB version] .SH FILES -\&.k5login in the user's home directory +.TP "\w'/etc/krb5.conf\ \ 'u" +/etc/krb5.conf +file containing local host's Kerberos V5 configuration information +.sp -1v +.TP +~/\&.k5login +(on remote host) - file containing Kerberos principals that are allowed +access. .SH BUGS More of the environment should be propagated. diff --git a/src/appl/bsd/rsh.M b/src/appl/bsd/rsh.M index d073832b5..3767d2b9a 100644 --- a/src/appl/bsd/rsh.M +++ b/src/appl/bsd/rsh.M 
@@ -16,116 +16,149 @@ .\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" .\" @(#)rsh.1 6.2 (Berkeley) 9/20/88 -.\" -.TH RSH 1 "Kerberos Version 5.0" "MIT Project Athena" +.\" " +.so man1/header.doc +.TH RSH 1 \*h .SH NAME rsh \- remote shell .SH SYNOPSIS .B rsh -host -[ -.B \-l -username -] [ -.B \-n -] [ -.B \-d -] [ -.B \-k -realm ] [ -.B \-f | \-F -] [ -.B \-x -] [ -.B \-A -] command +.I host +[\fB\-l\fP \fIusername\fP] [\fB\-n\fP] [\fB\-d\fP] [\fB\-k\fP +\fIrealm\fP] [\fB\-f\fP | \fB\-\-forward\fP | \fB\-F\fP | +\fB\-\-forwardable\fP] [\fB\-\-noforward\fP] [\fB\-\-noforwardable\fP] +[\fB\-x\fP | \fB\-\-encrypt\fP] [\fB\-\-noencrypt\fP] [\fB\-\-noflow\fP] +.I command .SH DESCRIPTION -.I Rsh +.B Rsh connects to the specified .I host, and executes the specified \fIcommand\fR. -.I Rsh -copies its standard input to the remote command, the standard -output of the remote command to its standard output, and the -standard error of the remote command to its standard error. -Interrupt, quit and terminate signals are propagated to the remote -command; \fIrsh\fP normally terminates when the remote command does. -.PP -The remote username used is the same as your local username, -unless you specify a different remote name with the -.B \-l -option. +.B Rsh +copies its standard input to the remote command, the standard output of +the remote command to its standard output, and the standard error of the +remote command to its standard error. This implementation of +.B rsh +will accept any port for the standard error stream. Interrupt, quit and +terminate signals are propagated to the remote command; \fIrsh\fP +normally terminates when the remote command does. .PP -Each user may have a private authorization list in a file \&.k5login -in his login directory. Each line in this file should contain a -Kerberos principal name of the form +Each user may have a private authorization list in a file \&.k5login in +his login directory. 
Each line in this file should contain a Kerberos +principal name of the form .IR principal/instance@realm . If there is a ~/.k5login file, then access is granted to the account if and only if the originater user is authenticated to one of the princiapls named in the ~/.k5login file. Otherwise, the originating user will be granted access to the account if and only if the authenticated principal name of the user can be mapped to the local -account name using the aname -> lname mapping rules (see \fIkrb5_anadd(8)\fP +account name using the aname -> lname mapping rules (see +.IR krb5_anadd (8) for more details). -.PP -The -.B \-x -option causes the network session traffic to be encrypted. -.PP +.SH OPTIONS +.TP +\fB\-l\fP \fIusername\fP +sets the remote username to +.IR username . +Otherwise, the remote username will be the same as the local username. +.TP +\fB\-x\fP | \fB\-\-encrypt\fP +causes the network session traffic to be encrypted. +.TP +.B \-\-noencrypt +disables encryption. This is useful for overriding the application +defaults in the host's +.IR krb5.conf (5) +file. +.TP +\fB\-f\fP | \fB\-\-forward\fP The .B \-f and +.B \-\-forward +options cause Kerberos credentials to be forwarded to the remote machine +for use by the specified +.IR command . +They will be removed when +.I command +finishes. This option is mutually exclusive with the .B \-F -options cause Kerberos credentials to be forwarded to the remote machine for -use by the specified \fIcommand\fR. They will be removed when \fIcommand\fR -finishes. If -.B \-F -is used, the forwarded credentials are themselves forwardable to other -machines. -.PP +or +.B \-\-forwardable +options. +.TP +\fB\-F\fP | \fB\-\-forwardable\fP The -.B \-k -\fIrealm\fP option causes +.B \-F +and +.B \-\-forwardable +options cause +.I forwardable +Kerberos credentials to be forwarded to the remote machine for use by +the specified +.IR command . +They will be removed when +.I command +finishes. 
This option is mutually exclusive with the +.B \-f +or +.B \-\-forward +options. +.TP +.B \-\-noforward +disables ticket forwarding. This is useful for overriding the +application defaults in the host's +.IR krb5.conf (5) +file. +.TP +.B \-\-noforwardable +makes any forwarded tickets non-forwardable. This is useful for +overriding the application defaults in the host's +.IR krb5.conf (5) +file. +.TP +\fB\-k\fP\fIrealm\fP +causes .I rsh to obtain tickets for the remote host in .I realm instead of the remote host's realm as determined by .IR krb_realmofhost (3). -.PP -The +.TP .B \-d -option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP -sockets used for communication with the remote host. -.PP -The +turns on socket debugging (via +.IR setsockopt (2)) +on the TCP sockets used for communication with the remote host. +.TP .B \-n -option redirects input from the special device +redirects input from the special device .I /dev/null (see the BUGS section below). -.PP -The -.B \-A -option accepts any port number for the stderr stream. Normally -.I rsh -requires a reserved port number. This option is used for debugging. +.TP +.B \-\-noflow +If +.B rsh +causes you to be logged into the remote host using +.IR rlogin (1), +this option passes the \-\-noflow option to +.IR rlogin . .PP If you omit -.I command, -then instead of executing a single command, you will be logged in -on the remote host using +.IR command , +then instead of executing a single command, you will be logged in on the +remote host using .IR rlogin (1). .PP -Shell metacharacters which are not quoted are interpreted -on local machine, while quoted metacharacters are interpreted on -the remote machine. -Thus the command +Shell metacharacters which are not quoted are interpreted on the local +machine, while quoted metacharacters are interpreted on the remote +machine. 
Thus the command .PP \ \ \ rsh otherhost cat remotefile >> localfile .PP appends the remote file .I remotefile to the local file -.I localfile, +.IR localfile , while .PP \ \ \ rsh otherhost cat remotefile ">>" otherremotefile 
@@ -133,31 +166,72 @@ while appends .I remotefile to -.I otherremotefile. +.IR otherremotefile . +.SH CONFIGURATION +The following defaults may be specified in the [appdefaults] or [realms] +section of the +.IR krb5.conf (5) +file: +.TP "\w'.B forwardable\ \ 'u" +.B forwardable +Whether or not any forwarded tickets should be forwardable. Takes a +boolean argument. +.TP +.B forward +Whether or not to forward tickets to the remote host. Takes a boolean +argument. +.TP +.B encrypt +Whether or not to encrypt the data stream. Takes a boolean argument. +.PP +For example: +.sp +.nf +.in +1i +[appdefaults] + rsh = { + forwardable = true + forward = true + encrypt = true + } +[realms] + FUBAR.ORG = { + rsh = { + forward = false + } + } +.in -1i +.fi +.sp .SH FILES -.ta 2i +.TP "\w'/etc/krb5.conf\ \ 'u" /etc/hosts -.br -\&.k5login in the user's home directory -.DT +.sp -1v +.TP +/etc/krb5.conf +file containing local host's Kerberos V5 configuration information +.sp -1v +.TP +~/\&.k5login +(on remote host) - file containing Kerberos principals that are allowed +access. .SH SEE ALSO -rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3) +rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), +krb5.conf(5) .SH BUGS If you are using .IR csh (1) and put a .IR rsh (1) -in the background without redirecting its input -away from the terminal, it will block even if no reads -are posted by the remote command. If no input is desired -you should redirect the input of +in the background without redirecting its input away from the terminal, +it will block even if no reads are posted by the remote command. If no +input is desired you should redirect the input of .I rsh to /dev/null using the .B \-n option. .PP -You cannot run an interactive command -(like +You cannot run an interactive command (like .IR rogue (6) or .IR vi (1)); 
@@ -165,5 +239,5 @@ use .IR rlogin (1). .PP Stop signals stop the local \fIrsh\fP process only; this is arguably -wrong, but currently hard to fix for reasons too complicated to -explain here. +wrong, but currently hard to fix for reasons too complicated to explain +here.
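Review bot: in the klogind.M hunk `@@ -4,28 +4,29 @@`, the example inetd.conf line now hard-codes a vendor install prefix, `klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c`, where the old text used /krb5/sbin; for an MIT page a neutral placeholder path, or a sentence saying the path depends on the install prefix, would keep the example correct on other installations. The `-e5c` flags in the example are a good pairing with the rest of the page (-e requires an encrypted session, -5 trusts only Kerberos V5, -c requires the authenticator checksum); it would help administrators if the sentence introducing the example said so, since the -c description later in the file notes that the checksum protection only holds when Kerberos V5 alone is trusted.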
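Review bot: in the klogind.M hunk `@@ -77,16 +80,16 @@`, the rewrapped -c paragraph carries the typo `additionl` forward (`provides additionl security by preventing an attacker from changing the`); since these lines are rewritten anyway, correct it to `additional`. The unchanged context line `If neither the \fB-c\fP or \fB-i\fP options are specified,then` is also missing a space after the comma.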
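Review bot: in the kshd.M hunk `@@ -4,7 +4,8 @@`, the title is kept as `.TH KRSHD 8C \*h` while the NAME line directly below reads `kshd \- kerberized remote shell server`, and the klogind.M hunk in this same commit renamed KRLOGIND to KLOGIND; the title should use the same daemon name as the NAME line (KSHD) so the two pages are consistent.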
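Review bot: in the login.M hunk `@@ -1,26 +1,28 @@`, the rewrapped description still says `It is the sub-process used by krlogind and telnetd to` although klogind.M in this commit renames the daemon to klogind; update the cross-reference. Also, NAME now reads `login.krb5 \- kerberos enhanced login program` but the title remains `.TH LOGIN 8C \*h`; `LOGIN.KRB5` would match the new name.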
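Review bot: in the login.M hunk `@@ -29,12 +31,30 @@`, the new OPTIONS entries `\fB\-f\fP \fIname\fP` and `\fB\-F\fP \fIname\fP` document pre-authenticated login, with -F allowing it as root, but do not say who is expected to pass these flags; since the DESCRIPTION calls login.krb5 the sub-process used by the login daemons, each entry should state that the option is intended for callers that have already authenticated the user, so an administrator reading the page understands why a flag that skips the password prompt (and, for -F, permits root) exists and when it is safe. Minor: `e.g.,for datakit` is missing a space, and the -e entry (`Perform pre-authenticated, encrypted login. Must do term negotiation.`) is too terse to act on.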
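Review bot: in the rcp.M hunk `@@ -17,131 +17,144 @@`, two font escapes in the second SYNOPSIS form are wrong: `[\fB\-p\fB]` ends bold with \fB instead of \fP, leaving the rest of the line bold, and `[\fP\-k\fP \fIrealm\fP]` opens with \fP instead of \fB, so -k is not emboldened; the first form has them right (`[\fB\-p\fP]` and `[\fB\-k\fP \fIrealm\fP ]`, the latter with a stray space before its bracket). Separately, the new -x entry says `encrypt all information transferring between hosts`, while the BUGS section in this same hunk notes that only the first connection of a third-party copy uses Kerberos and the second uses the standard Berkeley rcp protocol; the option text should qualify that encryption covers only the Kerberos-authenticated connection so a reader does not assume a third-party copy is protected end to end.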
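Review bot: in the rlogin.M hunk `@@ -16,43 +16,20 @@`, the comment line is changed from `.\"` to `.\" "`, leaving a lone double quote inside a comment; if this is meant to balance quote matching in an editor, say so in the comment, otherwise revert it. The same change appears in the rsh.M hunk `@@ -16,116 +16,149 @@`. The new SYNOPSIS line also has a stray space in `[ \fB\-a\fP]`.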
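Review bot: in the rlogin.M hunk `@@ -66,18 +43,17 @@`, the rewrapped line `+/.k5login file, the principal will be granted access to the account` keeps the path as `/.k5login`, which reads as a file in the root directory; the sentence before it refers to the user's login directory and the rcp.M and rsh.M hunks write it as `~/.k5login`, so it should be `~/.k5login` here too. Also `.IR krb5_anadd(8)` should be `.IR krb5_anadd (8)` as on the other pages, so the section number is not italicised.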
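Review bot: in the rlogin.M hunk `@@ -86,101 +62,149 @@`, the `-x | --encrypt` entry says DES encryption `significantly reduces response time and significantly increases CPU utilization`; `reduces response time` reads as a speed-up, whereas the intended warning (paired with higher CPU use) is that responses get slower, so `significantly increases response time` is the clearer wording. In the new CONFIGURATION section the example sets `forward = true` under [appdefaults] and `forward = false` under [realms] FUBAR.ORG, but the text never says which setting wins when both are present; one sentence on precedence would make the example useful. Nit: the width string in `.TP "\w'.B forwardable\ \ 'u"` measures the literal characters `.B ` as well, so the hanging indent is wider than intended; `\w'forwardable\ \ 'u` gives the width of the tag alone.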
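Review bot: in the rsh.M hunk `@@ -16,116 +16,149 @@`, the -A option is removed from SYNOPSIS and OPTIONS (`-option accepts any port number for the stderr stream. Normally`, `-requires a reserved port number. This option is used for debugging.`) and replaced by the unconditional sentence `This implementation of rsh will accept any port for the standard error stream.`; that turns a debugging-only relaxation into the documented default and drops the reserved-port requirement on the stderr connection. Confirm the client code really behaves this way now, and if so the text should say plainly that the reserved-port restriction is no longer applied, since a reader of the old page would expect it. Also `\fB\-k\fP\fIrealm\fP` in OPTIONS lacks the space that the SYNOPSIS (`[\fB\-k\fP \fIrealm\fP]`) and the rcp.M and rlogin.M pages use, and the unchanged context lines carry the typos `originater` and `princiapls`.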
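Review bot: in the rsh.M hunk `@@ -133,31 +166,72 @@`, the FILES entry `.TP "\w'/etc/krb5.conf\ \ 'u"` followed by `/etc/hosts` has no description before the next `.sp -1v` and `.TP`, so `/etc/hosts` renders as a tag with an empty body; either add a short description or drop the entry. As in rlogin.M, `.TP "\w'.B forwardable\ \ 'u"` includes the literal `.B ` in the width measurement and should be `\w'forwardable\ \ 'u`.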