Administration Reference

rsh (AFS version)

Purpose

Opens a shell on a remote machine

Synopsis

rsh host  [-n]  [-l <username>]  <command>
   
host  [-n]  [-l <username>]    <command>

Description

The AFS-modified rsh program functions like the standard UNIX rsh program, but also passes the issuer's AFS token to the remote machine's Cache Manager, to enable authenticated access to the AFS filespace via that machine.

Token passing is most effective if both the remote machine and local machine belong to the same cell, because the rsh program can pass only one token even if the user has several tokens--it passes the token listed first in the output from the tokens command. If the remote and local machine do not belong to the same cell, the first token must be valid for the remote machine's cell, in order for the remote cell's server processes to recognize the issuer as authenticated.

In addition to running the AFS version of the rsh binary on the machine where the rsh command is issued, other configuration changes are necessary for token passing to work properly. See the Cautions section for a list.

The AFS version of the rsh command is compatible with the standard UNIX inetd command, but token passing works only if both programs are modified to handle AFS tokens. If only one of them is modified, the issuer accesses the AFS filespace through the remote machine as the user anonymous.

Cautions

Some operating systems assign an alternate name to this program, such as remsh. The version included in the AFS distribution uses the same name as the operating system.

The AFS distribution does not include an AFS-modified version of this command for every system type, in some cases because the operating system vendor has already modified the standard version in the required way. For details, see the IBM AFS Release Notes.

For security's sake, use the AFS version of the rsh command only in conjunction with PAGs, either by using an AFS-modified login utility, issuing the pagsh command before obtaining tokens, or including the -setpag flag to the klog command.

Several configuration requirements and restrictions are necessary for token passing to work correctly with the AFS version of the rsh command. Some of these are also necessary with the standard UNIX version, but are included here because the issuer used to AFS protections is possibly unlikely to think of them. There are possibly other UNIX-based requirements or restrictions not mentioned here; consult the UNIX manual page for the rsh command. (One important one is that no stty commands can appear in the issuer's shell initialization file, such as the .cshrc file.)

The requirements and restrictions for token passing include the following.

• The local machine must be running the AFS version of the rsh command, with the binary file locally installed to grant setuid privilege to the owner, the local superuser root.

• The remote machine must be running the AFS version of the inetd program.

• If the rsh command is to consult an .rhosts file on the remote machine, the file must have UNIX mode bits no more liberal than -rw-r--r--. If the .rhosts file resides in a user home directory in AFS, the home directory must also grant the l (lookup) and r (read) permissions to the system:anyuser group.

Options

Consult the UNIX manual page for the rsh command.

Privilege Required

None

Related Information

inetd (AFS version)

tokens

UNIX manual page for rsh or remsh

IBM AFS Release Notes