-rw-r--r-- | usr.bin/rsh/pathnames.h | 4 | ||||
-rw-r--r-- | usr.bin/rsh/rsh.1 | 49 | ||||
-rw-r--r-- | usr.bin/rsh/rsh.c | 17 |
3 files changed, 56 insertions, 14 deletions
diff --git a/usr.bin/rsh/pathnames.h b/usr.bin/rsh/pathnames.h index 2c6550ce4a4..e23c6152dec 100644 --- a/usr.bin/rsh/pathnames.h +++ b/usr.bin/rsh/pathnames.h @@ -1,4 +1,5 @@ -/* * $OpenBSD: pathnames.h,v 1.2 1996/06/26 05:38:48 deraadt Exp $*/ +/* $OpenBSD: pathnames.h,v 1.3 2002/05/06 22:50:03 millert Exp $ */ + /* * Copyright (c) 1989 The Regents of the University of California. * All rights reserved. @@ -35,3 +36,4 @@ */ #define _PATH_RLOGIN "/usr/bin/rlogin" +#define _PATH_TELNET "/usr/bin/telnet" diff --git a/usr.bin/rsh/rsh.1 b/usr.bin/rsh/rsh.1 index 14e0207a634..2a3cc23ead0 100644 --- a/usr.bin/rsh/rsh.1 +++ b/usr.bin/rsh/rsh.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rsh.1,v 1.10 2001/06/23 23:15:37 hin Exp $ +.\" $OpenBSD: rsh.1,v 1.11 2002/05/06 22:50:03 millert Exp $ .\" .\" Copyright (c) 1983, 1990 The Regents of the University of California. .\" All rights reserved. @@ -53,6 +53,14 @@ executes on .Ar hostname . .Pp +.Em Note: +.Nm +has been deprecated in favor of +.Xr ssh 1 . +Use of +.Nm +is discouraged due to the inherent insecurity of host-based authentication. +.Pp .Nm copies its standard input to the remote command, the standard output of the remote command to its standard output, and the @@ -62,6 +70,12 @@ command; .Nm normally terminates when the remote command does. .Pp +.Nm +first attempts to use the Kerberos authorization mechanism, described below. +If the remote host does not support Kerberos the standard Berkeley +.Pa rhosts +authorization mechanism is used. +.Pp The options are as follows: .Bl -tag -width Ds .It Fl K @@ -84,9 +98,6 @@ By default, the remote username is the same as the local username. The .Fl l option allows the remote name to be specified. -Kerberos authentication is used, and authorization is determined -as in -.Xr rlogin 1 . .It Fl n Redirect input from the special device .Pa /dev/null 
@@ -98,7 +109,10 @@ section of this manual page). If no .Ar command is specified, you will be logged in on the remote host using -.Xr rlogin 1 . +.Nm rlogin +if it exists on the system or +.Xr telnet 1 +if not. .Pp If .Nm @@ -131,12 +145,33 @@ to .\" directory /usr/hosts. .\" If this directory is included in your search path, you can use the .\" shorthand ``host command'' for the longer form ``rsh host command''. +.Sh KERBEROS AUTHENTICATION +If Kerberos is configured on the system, each user may have a private +authorization list in the file +.Pa .klogin +in their home directory. +Each line in this file should contain a Kerberos principal name of the form +.Ar principal.instance@realm . +If the originating user is authenticated to one of the principals named in +.Pa .klogin , +access is granted to the account. +The principal +.Ar accountname.@localrealm +is granted access if there is no +.Pa .klogin +file. +Otherwise a login and password will be prompted for on the remote machine +as in +.Xr login 1 . +To avoid certain security problems, the +.Pa .klogin +file must be owned by the remote user. .Sh FILES .Bl -tag -width /etc/hosts -compact .It Pa /etc/hosts .El .Sh SEE ALSO -.Xr rlogin 1 , +.Xr telnet 1 , .Xr kerberos 3 , .Xr krb_realmofhost 3 , .Xr krb_sendauth 3 , @@ -169,7 +204,7 @@ or using .Nm rsh ; use -.Xr rlogin 1 +.Xr telnet 1 instead. .Pp Stop signals stop the local diff --git a/usr.bin/rsh/rsh.c b/usr.bin/rsh/rsh.c index 64b3bf31b55..4e390b43049 100644 --- a/usr.bin/rsh/rsh.c +++ b/usr.bin/rsh/rsh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsh.c,v 1.25 2002/02/19 19:39:39 millert Exp $ */ +/* $OpenBSD: rsh.c,v 1.26 2002/05/06 22:50:03 millert Exp $ */ /*- * Copyright (c) 1983, 1990 The Regents of the University of California. 
@@ -41,7 +41,7 @@ char copyright[] = #ifndef lint /*static char sccsid[] = "from: @(#)rsh.c 5.24 (Berkeley) 7/1/91";*/ -static char rcsid[] = "$OpenBSD: rsh.c,v 1.25 2002/02/19 19:39:39 millert Exp $"; +static char rcsid[] = "$OpenBSD: rsh.c,v 1.26 2002/05/06 22:50:03 millert Exp $"; #endif /* not lint */ #include <sys/types.h> @@ -173,14 +173,19 @@ main(argc, argv) if (!host && !(host = argv[optind++])) usage(); - /* if no further arguments, must have been called as rlogin. */ + /* if no command, login to remote host via rlogin or telnet. */ if (!argv[optind]) { - if (asrsh) - *argv = "rlogin"; seteuid(getuid()); setuid(getuid()); + if (asrsh) + *argv = "rlogin"; execv(_PATH_RLOGIN, argv); - (void)fprintf(stderr, "rsh: can't exec %s.\n", _PATH_RLOGIN); + if (errno == ENOENT) { + if (asrsh) + *argv = "telnet"; + execv(_PATH_TELNET, argv); + } + (void)fprintf(stderr, "rsh: can't exec %s.\n", _PATH_TELNET); exit(1); } |
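Review bot: The results of `seteuid(getuid())` and `setuid(getuid())` in the no-command branch are ignored, so if either call fails the following `execv()` of rlogin, and now also of telnet, runs with whatever privileges rsh still holds. Stop before the exec instead, e.g. `if (seteuid(getuid()) != 0 || setuid(getuid()) != 0) { perror("rsh: setuid"); exit(1); }`. Separately, the final `fprintf` always names `_PATH_TELNET`, which is misleading when `execv(_PATH_RLOGIN, argv)` failed with an errno other than `ENOENT` and telnet was never tried; record which path was attempted last and print that one along with the errno text. The unmodified rsh argument vector is also passed to telnet, so it is worth confirming that each option rsh accepts has the same meaning there. main() begins and continues outside this hunk.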