NAME [Toc] [Back]
remsh, rexec - execute from a remote shell
SYNOPSIS [Toc] [Back]
remsh host [-l username] [-n] command
host [-l username] [-n] command
rexec host [-l username] [-n] command
In Kerberos V5 Network Authentication Environments [Toc] [Back]
remsh host [-l username] [-f|-F] [-k realm] [-P] [-n] command
host [-l username] [-f|-F] [-k realm] [-P] [-n] command
DESCRIPTION [Toc] [Back]
remsh connects to a specified host and executes a specified command.
The host name can be either the official name or an alias as
understood by gethostbyname() (see gethostent(3N) and hosts(4)).
remsh copies its standard input (stdin) to the remote command, the
standard output of the remote command to its standard output (stdout),
and the standard error of the remote command to its standard error
(stderr). Hangup, interrupt, quit, terminate, and broken pipe signals
are propagated to the remote command. remsh exits when the sockets
associated with stdout and stderr of the remote command are closed.
This means that remsh normally terminates when the remote command does
By default, remsh uses the following path when executing the specified
remsh uses the default remote login shell with the -c option to
execute the remote command. If the default remote shell is csh, csh
sources the remote .cshrc file before the command. remsh cannot be
used to run commands that require a terminal interface (such as vi) or
commands that read their standard error (such as more). In such
cases, use rlogin or telnet instead (see rlogin(1) and telnet(1)).
The remote account name used is the same as your local account name,
unless you specify a different remote name with the -l option. This
remote account name must be equivalent to the originating account. In
addition, the remote host account name must also conform to other
rules, which differ depending upon whether the remote host is
operating in a Kerberos V5 Network Authentication, i.e., secure
environment, or not.
In a non-secure, or traditional environment, the remote account name
must be equivalent to the originating account; no provision is made
for specifying a password with a command. For more details about
equivalent hosts and how to specify them, see hosts.equiv(4). The
files inspected by remshd on the remote host are /etc/hosts.equiv and
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
$HOME/.rhosts (see remshd(1M)).
In a Kerberos V5 Network Authentication environment, the local host
must be successfully authenticated before the remote account name is
checked for proper authorization. The authorization mechanism is
dependent on the command line options used to invoke remshd on the
remote host (i.e., -K, -R, -r, or -k). For more information on
Kerberos authentication and authorization see the Secure Internet
Services man page, sis(5) and remshd(1M).
Although Kerberos authentication and authorization may apply, the
Kerberos mechanism is not applied to the command or to its response.
All the information that is transferred between the local and remote
host is still sent in cleartext over the network.
The default Kerberos options for the applications are set in the
krb5.conf configuration file. Refer to the appdefaults Section in the
krb5.conf(4) manpage for more information. The options -f, and -F
described in the subsequent paragraphs, can be set in the krb5.conf
file with the tag names forward, and forwardable respectively. Refer
to the krb5.conf(4) manpage for more information on the appdefaults
The fallback option can be set in the krb5.conf file within the
appdefaults Section. If fallback is set to true and the kerberos
authentication fails, remsh will use the non-secure mode of
Note: Command line options override the configuration file
In a secure or Kerberos V5-based environment, the following command
line options are available:
-f Forward the ticket granting ticket (TGT) to the
remote system. The TGT is not forwardable from that
-F Forward the TGT to the remote system and have it
forwardable from there to another remote system. The
-f option and -F option are mutually exclusive.
-k realm Obtain tickets from the remote host in the specified
realm instead of the remote host's default realm as
specified in the configuration file krb.realms.
-P Disable Kerberos authentication.
If command, is not specified, instead of executing a single command,
you will be logged in on the remote host using rlogin (see rlogin(1)).
Any rlogin options typed in on the command line are transmitted to
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003
rlogin. If no command and the option -P are specified, rlogin will be
invoked with -P to indicate that Kerberos authentication (or secure
access) is not necessary. This means that if a password is requested,
the password will be sent in cleartext. If command is specified,
options specific to rlogin are ignored by remsh.
By default, remsh reads its standard input and sends it to the remote
command because remsh has no way to determine whether the remote
command requires input. The -n option redirects standard input to
remsh from /dev/null. This is useful when running a shell script
containing a remsh command, since otherwise remsh may use input not
intended for it. The -n option is also useful when running remsh in
the background from a job control shell, /usr/bin/csh or /usr/bin/ksh.
Otherwise, remsh stops and waits for input from the terminal keyboard
for the remote command. /usr/bin/sh automatically redirects its input
from /dev/null when jobs are run in the background.
Host names for remote hosts can also be commands (linked to remsh) in
the directory /usr/hosts. If this directory is specified in the $PATH
environment variable, you can omit remsh. For example, if remotehost
is the name of a remote host, /usr/hosts/remotehost is linked to
remsh, and if /usr/hosts is in your search path, the command
executes command on remotehost, and the command
is equivalent to
The rexec command works in the same way as remsh except that it uses
the rexec() library routine and rexecd for command execution (see
rexec(3N) and rexecd(1M)) and does not support Kerberos
authentication. rexec prompts for a password before executing the
command instead of using hosts.equiv for authentication. It should be
used in instances where a password to a remote account is known but
there are insufficient permissions for remsh.
EXAMPLES [Toc] [Back]
Shell metacharacters that are not quoted are interpreted on the local
host; quoted metacharacters are interpreted on the remote host. Thus
the command line:
remsh otherhost cat remotefile >> localfile
appends the remote file remotefile to the local file localfile, while
the command line
Hewlett-Packard Company - 3 - HP-UX 11i Version 2: August 2003
remsh otherhost cat remotefile ">>" otherremotefile
appends remotefile to the remote file otherremotefile.
If the remote shell is /usr/bin/sh, the following command line sets up
the environment for the remote command before executing the remote
remsh otherhost . .profile 2>&- \; command
The 2>&- throws away error messages generated by executing .profile
when stdin and stdout are not a terminal.
The following command line runs remsh in the background on the local
system, and the output of the remote command comes to your terminal
remsh otherhost -n command &
The background remsh completes when the remote command does.
The following command line causes remsh to return immediately without
waiting for the remote command to complete:
remsh otherhost -n "command 1>&- 2>&- &"
(See remshd(1M) and sh(1)). If your login shell on the remote system
is csh, use the following form instead:
remsh otherhost -n "sh -c \"command 1>&- 2>&- &\""
RETURN VALUE [Toc] [Back]
If remsh fails to set up the secondary socket connection, it returns
2. If it fails in some other way, it returns 1. If it fully succeeds
in setting up a connection with remshd, it returns 0 once the remote
command has completed. Note that the return value of remsh bears no
relation to the return value of the remote command.
DIAGNOSTICS [Toc] [Back]
Besides the errors listed below, errors can also be generated by the
library functions rcmd() and rresvport(). In the case of IPv6
systems, the library functions rcmd() and rresvport() are replaced by
rcmd_af() and rresvport_af(); respectively, and can generate errors
(see rcmd(3N) and rcmd_af(3N)). These errors are preceded by the name
of the library function that generated them. remsh can produce the
following diagnostic messages:
Error! could not retrieve authentication type.
Please notify sys admin.
There are two authentication mechanisms used by remsh. One
authentication mechanism is based on Kerberos and the other
Hewlett-Packard Company - 4 - HP-UX 11i Version 2: August 2003
is not. The type of authentication mechanism is obtained
from a system file which is updated by inetsvcs_sec (see
inetsvcs_sec(1M)). If the system file does not contain
known authentication types, the above error is displayed.
Error in executing rlogin (rlogin is executed when the user
does not specify any commands to be executed). This is
followed by the error message specifying why the execution
shell/tcp: Unknown service
The ``shell'' service specification is not present in the
Can't establish stderr
remsh cannot establish secondary socket connection for
<system call>: ...
Error in executing system call. Appended to this error is a
message specifying the cause of the failure.
There is no entry for you (user ID uid) in /etc/passwd
Check with the system administrator to see if your entry in
the password file has been deleted by mistake.
Kerberos-specific errors are listed in sis(5).
WARNINGS [Toc] [Back]
For security reasons, the /etc/hosts.equiv and .rhosts files should
exist, even if empty, and they should be readable and writable only by
the owner. Note also that all information, including any passwords
asked for, is passed unencrypted between the two hosts.
If remsh is run with an interactive command, it hangs.
DEPENDENCIES [Toc] [Back]
remsh is the same service as rsh on BSD systems. The name was changed
due to a conflict with the existing System V command rsh (restricted
AUTHOR [Toc] [Back]
remsh was developed by the University of California, Berkeley.
FILES [Toc] [Back]
/usr/hosts/* for version of the command invoked only with
SEE ALSO [Toc] [Back]
rlogin(1), remshd(1M), rexecd(1M), inetsvcs_sec(1M), gethostent(3N),
Hewlett-Packard Company - 5 - HP-UX 11i Version 2: August 2003
rcmd(3N), rcmd_af(3N), rexec(3N), hosts(4), hosts.equiv(4),
Hewlett-Packard Company - 6 - HP-UX 11i Version 2: August 2003 [ Back ]