Replacing r-Commands with SSH

SSH and the r-commands (rsh, rcp, rlogin) can coexist peacefully on the same machine. Since the r-commands are insecure, however, system administrators should replace them with their SSH counterparts (ssh, scp, slogin). This replacement has two parts:

  • Installing SSH and removing rsh, rcp, and rlogin, which requires some user retraining

  • Modifying other programs or scripts that invoke the r-commands

The r-commands are so similar to their analogous SSH commands that you might be tempted to rename the SSH commands as the r-commands (e.g., rename ssh as rsh, etc.). After all, common commands like these are practically identical in syntax:

    $ rsh -l jones remote.example.com
    $ ssh -l jones remote.example.com

    $ rcp myfile remote.example.com:
    $ scp myfile remote.example.com:

Why not just rename? Well, the two sets of programs are incompatible in some ways. For example, some old versions of rcp use a different syntax for specifying remote filenames.

In the following sections, we discuss some common Unix programs that invoke the r-commands and how to adapt them to use SSH instead.

4.5.1 Concurrent Versions System (CVS)

CVS is a version-control system. It maintains a history of changes to sets of files, and helps coordinate the work of multiple people on the same files. It can use rsh to connect to repositories on remote hosts. For example, when you check in a new version of a file:

    $ cvs commit myfile

if the repository is located on a remote machine, CVS can invoke rsh to access the remote repository. For a more secure solution, CVS can run ssh instead of rsh. Of course, the remote machine must be running an SSH server, and if you use public-key authentication, your remote account must contain your key in the appropriate place.[41]

To make CVS use ssh, simply set the environment variable CVS_RSH to contain the path to your ssh client:

    # Bourne shell family
    # Put in ~/.profile to make permanent.
    CVS_RSH=/usr/bin/ssh
    export CVS_RSH

    # C shell family
    # Put in ~/.login to make permanent.
    setenv CVS_RSH /usr/bin/ssh

This approach has one problem: each time you check in a file, the logger’s name is the remote account owner, which might not be your own. The problem is solved by manually setting the remote LOGNAME variable using the environment option in your remote authorized_keys file. [8.2.5.1]

4.5.2 GNU Emacs

The Emacs variable remote-shell-program contains the path to any desired program for invoking a remote shell. Simply redefine it to be the full path to your ssh executable. Also, the rlogin package, rlogin.el, defines a variable rlogin-program you can redefine to use slogin.

4.5.3 Pine

The Pine mail reader uses rsh to invoke mail-server software on remote machines. For example, it might invoke the IMAP daemon, imapd, on a remote mail server. Another program can be substituted for rsh by changing the value of a Pine configuration variable, rsh-path. This variable holds the name of the program for opening remote shell connections, normally /usr/bin/rsh. A new value can be assigned in an individual user’s Pine configuration file, ~/.pinerc, or in the systemwide Pine configuration file, typically /usr/local/lib/pine.conf. For example:

    # Set in a Pine configuration file
    rsh-path=/usr/local/bin/ssh

A second variable, rsh-command, constructs the actual command string to be executed for the remote mail server. The value is a pattern in the style of the C function printf(). Most likely, you won’t need to change the value because both rsh and ssh fit the default pattern, which is:

    "%s %s -l %s exec /etc/r%sd"

The first three “%s” pattern substitutions refer to the rsh-path value, the remote hostname, and the remote username. (The fourth forms the remote mail daemon name, which doesn’t concern us.) So, by default, if your username is alice and the remote mail server is mail.example.com, rsh-command evaluates to:

    /usr/bin/rsh mail.example.com -l alice ...

By changing the rsh-path, it becomes instead:

    /usr/local/bin/ssh mail.example.com -l alice ...

As we said, you probably don’t need to do anything with rsh-command, but just in case, we’ve included it for reference. We present a detailed case study of integrating Pine and SSH later. [11.3]

4.5.4 rsync, rdist

rsync and rdist are software tools for synchronizing sets of files between different directories on the same machine or on two different hosts. Both can call rsh to connect to a remote host, and both can easily use SSH instead: simply set the RSYNC_RSH environment variable or use the -e command-line option for rsync, and use the -P option with rdist. rsync with SSH is a particularly simple and effective method to securely maintain remote mirrors of whole directory trees.
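
The second part of the replacement, finding the programs and scripts that still invoke the r-commands, can be partly automated. The shell audit below is an added example, not from the book: it reports every non-comment line under a directory that still names rsh, rcp, or rlogin, including stale CVS_RSH, RSYNC_RSH, and rsh-path values. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: find leftover r-command references
# before rsh, rcp and rlogin are removed from a machine.

# rsh, rcp or rlogin as a whole command word, with or without a leading
# path. A trailing "-" is excluded so the Pine setting names rsh-path and
# rsh-command do not match by themselves; only their values can.
RCMD_RE='(^|[^A-Za-z0-9_-])(rsh|rcp|rlogin)($|[^A-Za-z0-9_-])'

# Print "file:line:text" for every non-comment line under directory $1
# that still names an r-command.
find_rcmd_refs() {
    grep -rEn "$RCMD_RE" "$1" 2>/dev/null |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Number of such lines under directory $1.
count_rcmd_refs() {
    find_rcmd_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one stale CVS_RSH, one stale rcp call, and
# settings that already point at ssh.
make_sample_tree() {
    printf '%s\n' 'CVS_RSH=/usr/bin/rsh' 'export CVS_RSH' > "$1/profile"
    printf '%s\n' 'setenv RSYNC_RSH /usr/bin/ssh' > "$1/login"
    printf '%s\n' '# rsh replaced by ssh' \
        'rsh-path=/usr/local/bin/ssh' > "$1/pinerc"
    printf '%s\n' 'rcp myfile remote.example.com:' \
        'scp myfile remote.example.com:' > "$1/backup.sh"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
find_rcmd_refs "$sample"
echo "lines to fix: $(count_rcmd_refs "$sample")"
rm -rf "$sample"
```

Run it over home directories, cron scripts, and system configuration directories before deleting the r-command binaries; a count of zero means no remaining textual references in the scanned tree.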



[41] CVS also has a remote-access method involving its own server, called pserver. This mechanism can be secured using SSH port forwarding instead; read Chapter 9 for the general technique.
