SSH and the r-commands (rsh, rcp, rlogin) can coexist peacefully on the same machine. Since the r-commands are insecure, however, system administrators should replace them by their SSH counterparts (ssh, scp, slogin). This replacement has two parts:
Installing SSH and removing rsh, rcp, and rlogin; requires some user retraining
Modifying other programs or scripts that invoke the r-commands
The r-commands are so similar to their analogous SSH commands, you might be tempted to rename the SSH commands as the r-commands (e.g., rename ssh as rsh, etc.). After all, common commands like these are practically identical in syntax:
$ rsh -l jones remote.example.com $ ssh -l jones remote.example.com $ rcp myfile remote.example.com: $ scp myfile remote.example.com:
Why not just rename? Well, the two sets of programs are incompatible in some ways. For example, some old versions of rcp use a different syntax for specifying remote filenames.
In the following sections, we discuss some common Unix programs that invoke the r-commands and how to adapt them to use SSH instead.
CVS is a version-control system. It maintains a history of changes to sets of files, and helps coordinate the work of multiple people on the same files. It can use rsh to connect to repositories on remote hosts. For example, when you check in a new version of a file:
$ cvs commit myfile
if the repository is located on a remote machine, CVS can invoke rsh to access the remote repository. For a more secure solution, CVS can run ssh instead of rsh. Of course, the remote machine must be running an SSH server, and if you use public-key authentication, your remote account must contain your key in the appropriate place.
To make CVS use ssh, simply set the
contain the path to your ssh client:
# Bourne shell family # Put in ~/.profile to make permanent. CVS_RSH=/usr/bin/ssh export CVS_RSH # C shell family # Put in ~/.login to make permanent. setenv CVS_RSH /usr/bin/ssh
This approach has one problem: each time you check in a file,
the logger’s name is the remote account owner, which might not be your
own. The problem is solved by manually setting the remote
LOGNAME variable using the
environment option in your remote authorized_keys file. [184.108.40.206]
The Emacs variable
remote-shell-program contains the path to
any desired program for invoking a remote shell. Simply redefine it to
be the full path to your ssh executable. Also,
the rlogin package, rlogin.el, defines a variable
rlogin-program you can redefine to use
The Pine mail reader uses rsh to invoke
mail-server software on remote machines. For example, it might invoke
the IMAP daemon, imapd, on a remote mail server.
Another program can be substituted for rsh by
changing the value of a Pine configuration variable,
rsh-path. This variable holds the name of
the program for opening remote shell connections, normally /usr/bin/rsh. A new value can be assigned
in an individual user’s Pine configuration file, ~/.pinerc, or in the systemwide Pine
configuration file, typically /usr/local/lib/pine.conf. For
# Set in a Pine configuration file rsh-path=/usr/local/bin/ssh
A second variable,
rsh-command, constructs the actual command
string to be executed for the remote mail server. The value is a
pattern in the style of the C function
printf(). Most likely, you won’t need to
change the value because both rsh and
ssh fit the default pattern, which is:
"%s %s -l %s exec /etc/r%sd"
The first three “%s” pattern substitutions refer to the
rsh-path value, the remote hostname, and the
remote username. (The fourth forms the remote mail daemon name, which
doesn’t concern us.) So, by default, if your username is
alice and the remote mail server is
rsh-command evaluates to:
/usr/bin/rsh mail.example.com -l alice ...
By changing the
/usr/local/bin/ssh mail.example.com -l alice ...
As we said, you probably don’t need to do anything with
rsh-command, but just in case, we’ve
included it for reference. We present a detailed case study of
integrating Pine and SSH later. [11.3]
rdist are software tools for synchronizing sets
of files between different directories on the same machine or on two
different hosts. Both can call rsh to connect to
a remote host, and both can easily use SSH instead: simply set the
RSYNC_RSH environment variable or
use the -e command-line option for
rsync, and use the -P option
with rdist. rsync with SSH
is a particularly simple and effective method to securely maintain
remote mirrors of whole directory trees.