4.5. Replacing R-Commands with SSH

SSH and the r-commands (rsh, rcp, rlogin) can coexist peacefully on the same machine. Since the r-commands are insecure, however, some system administrators prefer to replace them by their SSH counterparts (ssh, scp, slogin). This replacement has two parts:

    $ rsh -l jones remote.example.com
    $ ssh -l jones remote.example.com
    $ rcp myfile remote.example.com:
    $ scp myfile remote.example.com:

Why not just rename? Well, the two sets of programs are incompatible in some ways. For example, not all versions of ssh support the "hostname link" feature of rsh [Section 2.7.3, "Hostname Links"], and some old versions of rcp use a different syntax for specifying remote filenames. In the following sections, we discuss some common Unix programs that invoke the r-commands and how to adapt them to use SSH instead.
4.5.1. The /usr/hosts Directory

The program rsh has an interesting feature called hostname links. [Section 2.7.3, "Hostname Links"] If you rename the executable from "rsh" to something else, the program treats its new name as a hostname and connects to it by default. For example, if you rename rsh as "petunia," on invocation it executes rsh petunia. The renaming may be done literally or by creating a hard link or symbolic link to rsh:

    $ ls -l petunia
    lrwxrwxrwx 1 root 12 Jan 31 1996 petunia -> /usr/ucb/rsh
    $ petunia
    Welcome to petunia!
    Last login was Wed Oct 6 21:38:14 from rhododendron
    You have mail.

Some Unix machines have a directory, commonly /usr/hosts, that contains symbolic links to rsh representing various hosts on the local network (or beyond):

    $ ls -l /usr/hosts
    lrwxrwxrwx 1 root 12 Jan 31 1996 lily -> /usr/ucb/rsh
    lrwxrwxrwx 1 root 12 Jan 31 1996 petunia -> /usr/ucb/rsh
    lrwxrwxrwx 1 root 12 Jan 31 1996 rhododendron -> /usr/ucb/rsh
    ...

If you eliminate /usr/ucb/rsh from such a machine, obviously these links become orphaned. Delete them and replace them with links to ssh, perhaps with a shell script like this:

    #!/bin/sh
    # Replace every hostname link in /usr/hosts with a link to ssh.
    SSH=/usr/local/bin/ssh
    cd /usr/hosts || exit 1    # never run the loop in the wrong directory
    for file in *
    do
        rm -f "$file"
        ln -s "$SSH" "$file"
        echo "Linked $file to $SSH"
    done
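The script above removes everything in the directory before relinking. As an added example (not the book's code), the following generalizes it: it repoints only those symbolic links that actually target the rsh binary, leaves regular files and unrelated links alone, and refuses to run unless the ssh client is present and executable. The function names relink_hosts and make_sample_hosts, and every path in the sample directory, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not code from the book. Generalizes the relinking script:
# only symlinks whose target is the rsh path are replaced, other files are
# untouched, and a missing ssh client aborts the run. Paths are assumptions.

# relink_hosts DIR SSH_PATH RSH_PATH
# Repoints every symlink in DIR whose target is RSH_PATH to SSH_PATH.
# Prints the number of links changed; returns 1 on a bad setup.
relink_hosts() {
    dir=$1; ssh_path=$2; rsh_path=$3
    [ -x "$ssh_path" ] || { echo "relink_hosts: $ssh_path is not executable" >&2; return 1; }
    [ -d "$dir" ] || { echo "relink_hosts: $dir is not a directory" >&2; return 1; }
    changed=0
    for file in "$dir"/*; do
        [ -L "$file" ] || continue                            # skip regular files and an unmatched glob
        [ "$(readlink "$file")" = "$rsh_path" ] || continue   # leave links to anything else alone
        rm -f "$file"
        ln -s "$ssh_path" "$file"
        echo "Linked $file to $ssh_path" >&2
        changed=$((changed + 1))
    done
    echo "$changed"
}

# make_sample_hosts DIR SSH_PATH
# Builds a constructed /usr/hosts-style directory (two rsh hostname links, one
# unrelated link, one regular file) plus a dummy executable standing in for the
# ssh client, so the function can be exercised offline without touching /usr/hosts.
make_sample_hosts() {
    mkdir -p "$1"
    ln -s /usr/ucb/rsh "$1/petunia"
    ln -s /usr/ucb/rsh "$1/lily"
    ln -s /bin/sh "$1/other"
    echo "not a link" > "$1/README"
    : > "$2" && chmod 755 "$2"
}
```

Run it against a scratch copy first, for example make_sample_hosts /tmp/hosts /tmp/fake-ssh followed by relink_hosts /tmp/hosts /tmp/fake-ssh /usr/ucb/rsh, and inspect the result with ls -l before pointing it at the real directory.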
4.5.2. Concurrent Version System (CVS)

CVS is a version-control system. It maintains a history of changes to sets of files, and helps coordinate the work of multiple people on the same files. It can use rsh to connect to repositories on remote hosts. For example, when you check in a new version of a file:

    $ cvs commit myfile

If the repository is located on a remote machine, CVS may invoke rsh to access the remote repository. For a more secure solution, CVS can run ssh instead of rsh. Of course, the remote machine must be running an SSH server, and if you use public-key authentication, your remote account must contain your key in the appropriate place.

CVS also has a remote-access method involving its own server, called pserver. This mechanism can be secured using SSH port forwarding instead; see Chapter 9, "Port Forwarding and X Forwarding".

To make CVS use ssh, simply set the environment variable CVS_RSH to contain the path to your ssh client:

    # Bourne shell family
    # Put in ~/.profile to make permanent.
    CVS_RSH=/usr/local/bin/ssh
    export CVS_RSH

    # C shell family
    # Put in ~/.login to make permanent.
    setenv CVS_RSH /usr/local/bin/ssh

This approach has one problem: each time you check in a file, the name recorded in the log is that of the remote account owner, which might not be your own. The problem is solved by manually setting the remote LOGNAME variable using the "environment=" option in your remote authorized_keys file. [Section "Example: CVS and $LOGNAME"]
4.5.3. GNU Emacs

The Emacs variable remote-shell-program contains the path to any desired program for invoking a remote shell. Simply redefine it to be the full path to your ssh executable. Also, the rlogin package, rlogin.el, defines a variable rlogin-program you can redefine to use slogin.
4.5.4. Pine

The Pine mail reader uses rsh to invoke mail-server software on remote machines. For example, it might invoke the IMAP daemon, imapd, on a remote mail server. Another program may be substituted for rsh by changing the value of a Pine configuration variable, rsh-path. This variable holds the name of the program for opening remote shell connections, normally /usr/ucb/rsh. A new value may be assigned in an individual user's Pine configuration file, ~/.pinerc, or in the system-wide Pine configuration file, typically /usr/local/lib/pine.conf. For example:

    # Set in a Pine configuration file
    rsh-path=/usr/local/bin/ssh

A second variable, rsh-command, constructs the actual command string to be executed for the remote mail server. The value is a pattern in the style of the C function printf( ). Most likely, you won't need to change the value because both rsh and ssh fit the default pattern, which is:

    "%s %s -l %s exec /etc/r%sd"

The first three "%s" pattern substitutions refer to the rsh-path value, the remote hostname, and the remote username. (The fourth forms the remote mail daemon name, which doesn't concern us.) So by default, if your username is alice and the remote mail server is mail.example.com, rsh-command evaluates to:

    /usr/ucb/rsh mail.example.com -l alice ...

By changing the rsh-path, it becomes instead:

    /usr/local/bin/ssh mail.example.com -l alice ...

As we said, you probably don't need to do anything with rsh-command, but just in case, we've included it for reference. We present a detailed case study of integrating Pine and SSH1 later. [Section 11.3, "Pine, IMAP, and SSH"]
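To see exactly which command a given Pine configuration will hand to the remote shell, here is an added example (not from the book and not Pine's own code) that reads rsh-path and rsh-command from a pinerc-style file, applies the defaults described above when they are absent, and expands the printf-style pattern with the host, user and daemon name. The function names pine_option, pine_remote_command and write_sample_pinerc, the sample configuration, and the handling of optional surrounding double quotes are assumptions.

```shell
#!/bin/sh
# Added example, not from the book or from Pine: expand the rsh-command
# pattern from a pinerc-style file the way Section 4.5.4 describes. The
# sample configuration below is constructed; function names are assumptions.

# pine_option FILE NAME DEFAULT
# Prints the value of "NAME=value" from FILE (last occurrence wins, lines
# beginning with # are ignored, surrounding double quotes are dropped), or
# DEFAULT when the option is absent or empty.
pine_option() {
    value=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed -e 's/^"//' -e 's/"$//')
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$3"; fi
}

# pine_remote_command FILE HOST USER DAEMON
# Builds the command Pine would execute: the rsh-command pattern with
# rsh-path, host, user and daemon name substituted in that order.
pine_remote_command() {
    rsh_path=$(pine_option "$1" rsh-path /usr/ucb/rsh)
    pattern=$(pine_option "$1" rsh-command '%s %s -l %s exec /etc/r%sd')
    # The configured pattern is deliberately used as the format string, as Pine does.
    printf "$pattern\n" "$rsh_path" "$2" "$3" "$4"
}

# write_sample_pinerc FILE: a constructed ~/.pinerc that switches Pine to ssh.
write_sample_pinerc() {
    cat > "$1" <<'EOF'
# constructed sample ~/.pinerc
personal-name=Alice Example
# Set in a Pine configuration file
rsh-path=/usr/local/bin/ssh
EOF
}
```

Running pine_remote_command on a file where rsh-path is unset shows the /usr/ucb/rsh command the text gives as the default, and on the sample file it shows the ssh form; checking the first word of that output is a quick way to confirm that a user's or the system-wide configuration no longer falls back to rsh.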
4.5.5. rsync, rdist

rsync and rdist are software tools for synchronizing sets of files between different directories on the same machine or on two different hosts. Both can call rsh to connect to a remote host, and both can easily use SSH instead: point rsync's RSYNC_RSH environment variable and rdist's -P option at your ssh client. rsync over SSH is a particularly simple and effective method for securely maintaining remote mirrors of whole directory trees.
Copyright © 2002 O'Reilly & Associates. All rights reserved.