4.5. Replacing R-Commands with SSH
SSH and the
r-commands (
rsh,
rcp,
rlogin) can coexist
peacefully on the same machine. Since the r-commands are insecure,
however, some system administrators prefer to replace them by their
SSH counterparts (
ssh,
scp,
slogin). This replacement has two parts:
- Installing SSH and removing rsh,
rcp, and rlogin; requires some
user retraining
- Modifying other programs or scripts that invoke the r-commands
The r-commands are so similar to their analogous SSH commands, you
might be tempted to rename the SSH commands as the r-commands (e.g.,
rename
ssh as
rsh, etc.). After
all, common commands like these are practically identical in syntax:
$ rsh -l jones remote.example.com
$ ssh -l jones remote.example.com
$ rcp myfile remote.example.com:
$ scp myfile remote.example.com:
Why not just rename? Well, the two sets of programs are incompatible
in some ways. For example, not all versions of
ssh
support the "hostname link" feature of
rsh [
Section 2.7.3, "Hostname Links"], and some old
versions of
rcp use a different syntax for
specifying remote filenames.
In the following sections, we discuss some common Unix programs that
invoke the r-commands and how to adapt them to use SSH instead.
4.5.1. The /usr/hosts Directory
The program
rsh has an interesting feature called
hostname links. [
Section 2.7.3, "Hostname Links"] If you
rename the executable from "rsh" to something else, the
program treats its new name as a hostname and connects to it by
default. For example, if you rename
rsh as
"petunia," on invocation it executes
rsh
petunia. The renaming may be done literally or by creating
a hard link or symbolic link to
rsh:
$ ls -l petunia
lrwxrwxrwx 1 root 12 Jan 31 1996 petunia -> /usr/ucb/rsh
$ petunia
Welcome to petunia!
Last login was Wed Oct 6 21:38:14 from rhododendron
You have mail.
Some Unix machines have a directory, commonly
/usr/hosts, that contains symbolic links to
rsh representing various hosts on the local
network (or beyond):
$ ls -l /usr/hosts
lrwxrwxrwx 1 root 12 Jan 31 1996 lily -> /usr/ucb/rsh
lrwxrwxrwx 1 root 12 Jan 31 1996 petunia -> /usr/ucb/rsh
lrwxrwxrwx 1 root 12 Jan 31 1996 rhododendron -> /usr/ucb/rsh
...
If you eliminate
/usr/ucb/rsh from such a
machine, obviously these links become orphaned. Delete them and
replace them with links to
ssh, perhaps with a
shell script like this:
#!/bin/sh
SSH=/usr/local/bin/ssh
cd /usr/hosts
for file in *
do
rm -f $file
ln -s $SSH $file
echo "Linked $file to $SSH"
done
4.5.2. Concurrent Version System (CVS)
CVS is a
version-control
system. It maintains a history of changes to
sets of files, and helps coordinate the work of multiple people on
the same files. It can use
rsh to connect to
repositories on remote hosts. For example, when you check in a new
version of a file:
$ cvs commit myfile
if the repository is located on a remote machine, CVS may invoke
rsh to access the remote repository. For a more
secure solution, CVS can run
ssh instead of
rsh. Of course, the remote machine must be running
an SSH server, and if you use public-key authentication, your remote
account must contain your key in the appropriate place.
[54]
To make CVS use
ssh, simply set the environment
variable CVS_RSH to contain the path to your
ssh
client:
# Bourne shell family
# Put in ~/.profile to make permanent.
CVS_RSH=/usr/local/bin/ssh
export CVS_RSH
# C shell family
# Put in ~/.login to make permanent.
setenv CVS_RSH /usr/local/bin/ssh
This approach has one problem: each time you check in a file, the
logger's name is the remote account owner, which might not be
your own. The problem is solved by manually setting the remote
LOGNAME variable using the
"environment=" option in your remote
authorized_keys file. [
Section 8.2.6.1, "Example: CVS and $LOGNAME "]
4.5.3. GNU Emacs
The
Emacs variable
remote-shell-program contains the
path to any desired program for invoking a remote shell. Simply
redefine it to be the full path to your
ssh
executable. Also, the
rlogin package,
rlogin.el, defines a variable
rlogin-program you can redefine to
use
slogin.
4.5.4. Pine
The
Pine mail reader uses
rsh
to invoke mail-server software on remote machines. For example, it
might invoke the IMAP daemon,
imapd, on a remote
mail server. Another program may be substituted for
rsh by changing the value of a Pine configuration
variable,
rsh-path. This variable
holds the name of the program for opening remote shell connections,
normally
/usr/ucb/rsh. A new value may be
assigned in an individual user's Pine configuration file,
~/.pinerc, or in the system-wide Pine
configuration file, typically
/usr/local/lib/pine.conf. For example:
# Set in a Pine configuration file
rsh-path=/usr/local/bin/ssh
A second variable,
rsh-command,
constructs the actual command string to be executed for the remote
mail server. The value is a pattern in the style of the C function
printf( ). Most likely, you won't need to
change the value because both
rsh and
ssh fit the default pattern, which is:
"%s %s -l %s exec /etc/r%sd"
The first three "%s" pattern substitutions refer to the
rsh-path value, the remote hostname,
and the remote username. (The fourth forms the remote mail daemon
name, which doesn't concern us.) So by default, if your
username is
alice and the remote mail server is
mail.example.com,
rsh-command evaluates to:
/usr/ucb/rsh mail.example.com -l alice ...
By changing the
rsh-path, it
becomes instead:
/usr/local/bin/ssh mail.example.com -l alice ...
As we said, you probably don't need to do anything with
rsh-command, but just in case,
we've included it for reference. We present a detailed case
study of integrating Pine and SSH1 later. [
Section 11.3, "Pine, IMAP, and SSH"]
4.5.5. rsync, rdist
rsync
and
rdist
are software tools for synchronizing sets of files between different
directories on the same machine or on two different hosts. Both can
call
rsh to connect to a remote host, and both can
easily use SSH instead: simply set the RSYNC_RSH for
rsync and use the
-P option with
rdist.
rsync with SSH is a
particularly simple and effective method to securely maintain remote
mirrors of whole directory trees.
 |  |  |
| 4.4. Software Inventory |  | 4.6. Summary |
