(Kerberos rsh with v4 ticket forwarding)


krsh [-fhqvVx] [-l username] host command ...


krsh forwards your Kerberos ticket-granting ticket to the machine host using kftgt and then executes command on that system using Kerberos rsh. It assumes that the remote system has aklog, kdestroy, and unlog installed on your default path on the remote system. If kftgt fails with an error indicating that the remote system isn't running kftgtd, the user has no Kerberos v4 ticket cache, or the user has no .klogin file on the remote system, krsh continues anyway (in case Kerberos v5 will work fine). Otherwise, krsh fails if kftgt fails.

Normally it's not necessary to forward one's ticket to execute commands remotely with rsh. The reason for the existence of this wrapper is to facilitate running programs that need to write to disk on a remote system that uses AFS. The commands given to krsh will be wrapped by an execution of aklog before the command to obtain an AFS token from the forwarded ticket and kdestroy and unlog after the command to destroy the forwarded ticket and obtained token.

The host given to krsh is put through a forward and then reverse DNS lookup before being used, to resolve any CNAMEs to their canonical hosts and to handle load-balanced hosts or hosts with multiple A records.

Please note that Kerberos rsh generally will not put your new session in a PAG, which means that any tokens that you get on the remote system will become available to all processes running outside a PAG with that same UID, and the unlog command added to krsh will similarly remove all tokens for all processes outside a PAG with that same UID. This means this command is often not what you want when running commands remotely as root and it may be better to use Kerberos rsh directly.


-f, --noforward

Don't forward tickets to the remote host. This tells krsh not to run kftgt and not pass the -f flag to rsh for K5 ticket forwarding. This option essentially makes krsh function exactly like rsh except with the DNS resolution described above.

-h, --help

Print a summary of options and exit.

-l username, --login=username

Set the username on the remote system to username. This is the user to log in as as well as user to which to forward tickets. If this option is not given, the default will be the username on the local host. This option will often be necessary if the local username differs from the Kerberos principal name, since kftgt and rsh differ on the default otherwise.

-q, --quiet

Tell kftgt to not print out its initial message about forwarding your ticket. Some programs that use rsh are confused by the initial output.

-V, --verbose

Print out each command and the arguments used before it's executed.

-v, --version

Print the version number of klogin and exit.

-x, --encrypt

Encrypt the connection to the remote host. This is not the default because it only works with Kerberos v5 rsh. If the remote system does not have a Kerberos v5 keytab, or if you do not have a Kerberos v5 TGT, this will cause krsh to fail.


Regular rsh options are not accepted and passed to rsh.


krsh was originally written by Larry Schwimmer <>.

Questions and bug reports may be sent to Russ Allbery <>, but please be aware that we only support Stanford affiliates and may not be able to help with problems at other sites.


Copyright 1996, 2001, 2002, 2003, 2005 Board of Trustees, Leland Stanford Jr. University

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.



aklog(1), kdestroy(1), kftgt(1), klogin(1), rsh(1), unlog(1)

Last spun 2014-07-26 from POD modified 2007-06-06