>_cmd.script

rcp

Legacy remote file copy (unencrypted, obsolete)

Networking

By CMD Script Team · 4 min read · Last updated

SYNTAX
rcp [OPTIONS] SOURCE... DESTINATION

Options

Command options and flags
FlagDescription
-rRecursively copy directories
-pPreserve modification times and modes of the source files
-aUse AF_INET6 (IPv6) only, on some implementations

Distribution compatibility

  • Ubuntu (package removed from default install)
  • Debian (rsh-client)
  • Fedora (rsh package, legacy)
  • Arch (AUR only)
  • macOS (not installed by default)

What it does

rcp ("remote copy") copies files between hosts using the same trust model as the old BSD rsh/rlogin tools: it typically relies on .rhosts or /etc/hosts.equiv files on the remote host to decide whether to allow the copy without a password, and it sends everything — including any credentials involved — over the network in plain text. It predates SSH entirely and is considered obsolete and insecure by virtually every modern security guideline. It's documented here mainly so you can recognize it in legacy scripts and know what to replace it with.

Beginner examples

  • rcp file.txt host2:/home/alice/ — copy a local file to a directory on a remote host
  • rcp host2:/etc/hostname ./hostname-backup — copy a remote file to the local machine
  • rcp -r ./project host2:/tmp/project — recursively copy a local directory to a remote host
rcp notes.txt host2:/home/alice/notes.txt

Advanced examples

  • Copy between two remote hosts from a third machine (if trust is configured): rcp host1:/data/file host2:/data/file
  • Preserve file modification times during copy: rcp -p file.txt host2:/tmp/
  • Recursively mirror a directory tree onto another trusted host: rcp -r ./logs host2:/var/backup/logs
rcp -rp ./configs host2:/etc/app/configs

Common mistakes

  • Assuming rcp behaves like scp security-wise just because the syntax looks the same — it does not encrypt anything and should never be used across an untrusted network or the public internet.
  • Relying on .rhosts/hosts.equiv trust files, which grant password-less access based on hostname/IP and are trivially spoofed on a shared or untrusted network.
  • Trying to run rcp on a modern system and finding it's not installed at all — most distributions dropped the rsh-client/rsh-server packages from default installs years ago.
  • Leaving old rcp-based automation (cron jobs, cluster scripts) in place without realizing it's transmitting data in clear text.

Tips

  • If you find rcp in an inherited script, treat it as a signal to audit that system for other insecure r-commands (rsh, rlogin) and modernize the whole workflow.
  • On most current Linux distributions, rcp is a symlink to scp provided for backward-compatible command names — check with type rcp before assuming it's the legacy insecure binary.
  • If rcp truly is the legacy tool, the fastest fix is almost always a drop-in scp/rsync -e ssh replacement since the argument syntax (host:path) is nearly identical.

Best practices

  • Never enable the legacy rsh/rcp services on a network that touches the internet or any untrusted segment.
  • Migrate any remaining rcp usage to scp for single-shot copies or rsync -e ssh for anything recurring or large, since both preserve the familiar host:path syntax.
  • If you must support legacy hosts that only speak rcp, isolate them on a dedicated, firewalled management network rather than exposing the service broadly.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Recognizing and replacing rcp calls found in decades-old shell scripts or cron jobs during a security audit or modernization project.
  • Understanding historical Unix cluster/HPC tooling that used rcp-style semantics before SSH-based tools became the default.
  • Explaining, in an interview or code review, why a found rcp invocation is a red flag and what the safe equivalent looks like.

Common interview questions

  • Why is rcp considered insecure? It transmits data and any host-trust handshake in plain text and typically authenticates via .rhosts/hosts.equiv, which trust a claimed hostname/IP rather than a real credential.
  • What's the modern replacement for rcp? scp for single copies, or rsync -e ssh for repeated/large transfers — both encrypt via SSH and use similar host:path syntax.
  • Is rcp still installed by default on Linux? No, most modern distributions do not install the rsh/rcp packages by default; some ship rcp as a compatibility alias for scp instead.

Frequently Asked Questions

Is rcp still used today?

Almost never on purpose. rcp is part of the old BSD r-commands family (rlogin, rsh, rcp) and transmits everything, including any authentication handshake, in clear text. Nearly every modern distro ships it disabled or omits it entirely in favor of scp/rsync over SSH.

How is rcp different from scp?

The command syntax looks almost identical (rcp host:file dest), but scp tunnels the copy through an encrypted SSH connection while rcp uses the unencrypted rsh protocol and typically relies on .rhosts-style host trust instead of a real login.

Why would I ever encounter rcp?

Mostly in legacy internal networks, old Unix appliances, or embedded systems that predate SSH being ubiquitous, and in some cluster/HPC job schedulers that historically used rcp-style copy semantics for trusted, isolated networks.

What should I use instead?

Use scp or, better, rsync -e ssh for anything beyond a single file — both give you the same simple syntax with proper encryption and (with rsync) delta transfers.

Cheat sheet

Download a quick-reference cheat sheet for rcp.