rcp
Legacy remote file copy (unencrypted, obsolete)
By CMD Script Team · 4 min read · Last updated
rcp [OPTIONS] SOURCE... DESTINATIONOptions
| Flag | Description |
|---|---|
-r | Recursively copy directories |
-p | Preserve modification times and modes of the source files |
-a | Use AF_INET6 (IPv6) only, on some implementations |
Distribution compatibility
- Ubuntu (package removed from default install)
- Debian (rsh-client)
- Fedora (rsh package, legacy)
- Arch (AUR only)
- macOS (not installed by default)
What it does
rcp ("remote copy") copies files between hosts using the same trust model as the old
BSD rsh/rlogin tools: it typically relies on .rhosts or /etc/hosts.equiv files
on the remote host to decide whether to allow the copy without a password, and it sends
everything — including any credentials involved — over the network in plain text. It
predates SSH entirely and is considered obsolete and insecure by virtually every modern
security guideline. It's documented here mainly so you can recognize it in legacy
scripts and know what to replace it with.
Beginner examples
rcp file.txt host2:/home/alice/— copy a local file to a directory on a remote hostrcp host2:/etc/hostname ./hostname-backup— copy a remote file to the local machinercp -r ./project host2:/tmp/project— recursively copy a local directory to a remote host
rcp notes.txt host2:/home/alice/notes.txt
Advanced examples
- Copy between two remote hosts from a third machine (if trust is configured):
rcp host1:/data/file host2:/data/file - Preserve file modification times during copy:
rcp -p file.txt host2:/tmp/ - Recursively mirror a directory tree onto another trusted host:
rcp -r ./logs host2:/var/backup/logs
rcp -rp ./configs host2:/etc/app/configs
Common mistakes
- Assuming
rcpbehaves likescpsecurity-wise just because the syntax looks the same — it does not encrypt anything and should never be used across an untrusted network or the public internet. - Relying on
.rhosts/hosts.equivtrust files, which grant password-less access based on hostname/IP and are trivially spoofed on a shared or untrusted network. - Trying to run
rcpon a modern system and finding it's not installed at all — most distributions dropped thersh-client/rsh-serverpackages from default installs years ago. - Leaving old
rcp-based automation (cron jobs, cluster scripts) in place without realizing it's transmitting data in clear text.
Tips
- If you find
rcpin an inherited script, treat it as a signal to audit that system for other insecure r-commands (rsh,rlogin) and modernize the whole workflow. - On most current Linux distributions,
rcpis a symlink toscpprovided for backward-compatible command names — check withtype rcpbefore assuming it's the legacy insecure binary. - If
rcptruly is the legacy tool, the fastest fix is almost always a drop-inscp/rsync -e sshreplacement since the argument syntax (host:path) is nearly identical.
Best practices
- Never enable the legacy
rsh/rcpservices on a network that touches the internet or any untrusted segment. - Migrate any remaining
rcpusage toscpfor single-shot copies orrsync -e sshfor anything recurring or large, since both preserve the familiarhost:pathsyntax. - If you must support legacy hosts that only speak
rcp, isolate them on a dedicated, firewalled management network rather than exposing the service broadly.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Recognizing and replacing
rcpcalls found in decades-old shell scripts or cron jobs during a security audit or modernization project. - Understanding historical Unix cluster/HPC tooling that used
rcp-style semantics before SSH-based tools became the default. - Explaining, in an interview or code review, why a found
rcpinvocation is a red flag and what the safe equivalent looks like.
Common interview questions
- Why is rcp considered insecure? It transmits data and any host-trust handshake in
plain text and typically authenticates via
.rhosts/hosts.equiv, which trust a claimed hostname/IP rather than a real credential. - What's the modern replacement for rcp?
scpfor single copies, orrsync -e sshfor repeated/large transfers — both encrypt via SSH and use similarhost:pathsyntax. - Is rcp still installed by default on Linux? No, most modern distributions do not
install the
rsh/rcppackages by default; some shiprcpas a compatibility alias forscpinstead.
Frequently Asked Questions
Is rcp still used today?
Almost never on purpose. rcp is part of the old BSD r-commands family (rlogin, rsh, rcp) and transmits everything, including any authentication handshake, in clear text. Nearly every modern distro ships it disabled or omits it entirely in favor of scp/rsync over SSH.
How is rcp different from scp?
The command syntax looks almost identical (rcp host:file dest), but scp tunnels the copy through an encrypted SSH connection while rcp uses the unencrypted rsh protocol and typically relies on .rhosts-style host trust instead of a real login.
Why would I ever encounter rcp?
Mostly in legacy internal networks, old Unix appliances, or embedded systems that predate SSH being ubiquitous, and in some cluster/HPC job schedulers that historically used rcp-style copy semantics for trusted, isolated networks.
What should I use instead?
Use scp or, better, rsync -e ssh for anything beyond a single file — both give you the same simple syntax with proper encryption and (with rsync) delta transfers.
Cheat sheet
Download a quick-reference cheat sheet for rcp.