rsh
Legacy remote shell/command execution (unencrypted, obsolete)
By CMD Script Team · 4 min read · Last updated
rsh [OPTIONS] host [command]Options
| Flag | Description |
|---|---|
-l | Log in as a specific remote username instead of the local one |
-n | Redirect input from /dev/null, useful when running rsh in the background |
command | A remote command to execute; if omitted, rsh behaves like rlogin and opens an interactive shell |
Distribution compatibility
- Ubuntu (rsh-client, legacy, not installed by default)
- Debian (rsh-client)
- Fedora (rsh package, legacy)
- Arch (AUR only)
- macOS (removed from modern releases)
What it does
rsh ("remote shell") executes a command on a remote host, or opens an interactive
shell if no command is given, using the same unencrypted, host-based trust model as
rlogin. It's one of the classic BSD "r-commands" (alongside rlogin and rcp) that
were the standard way to run remote commands on Unix networks before SSH existed. Like
its siblings, it transmits everything in clear text and can rely on .rhosts/
hosts.equiv trust files instead of real authentication, which is why it's obsolete
and considered a security liability on any network that isn't fully isolated and
trusted.
Beginner examples
rsh host2 uptime— runuptimeonhost2and print the output locallyrsh -l alice host2 'whoami'— run a command as a specific remote userrsh host2— with no command given, opens an interactive remote shell (behaving likerlogin)
rsh host2 df -h
Advanced examples
- Run a command as a specific remote user:
rsh -l svc-account host2 'systemctl status app' - Redirect input from
/dev/nullso a backgrounded rsh job doesn't hang waiting on stdin:rsh -n host2 'backup.sh' & - Chain remote command output directly into a local pipeline:
rsh host2 'cat /var/log/app.log' | grep ERROR
rsh -l svc-account host2 'tail -n 100 /var/log/app.log'
Common mistakes
- Running
rshagainst any host reachable from an untrusted network — its lack of encryption exposes both the command and its output (and any credentials involved) to anyone on the network path. - Relying on
.rhosts/hosts.equivtrust and assuming that's equivalent to real authentication — it trusts a claimed source host/user, which is spoofable. - Confusing
rshwith the Korn/Bourne "restricted shell" mode (also sometimes calledrshas a shell name,/bin/rshsymlinked to a restrictedbash/ksh) — same command name historically, completely different, unrelated tool. - Assuming a modern distro ships
rsh— most don't install thersh-client/rsh-serverpackages by default anymore.
Tips
- If you see
rsh host commandin an old script, the direct modern equivalent isssh host command— the calling convention is nearly identical. - Double-check whether "rsh" in a given context refers to the remote-shell network command or a restricted local shell — the name is genuinely overloaded in Unix history.
- Audit for and remove
.rhosts/hosts.equivfiles alongside anyrshusage found during a security review; they usually go together.
Best practices
- Never enable
rshdon a network segment that isn't fully isolated and trusted end to end. - Replace any remaining
rsh host commandautomation withssh host command, ideally using a dedicated key pair scoped to only the commands that automation needs. - Treat discovery of
rshusage orrshdrunning in production as a security finding requiring remediation, not just a style/modernization nit.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Identifying and replacing
rsh-based automation (old cron jobs, cluster job submission scripts) during infrastructure modernization or a security audit. - Historical/educational context when studying the evolution of Unix remote access tools from r-commands to SSH.
- Explaining in an interview why finding
rshdenabled on a host during a penetration test is a critical-severity finding.
Common interview questions
- What's the difference between rsh and rlogin?
rshis built to run a single remote command and exit (falling back to an interactive shell only if no command is given);rloginalways opens an interactive login session. - Why is rsh considered insecure? It transmits everything unencrypted and commonly
authenticates via host-based trust files (
.rhosts/hosts.equiv) rather than a verified credential, making it vulnerable to spoofing and eavesdropping. - What's the direct modern replacement for
rsh host command?ssh host command— same calling convention, but encrypted and with real authentication.
Frequently Asked Questions
Is rsh safe to use today?
No. Like rlogin, rsh sends everything in plain text and typically authenticates via .rhosts/hosts.equiv host-based trust rather than real credentials, so it should not be used on any network you don't fully control and trust.
How is rsh different from rlogin?
rlogin always opens an interactive login shell; rsh is built to run a single remote command non-interactively (rsh host command) and only falls back to an interactive shell if no command is given, similar to how ssh host command works today.
What's the modern replacement for rsh?
ssh host 'command' provides the same one-shot remote command execution, but over an encrypted connection with real authentication instead of host-based trust.
Why would rsh still appear in scripts?
It's part of the classic BSD r-commands suite that predates SSH, so legacy cluster/HPC job schedulers, old cron jobs, and decades-old sysadmin scripts sometimes still reference it even though it's now considered obsolete and insecure.
Cheat sheet
Download a quick-reference cheat sheet for rsh.