krb5-appl/1112: rsh passing of -x breaks interoperability

[darrenr@chiron.nabaus.com.au]

>Number:         1112
>Category:       krb5-appl
>Synopsis:       rsh passing of -x breaks interoperability
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue May 21 21:46:00 EDT 2002
>Last-Modified:
>Originator:     Darren Reed
>Organization:
Optimation
>Release:        krb5-1.2.5
>Environment:
	
System: SunOS chiron 5.5.1 Generic_103640-34 sun4u sparc SUNW,Ultra-2
Architecture: sun4

>Description:
When you invoke the Kerberised version of rsh with the -x command line
parameter, it passes through "-x " at the front of the command line to
the daemon at the other end.  If the other end is also a Kerberised
rsh daemon, the Kerberos session will get created but unless it understands
the "-x ", it will fail to invoke the "real command".

In this case we're working with Kerberos from another vendor and can
see their rshd running commands like this:

bash -c -x who

after executing rsh like this:

rsh -x remote who

Maybe if the docs added this line to the installation of BSD services:

ekshell stream tcp nowait root /usr/local/sbin/kshd kshd -k -c -A -x

and rsh connected to ekshell/tcp for encrypted sessions (-x) then it
would not need to pass -x like this ?

Since we have klogin/eklogin for rlogin, it's kind of curious why there
isn't the same for rsh.
>How-To-Repeat:
See above.
>Fix:
Current work around is to #if-0 out the code which prepends the -x to the
command string passed to the remote rsh daemon and add -x to rshd for kshell
service.  Will also look at implementing above ideas and send patches if
felt of use.  NOTE: no change to krshd is proposed so it should continue to
work with clients that send the -x and those that don't.
>Audit-Trail:
>Unformatted: