Table of Contents


SSLrsh - SSL remote shell


SSLrsh [-envq] [-l username] [-p port] [-z sslopt] host [command]


SSLrsh executes command on host using the Secure Socket Layer (SSL) transport. Unlike rsh authentication is by means of digitally signed X509 certificates.

SSLrsh copies its standard input to the remote command, the standard output of the remote command to its standard output. The stderr is sent to stdout if the -e flag is given or a proxy is being used. If a separate channel is available for stderr, interrupt, quit and terminate signals cause shutdown of the connection. SSLrsh normally terminates when the remote command does. The options are as follows:

Turns off use of 2nd channel for stderr.
By default, the remote username is the same as the local username. The -l option allows the remote name to be specified.
The -n option redirects input from the special device /dev/null (see the BUGS section of this manual page).
-p port
Connect to port rather than the sshell service.
Suppresses the verbage caused by the -v flag.
By default we do not request a certificate from the server. The -v flag causes a server certificate to be requested and verified.
The -z flag is the same as in SSLtelnet. It takes values like cert=file, key=file and verify=n. The -v flag above is equivalent to -z verify=3. By default SSLrsh looks for its certificate file via the environment variable SSL_CERT.

If -z proxy=url is given or one of the environment variables sshell_proxy,https_proxy,http_proxy is set, then ssl_rcmd(3) will connect to the HTTP proxy described by the url and ask it to connect to host. See ssl_rcmd(3) for details.

If the certificate requires a password, SSLrsh defers asking for it until a successful connection is established with the server.

Shell metacharacters which are not quoted are interpreted on local machine, while quoted metacharacters are interpreted on the remote machine. For example, the command

SSLrsh otherhost cat remotefile >> localfile

appends the remote file remotefile to the local file localfile, while

SSLrsh otherhost cat remotefile «>>» other_remotefile

appends remotefile to other_remotefile.




rsh(1), ssl_rcmd(3), SSLrshd(8)


The rsh command appeared in 4.2BSD.

SSLrsh was derrived from the 4.4BSD rsh(1) by Simon J. Gerraty.

The SSL implementation used is SSLeay by Eric Young <> via sjg's libsslfd.


If you are using csh(1) and put an SSLrsh in the background without redirecting its input away from the terminal, it will block even if no reads are posted by the remote command. If no input is desired you should redirect the input of SSLrsh to /dev/null using the -n option.

You cannot run an interactive command (like rogue(6) or vi(1)) using SSLrsh.

Stop signals stop the local SSLrsh process only; this is arguably wrong, but currently hard to fix for reasons too complicated to explain here.


Simon J. Gerraty <>

Table of Contents