Remote Execution
Guideline:
It is suggested that you do not enable the TSO Remote Execution server. The RSH and REXEC protocols
transfer user ID and password information in the clear (without encryption). There is also the
potential for weak authentication of RSH clients that use RHOSTS.DATA datasets. This authentication
method allows remote command execution without requiring the RSH client to supply a password.
IBM Health Checker for z/OS can be used to check whether the TSO Remote Execution server (called
MVRSHD) is active and to detect an RSH client attempting to use an RHOSTS.DATA dataset for
authentication. For more details about IBM Health Checker, see IBM Health Checker for z/OS: User's Guide.
This topic describes how to configure and operate both the Remote Execution server and the UNIX Remote Execution server. z/OS® Communications Server supports remote execution daemons in both the UNIX and TSO environments.
To execute commands under the UNIX shell, use the RSH command. To execute commands under TSO, use the REXEC command. These requests are serviced by the UNIX daemons, orshd and orexecd, and the TSO RXSERVE daemon.
The differences between the UNIX daemons and the TSO RXSERVE daemon are as follows:
- The UNIX daemons are initiated through the INETD server and can be configured to support a port other than their well-known port.
- The TSO daemon must be active and will service REXEC and RSH requests only on their well-known ports.
Only the UNIX daemons or the TSO daemon can be active at any one time.
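Because the UNIX daemons are started by INETD and can listen on a port other than the well-known one, a check that only looks at ports 512 and 514 can miss them. The following added example (not IBM code) audits inetd.conf-style text by server program name instead; the sample configuration, the `rexec2` service name and port 1512 are constructed for illustration, and the standard inetd field layout is assumed.

```python
# Daemons named on this page, with the well-known TCP ports of exec and shell.
CLEARTEXT_DAEMONS = {"orexecd": 512, "orshd": 514}

# Constructed sample input; the "rexec2" service and port 1512 are invented.
SAMPLE_SERVICES = """\
exec    512/tcp
shell   514/tcp   cmd
rexec2  1512/tcp  # relocated REXEC listener
"""
SAMPLE_INETD = """\
otelnet stream tcp nowait OMVSKERN /usr/sbin/otelnetd otelnetd -l
shell   stream tcp nowait OMVSKERN /usr/sbin/orshd    orshd -LV
#exec   stream tcp nowait OMVSKERN /usr/sbin/orexecd  orexecd -LV
rexec2  stream tcp nowait OMVSKERN /usr/sbin/orexecd  orexecd -LV
"""

def parse_services(text):
    """Map each TCP service name (and alias) to its port number."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/tcp"):
            port = int(fields[1].split("/")[0])
            for name in [fields[0]] + fields[2:]:
                ports[name] = port
    return ports

def find_remote_exec(inetd_text, services_text):
    """Return active inetd entries that start orshd or orexecd."""
    ports = parse_services(services_text)
    findings = []
    for line in inetd_text.splitlines():
        # Fields: service, socket type, protocol, wait flag, user, program, args
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank line, comment, or commented-out entry
        service, daemon = fields[0], fields[5].rsplit("/", 1)[-1]
        if daemon in CLEARTEXT_DAEMONS:
            port = ports.get(service)
            findings.append({"service": service, "daemon": daemon, "port": port,
                             "well_known": port == CLEARTEXT_DAEMONS[daemon]})
    return findings

if __name__ == "__main__":
    for finding in find_remote_exec(SAMPLE_INETD, SAMPLE_SERVICES):
        print(finding)
```

Any entry it returns is a cleartext remote execution listener; entries with `well_known` set to false are the ones a port-based scan or firewall rule for 512 and 514 would not cover.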