rlogind(1M)
NAME
rlogind - remote login server
SYNOPSIS
bannerfile]
In Kerberos V5 Network Authentication Environments
bannerfile]
DESCRIPTION
rlogind is the server for the rlogin program (see rlogin(1)). It provides
a remote login facility with two kinds of authentication methods:
1. Authentication based on privileged port numbers, where the
client's source port must be in the range 512 through 1023. In
this case rlogind assumes it is operating in a normal, that is,
non-secure, environment.
2. Authentication based on Kerberos V5. In this case rlogind
assumes it is operating in a Kerberos V5 Network Authentication,
that is, secure, environment.
The inetd daemon invokes rlogind when a service request is received on
either of the two ports assigned to the rlogin services in the services
file (see inetd(1M) and services(4)). Service requests arriving at the
Kerberos login port assume a secure environment and expect Kerberos
authentication to take place.
To start rlogind from the inetd daemon in a non-secure environment, the
inetd configuration file (see inetd.conf(4)) must contain an entry as
follows:
In a secure environment, the inetd configuration file must contain an
entry:
The above configuration line starts rlogind in one of the Kerberos
authorization modes described under Options. To start it in a different
mode, the configuration file must contain an entry as follows:
Note: For IPv6 applications the protocol field of the entry has to be
changed accordingly.
See inetd.conf(4) for more information.
To prevent non-secure access, the entry for the login service should be
commented out in the inetd configuration file. Any non-Kerberos access
will then be denied, since the entry for the login port has been removed
or commented out. In such a situation, a generic error message,
is displayed. See DIAGNOSTICS below for more details.
Options
rlogind recognizes the following options:
This option prevents any authentication based on the user's private
equivalence file (see hosts.equiv(4)) unless the user is logging in as
super-user.
This option is used on multi-homed NIS systems. It prevents rlogind
from doing a reverse lookup of the client's IP address; see
gethostbyname(3N). It can be used to circumvent an NIS limitation with
multi-homed hosts.
This option is used to disable transport-level keepalive mes‐
sages.
Causes the file,
bannerfile, to be displayed to incoming rlogin requests.
In a secure environment, rlogind recognizes the following additional
options:
Ignore checksum verification. This option is used to achieve
interoperability between clients and servers using different checksum
calculation methods. For example, the checksum calculation in an
application developed with the Kerberos V5 Beta 4 API is different from
the calculation in a Kerberos V5-1.0 application. Note that this removes
an integrity check on the Kerberos authenticator; use it only while such
mixed deployments exist.
Authorization based on Kerberos V5 must succeed or access
will be rejected (see sis(5) for details on authoriza‐
tion).
Authentication based on privileged port numbers and
authorization of the remote user through equivalent
accounts must succeed. For more information on equiva‐
lent accounts, see hosts.equiv(4).
Either one of the following must succeed; the authorization checks are
done in the order given below.
1. Authentication based on privileged port numbers
and authorization of the remote user through
equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
Either one of the following must succeed; the authorization checks are
done in the order given below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers
and authorization of the remote user through
equivalent accounts.
Note: The option is ignored when used with and the option is ignored when
used with. Also, if no options are specified, the default option is
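The equivalent-account authorization referred to above (hosts.equiv(4)
and the user's private equivalence file, consulted in the privileged-port
modes), together with the option that disables the user's file unless
the login is as super-user, can be written out as a small check. The
following is an added example for this page and is not code from
rlogind(1M) or HP-UX. It follows the ruserok(3N) convention the page
cites: the super-user is never granted by hosts.equiv, only by root's own
.rhosts file. The file grammar is a simplification and an assumption:
"host" (the remote user must have the same name as the local user),
"host user" (that remote user may become this local user), "+" (any
host) and "-host" (deny that host); netgroups and case folding are not
handled. The host and user names in the sample files are constructed.

```python
"""Equivalent-account authorization for rlogind's privileged-port modes,
including the option that ignores the user's .rhosts unless the login is
as super-user.

Added example; not code from rlogind(1M) or HP-UX. ASSUMED simplified
grammar for both hosts.equiv and .rhosts: "host", "host user", "+",
"-host". Netgroups and case folding are not handled.
"""
from typing import List


def _file_grants(lines: List[str], host: str, ruser: str, luser: str) -> bool:
    """Scan one equivalence file: True on the first granting entry, False on
    a deny entry for this host or when nothing matches."""
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        entry_host = fields[0]
        entry_user = fields[1] if len(fields) > 1 else None
        if entry_host.startswith("-"):
            if entry_host[1:] == host:
                return False                    # explicit deny ends the scan
            continue
        if entry_host not in ("+", host):
            continue
        # No user field: remote and local user names must be the same.
        wanted = entry_user if entry_user is not None else luser
        if ruser == wanted:
            return True
    return False


def ruserok(host: str, ruser: str, luser: str, hosts_equiv: str, rhosts: str,
            rhosts_disabled: bool = False) -> bool:
    """True if `ruser` on `host` may log in as `luser` without a password.

    hosts_equiv: text of /etc/hosts.equiv; rhosts: text of luser's .rhosts.
    rhosts_disabled models the rlogind option that prevents .rhosts-based
    authentication unless the user is logging in as super-user.
    """
    superuser = luser == "root"
    if not superuser and _file_grants(hosts_equiv.splitlines(), host, ruser, luser):
        return True
    if rhosts_disabled and not superuser:
        return False
    return _file_grants(rhosts.splitlines(), host, ruser, luser)


# Constructed sample files (not from a real system).
HOSTS_EQUIV = """\
# trusted hosts
trusted.example.com
backup.example.com   operator
-evil.example.com
"""
ALICE_RHOSTS = "trusted.example.com bob\n"
ROOT_RHOSTS = "console.example.com root\n"


def demo() -> dict:
    """A few decisions worth knowing before trusting hosts.equiv."""
    return {
        "same-name user from trusted host":
            ruserok("trusted.example.com", "alice", "alice", HOSTS_EQUIV, ""),
        "operator on backup may become any ordinary user":
            ruserok("backup.example.com", "operator", "alice", HOSTS_EQUIV, ""),
        "bob becomes alice only via alice's .rhosts":
            ruserok("trusted.example.com", "bob", "alice", HOSTS_EQUIV, ALICE_RHOSTS),
        ".rhosts ignored when the option is set":
            ruserok("trusted.example.com", "bob", "alice", HOSTS_EQUIV, ALICE_RHOSTS,
                    rhosts_disabled=True),
        "root never via hosts.equiv":
            ruserok("trusted.example.com", "root", "root", HOSTS_EQUIV, ""),
        "root via /.rhosts even with the option":
            ruserok("console.example.com", "root", "root", HOSTS_EQUIV, ROOT_RHOSTS,
                    rhosts_disabled=True),
        "denied host": ruserok("evil.example.com", "alice", "alice", HOSTS_EQUIV, ""),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {case}")
```

The "host user" form is the one to audit: it lets that remote user become
every ordinary local account, not just the one that shares its name.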
Operation
When a service request is received, the following protocol is initiated
by rlogind:
1. rlogind checks the client's source port. If the port is not a
privileged port, that is, not in the range 512 through 1023, and
rlogind is operating in a non-secure environment, the connection is
terminated. In a secure environment, the action taken depends on the
command line options:
The source port must be a privileged port; otherwise rlogind
terminates the connection.
If the source port is not a privileged port, then Kerberos
authorization must succeed or the connection is terminated.
The source port must be a privileged port if Kerberos
authorization fails.
No action is taken.
2. rlogind checks the client's source address and requests the
corresponding host name (see gethostent(3N), hosts(4), and named(1M)).
If it cannot determine the host name, it uses the Internet dot-notation
representation of the host address.
3. In a secure environment, rlogind proceeds with the Kerberos
authentication process described in sis(5). If authentication succeeds,
the authorization selected by the command line option is performed. The
authorization selected can be equivalent-account authorization as
specified in hosts.equiv(4) or Kerberos authorization as specified in
sis(5).
4. rlogind then allocates a STREAMS based pseudo-terminal (see ptm(7)
and pts(7)) and manipulates file descriptors so that the slave half of
the pseudo-terminal becomes the standard input, output and error of a
login process.
5. This login process is an instance of the login program (see
login(1)), invoked with the option that suppresses the password prompt
if authentication has succeeded. In a non-secure environment, if
automatic authentication fails, login prompts the user with the normal
login sequence. In a secure environment, if authentication fails,
rlogind generates an error message and quits.
The rlogind process manipulates the master side of the pseudo-terminal,
operating as an intermediary between the login process and the client
instance of the rlogin program. The protocol described in ptm(7) and pts(7)
is used to enable and disable flow control via Ctrl-S/Ctrl-Q under the
direction of the program running on the slave side of the pseudo-termi‐
nal, and to flush terminal output in response to interrupt signals.
The login process sets the baud rate and the terminal-type environment
variable (TERM, see environ(5)) to correspond to the client's baud rate
and terminal type.
Transport-level keepalive messages are enabled unless the option that
disables them (see Options) is present. The use of keepalive messages
allows sessions to be timed out if the client crashes or becomes
unreachable.
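The procedure above can be reduced to a decision function: which
authorization methods a mode tries, in what order, and whether a failed
connection is terminated or handed to the normal login prompt. The
following is an added example for this page, not code from rlogind(1M) or
HP-UX. The mode names are descriptive assumptions standing in for the
page's command-line options (the Options section gives the ordering each
one implies). The client's opening message, four NUL-terminated strings
(an empty string, the client user name, the server user name and
"terminal type/speed") answered by a single NUL byte on success, is the
BSD rlogin protocol of RFC 1282, which the page does not reproduce, and the
trailing carriage-return/line-feed on error messages is likewise an
assumption; the leading byte of 1 on errors is the framing described under
DIAGNOSTICS below.

```python
"""rlogind connection establishment: per-mode authorization order,
the client handshake, and the error framing (leading byte 1).

Added example; not code from rlogind(1M) or HP-UX. Mode names are
ASSUMED stand-ins for the page's options; handshake layout is RFC 1282;
the "\\r\\n" after error text is an ASSUMPTION.
"""
from typing import Callable, Optional, Tuple

PRIV_LO, PRIV_HI = 512, 1023

# mode -> methods tried in order. "port": privileged source port followed
# by equivalent-account authorization; "krb": Kerberos V5 authorization.
MODES = {
    "nonsecure":                ["port"],
    "privileged_only":          ["port"],          # secure environment, port required
    "privileged_then_kerberos": ["port", "krb"],
    "kerberos_then_privileged": ["krb", "port"],
    "kerberos_only":            ["krb"],           # step 1 takes no action on the port
}


def is_privileged_port(port: int) -> bool:
    return PRIV_LO <= port <= PRIV_HI


def authorize(mode: str, src_port: int, equiv_ok: Callable[[], bool],
              kerberos_ok: Callable[[], bool]) -> Optional[str]:
    """Try the mode's methods in order; return the granting method or None.
    The checks are callables so a method runs only if the order reaches it."""
    for method in MODES[mode]:
        if method == "port" and is_privileged_port(src_port) and equiv_ok():
            return "port"
        if method == "krb" and kerberos_ok():
            return "krb"
    return None


def parse_handshake(data: bytes) -> Tuple[str, str, str, str, bytes]:
    """Split the client's opening message into
    (client user, server user, terminal type, speed, remaining bytes)."""
    parts = data.split(b"\0", 4)
    if len(parts) < 5:
        raise ValueError("incomplete handshake")
    lead, cuser, suser, term, rest = parts
    if lead != b"":
        raise ValueError("handshake must start with an empty string")
    ttype, _, speed = term.partition(b"/")
    return (cuser.decode("ascii"), suser.decode("ascii"),
            ttype.decode("ascii"), speed.decode("ascii"), rest)


def success_reply() -> bytes:
    return b"\0"


def error_reply(msg: str) -> bytes:
    """Connection errors go back with a leading byte of 1, then the text."""
    return b"\x01" + msg.encode("ascii") + b"\r\n"


def classify_reply(data: bytes) -> Tuple[bool, str]:
    """Client side: (ok, message) from the server's first byte."""
    if not data:
        raise ValueError("empty reply")
    if data[0] == 0:
        return True, ""
    if data[0] == 1:
        return False, data[1:].decode("ascii", "replace").rstrip("\r\n")
    raise ValueError(f"unexpected leading byte {data[0]}")


def handle_connection(mode: str, src_port: int, data: bytes,
                      equiv_ok: Callable[[], bool],
                      kerberos_ok: Callable[[], bool]) -> Tuple[str, bytes]:
    """Steps 1, 3 and 5 as an outcome: (action, bytes sent to the client).
    action is "auto-login", "password-prompt" or "terminate"."""
    # Step 1: modes that rely on the port alone end the connection here.
    if MODES[mode] == ["port"] and not is_privileged_port(src_port):
        return "terminate", error_reply("Permission denied")
    try:
        parse_handshake(data)
    except ValueError as exc:
        return "terminate", error_reply(str(exc))
    if authorize(mode, src_port, equiv_ok, kerberos_ok):
        return "auto-login", success_reply()
    if mode == "nonsecure":                        # port was privileged: fall back to login
        return "password-prompt", success_reply()
    return "terminate", error_reply("Permission denied")


if __name__ == "__main__":
    hs = b"\0alice\0bob\0vt100/9600\0"             # constructed client message
    for mode in MODES:
        print(mode, handle_connection(mode, 40000, hs, lambda: True, lambda: False))
```

Note that in the non-secure mode an unprivileged source port is the only
thing that ends the connection; a privileged port with no equivalence
entry still reaches the password prompt, with the password then crossing
the network in the clear (see WARNINGS).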
EXTERNAL INFLUENCES
International Code Set Support
Single and multibyte character code sets are supported.
DIAGNOSTICS
Errors in establishing a connection cause an error message to be
returned with a leading byte of 1 through the socket connection, after
which the network connection is closed. Any errors generated by the
login process or its descendants are passed through by the server as
normal communication.
The server was unable to fork a process to handle the incoming
connection.
Wait a period of time and try again. If this message
persists, the server's host may have runaway processes
that are using all the entries in the process table.
The server was unable to obtain a pseudo-terminal
for use with the login process. Either all pseudo-termi‐
nals were in use, or the pty driver has not been properly
set up. Note that the number of slave devices that can
be allocated depends on NSTRPTY, a kernel tunable parame‐
ter. This can be changed via HP SMH (replacement for
SAM); see ptm(7) and pts(7).
Check the pty configuration of the host where rlogind executes.
The server denied access because the client was not using a
reserved port.
This should only happen to interlopers trying to break
into the system.
The login program could not be started, for the reason indicated.
Try to correct the condition causing the problem. If
this message persists, contact your system administrator.
This generic message can have a number of causes. One of them is that the
entry for the login service is not present in the inetd configuration
file; the entry may have been removed or commented out to prevent
non-secure access.
Kerberos specific errors are listed in sis(5).
WARNINGS
The integrity of each host and of the connecting medium is assumed if the
"privileged port" authentication procedure is used in a non-secure
environment or if the corresponding command line options are used in a
secure environment. Although both these methods provide insecure access,
they are useful in an "open" environment.
Note that all information, including any passwords, is passed unencrypted
between the two hosts when rlogind is invoked in a non-secure
environment.
AUTHOR
rlogind was developed by the University of California, Berkeley.
FILES
List of equivalent hosts
User's private equivalence list
SEE ALSO
login(1), rlogin(1), inetd(1M), named(1M), gethostent(3N), ruserok(3N),
hosts(4), hosts.equiv(4), inetd.conf(4), services(4), environ(5),
sis(5), pty(7).