in.rlogind(1M)		System Administration Commands		in.rlogind(1M)

       in.rlogind, rlogind - remote login server

       /usr/sbin/in.rlogind [-k5eExXciPp] [-s tos] [-S keytab] [-M realm]

       in.rlogind  is  the  server for the rlogin(1) program.  The server pro-
       vides a remote login facility with authentication based on  Kerberos  V5
       or privileged port numbers.

       in.rlogind  is  invoked	by inetd(1M) when a remote login connection is
       established. When Kerberos V5 authentication is required	(see option -k
       below), the authentication sequence is as follows:

	 o  Check Kerberos V5 authentication.

	 o  Check authorization	according to the rules in krb5_auth_rules(5).

	 o  Prompt for a password if any checks	fail and /etc/pam.conf is con-
	    figured to do so.

       If Kerberos V5 authentication is	not enabled, then  the	authentication
       procedure follows the standard rlogin protocol:

	 o  The	 server	checks the client's source port. If the	port is	not in
	    the	range 512-1023,	the server aborts the connection.

	 o  The	server checks the client's source address. If an entry for the
	    client exists in both /etc/hosts and /etc/hosts.equiv, a user log-
	    ging in from the client is not prompted for	a password. If the ad-
	    dress  is  associated with a host for which	no corresponding entry
	    exists in /etc/hosts, the user is prompted for a password, regard-
	    less  of   whether	or  not	 an entry for the client is present in
	    /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).
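       The non-Kerberos decision procedure above, modelled in Python as an added
       example (not Solaris code). The /etc/hosts and /etc/hosts.equiv contents
       and the client's port and address are constructed; hosts.equiv is reduced
       to one host name per line, and a host that is in /etc/hosts but not in
       hosts.equiv is assumed to fall through to a password prompt.

```python
"""Model of the non-Kerberos in.rlogind checks described above.

Added example, not Solaris code. File contents and client coordinates are
constructed; hosts.equiv is reduced to one host name per line (user field
and +/- forms ignored); a host in /etc/hosts but not hosts.equiv is assumed
to fall through to a password prompt.
"""
from enum import Enum

class Outcome(Enum):
    ABORT = "source port outside 512-1023: connection aborted"
    NO_PASSWORD = "trusted host: login without password prompt"
    PROMPT = "password prompt"

def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_hosts(text):
    """Map each /etc/hosts address to its canonical name and aliases."""
    return {fields[0]: fields[1:] for fields in _entries(text)}

def parse_hosts_equiv(text):
    """Return the set of host names listed in hosts.equiv."""
    return {fields[0] for fields in _entries(text)}

def rlogind_decision(src_port, src_addr, hosts_text, equiv_text):
    """Apply the standard rlogin checks in the order the server performs them."""
    # 1. Privileged source port: the only proof that the remote client ran as
    #    root. It says something about the client host, nothing about the user.
    if not 512 <= src_port <= 1023:
        return Outcome.ABORT
    # 2. The address must have an /etc/hosts entry; otherwise prompt, whatever
    #    hosts.equiv says.
    names = parse_hosts(hosts_text).get(src_addr)
    if names is None:
        return Outcome.PROMPT
    if parse_hosts_equiv(equiv_text).intersection(names):
        return Outcome.NO_PASSWORD          # known in both files: no password
    return Outcome.PROMPT                   # assumed fall-through: known, untrusted

HOSTS = """# constructed /etc/hosts
127.0.0.1    localhost
192.0.2.10   build.example.com  build
192.0.2.20   lab.example.com    lab
"""
EQUIV = "# constructed /etc/hosts.equiv\nbuild.example.com\n"
```

       Note that every input to the decision (port, address, the two files) is
       either controlled by the client host or static, which is the trust
       assumption the SECURITY text below calls out.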

       Once the	source port and	address	have been  checked,  in.rlogind	 allo-
       cates  a	 pseudo-terminal  and manipulates file descriptors so that the
       slave half of the pseudo-terminal becomes the stdin, stdout, and	stderr
       for  a  login process. The login	process	is an instance of the login(1)
       program,	invoked	with the -r option.

       The login process  then	proceeds  with	the  pam(3PAM)	authentication
       process.	See SECURITY below.  If	automatic authentication fails,	it re-
       prompts the user	to login.

       The parent of the login process manipulates  the	 master	 side  of  the
       pseudo-terminal,	operating as an	intermediary between the login process
       and the client instance of the rlogin program.  In normal operation,  a
       packet protocol is invoked to provide <Ctrl-S> and <Ctrl-Q> type	facil-
       ities and propagate interrupt signals to	the remote programs. The login
       process	propagates  the	client terminal's baud rate and	terminal type,
       as found	in the environment variable, TERM. See environ(4).

       The following options are supported:

       -5	       Same as -k, for backwards compatibility.

       -c	       Requires	Kerberos V5 clients to present a cryptographic
		       checksum	 of  initial  connection  information like the
		       name of the user	that the client	is  trying  to	access
		       in  the	initial	 authenticator.	This checksum provides
		       additional  security  by	preventing  an	attacker  from
		       changing	 the  initial connection information. This op-
		       tion is mutually	exclusive with the -i option.

       -e	       Creates an encrypted session.

       -E	       Same as -e, for backwards compatibility.

       -i	       Ignores authenticator checksums if provided.  This  op-
		       tion  ignores authenticator checksums presented by cur-
		       rent Kerberos clients  to  protect  initial  connection
		       information. Option -i is the opposite of option	-c.

       -k	       Allows Kerberos V5 authentication with the .k5login ac-
		       cess control file to be trusted.	If this	authentication
		       system  is  used	 by  the  client and the authorization
		       check is	passed,	then the user is allowed to log	in.

       -M realm	       Uses the	indicated Kerberos V5 realm. By	 default,  the
		       daemon  will  determine	its realm from the settings in
		       the krb5.conf(4)	file.

       -p	       Prompts for authentication only if other	authentication
		       checks fail.

       -P	       Prompts for a password in addition to other authentica-
		       tion methods.

       -s tos	       Sets the	IP TOS option.

       -S keytab       Sets the KRB5 keytab file to use. The /etc/krb5/krb5.keytab
		       file is used by default.

       -x	       Same as -e, for backwards compatibility.

       -X	       Same as -e, for backwards compatibility.

       rlogind	and in.rlogind are IPv6-enabled. See ip6(7P). IPv6 is not cur-
       rently supported	with Kerberos V5 authentication.

       Typically, Kerberized rlogin service runs on port 543 (klogin) and Ker-
       berized,	encrypted rlogin service runs on port 2105 (eklogin). The cor-
       responding FMRI entries are:

       svc:/network/login:klogin (rlogin with kerberos)
       svc:/network/login:eklogin (rlogin with kerberos	and encryption)

       in.rlogind uses pam(3PAM) for authentication, account  management,  and
       session	management.  The  PAM  configuration  policy,  listed  through
       /etc/pam.conf, specifies	the modules to be used for in.rlogind. Here is
       a  partial  pam.conf file with entries for the rlogin command using the
       "rhosts"	and UNIX authentication	modules, and the UNIX account, session
       management, and password	management modules.

       rlogin	 auth sufficient
       rlogin	 auth requisite
       rlogin	 auth required
       rlogin	 auth required

       rlogin	 account required
       rlogin	 account required
       rlogin	 account required

       rlogin	 session required

       With this configuration,	the server checks the client's source address.
       If  an  entry  for  the	client	 exists	  in   both   /etc/hosts   and
       /etc/hosts.equiv, a user	logging	in from	the client is not prompted for
       a password. If the address is associated	with a host for	which no  cor-
       responding entry	exists in /etc/hosts, the user is prompted for a pass-
       word, regardless	of whether or not an entry for the client  is  present
       in /etc/hosts.equiv. See	hosts(4) and hosts.equiv(4).

       When  running  a	Kerberized rlogin service (with	or without the encryp-
       tion option), the pam service name that should be used is "krlogin".

       If there	are no entries for the rlogin service, then  the  entries  for
       the  "other"  service  will be used. If multiple	authentication modules
       are listed, then	the user may be	prompted for multiple  passwords.  Re-
       moving	 the	""	  entry	  will	 disable   the
       /etc/hosts.equiv	and ~/.rhosts authentication  protocol	and  the  user
       would  always be	forced to type the password. The sufficient flag indi-
       cates that authentication through the  module  is
       "sufficient"  to	 authenticate  the  user.  Only	if this	authentication
       fails is	the next authentication	module used.
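       The control-flag behaviour described above (a "sufficient" module that
       succeeds ends the stack, a failing one hands off to the next module),
       evaluated in Python as an added example, not Solaris libpam code. The
       module names are placeholders standing in for the "rhosts" and UNIX
       authentication modules, since this page's listing does not carry them.

```python
"""Evaluator for a PAM "auth" stack like the rlogin stanza above.

Added example, not Solaris libpam. Module names are placeholders (the page's
listing lost them); sufficient/requisite/required semantics follow pam.conf(4).
"""

def run_auth_stack(stack, results):
    """stack: [(control, module), ...]; results: {module: succeeded?}.

    Returns (authenticated, modules_consulted). Each consulted password module
    is one prompt, so the second value shows how many passwords the user
    would be asked for.
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted        # success ends the stack early
        elif control == "requisite":
            if not ok:
                return False, consulted       # failure ends the stack at once
        elif control == "required":
            if not ok:
                required_failed = True        # remember, but run the rest
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted

# Placeholder module names for the rlogin stanza (assumed, not from pam.conf).
RLOGIN_AUTH = [
    ("sufficient", "rhosts_module"),
    ("requisite", "get_password"),
    ("required", "unix_password"),
]

def without_rhosts(stack):
    """The stack with the sufficient rhosts entry removed, as the text describes."""
    return [entry for entry in stack if entry[1] != "rhosts_module"]
```

       With the rhosts entry removed, every login consults the password
       modules, which is why the text says the user is then always asked to
       type a password.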

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWrcmds			   |

       login(1), svcs(1), rlogin(1), in.rshd(1M), inetadm(1M), inetd(1M),  sv-
       cadm(1M),     pam(3PAM),	   environ(4),	  hosts(4),    hosts.equiv(4),
       krb5.conf(4), pam.conf(4), attributes(5), krb5_auth_rules(5), pam_auth-
       tok_check(5),  pam_authtok_get(5), pam_authtok_store(5),	pam_dhkeys(5),
       pam_passwd_auth(5),	 pam_unix_account(5),	     pam_unix_auth(5),
       pam_unix_session(5), smf(5)

       All  diagnostic messages	are returned on	the connection associated with
       the stderr, after which any network connections are closed. An error is
       indicated by a leading byte with	a value	of 1.

       Hostname	for your address unknown.      No entry	in the host name data-
					       base existed for	 the  client's

       Try again.			       A fork by the server failed.

       /usr/bin/sh: ...			       The  user's  login  shell could
					       not be started.

       The authentication procedure used here assumes the  integrity  of  each
       client  machine and the connecting medium.  This	is insecure, but it is
       useful in an ``open'' environment.

       A facility to allow all	data  exchanges	 to  be	 encrypted  should  be

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

       The in.rlogind service is managed by the	service	 management  facility,
       smf(5), under the service identifier:

       svc:/network/login:rlogin (rlogin)
       svc:/network/login:klogin (rlogin with kerberos)
       svc:/network/login:eklogin (rlogin with kerberos	and encryption)

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using  svcadm(1M).	Responsibility
       for  initiating	and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.

SunOS 5.10			  4 Aug	2004			in.rlogind(1M)

