rlogind(ADMN)
rlogind -- remote login server
Syntax
/etc/rlogind [ -k ] [ -K ] [ -l ] [ -n ] [ -I n ] [ -N n ] [ -S n ] [ -X ]
Description
rlogind is the server for the rlogin(TC) program. The server provides a remote login facility with authentication based on privileged port numbers from trusted hosts. It is started by the "super server" inetd, and therefore must have an entry in inetd's configuration file, /etc/inetd.conf (see inetd(ADMN) and inetd.conf(SFF)).
rlogind listens for service requests at the port indicated in the login service specification; see services(SFF).
When a service request is received, the following protocol is initiated:
- The server checks the client's source port. If the port is not in the range 512-1023, the server aborts the connection.
- The server checks the client's source address and requests the corresponding host name (see gethostbyaddr(SLIB), hosts(SFF), and named(ADMN)). If the hostname cannot be determined, the dot-notation representation of the host address is used.
Once the source port and address have been checked, rlogind proceeds with the authentication process described in rshd(ADMN). It then allocates a pseudo terminal and manipulates file descriptors so that the slave half of the pseudo terminal becomes the stdin, stdout, and stderr for a login process. The login process is an instance of the login(M) program, invoked with the -f option if authentication has succeeded. If automatic authentication fails, the user is prompted to log in as if on a standard terminal line. The -l option prevents any authentication based on the user's .rhosts file, unless the user is logging in as root.
The master side of the pseudo-terminal opens the In-Kernel Network Terminal (IKNT) driver, which provides reliable, flow-controlled, two-way transmission of data between the master side of the pseudo-terminal and the underlying transport driver, bypassing the rlogind server. See the iknt(ADMP) manual reference page for a more detailed explanation. Should the IKNT driver link fail, rlogind reverts to manipulating the master side of the pseudo terminal, operating as an intermediary between the login process and the client instance of the rlogin program. Login propagates the client terminal's baud rate and terminal type, as found in the environment variable, TERM; see environ(M).
Keepalives
Transport-level keepalive messages are enabled unless the -n option is present. The use of keepalive messages allows sessions to be timed out if the client crashes or becomes unreachable.
If keepalives are being used, several parameters may be controlled using the following options:
-I n
   The argument n specifies the interval (in seconds) between keepalive probes if no response is received.
-N n
   The argument n specifies the number of unanswered keepalive probes that will be sent prior to dropping the connection.
-S n
   The argument n specifies the time (in seconds) that a connection must be idle before the first keepalive probe will be sent.
The default keepalive values corresponding to these options are controlled by the parameters tcp_keepintvl (75 seconds), tcp_nkeep (8), and tcp_keepidle (7200 seconds). These can be tuned on a system-wide basis using inconfig(ADMN). These options exist solely to provide finer control of keepalives on a per-application basis.
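
How the three per-connection values combine, as an added example in C (not rlogind's own code). It assumes the Linux-style socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT as stand-ins for -S, -I and -N; the struct and function names are hypothetical.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-connection settings, named after the rlogind options they mirror. */
struct keepalive {
    int disable;   /* -n:   no keepalives at all               */
    int idle;      /* -S n: idle seconds before the first probe */
    int intvl;     /* -I n: seconds between unanswered probes   */
    int count;     /* -N n: unanswered probes before the drop   */
};

/* System-wide defaults quoted on the page. */
static const struct keepalive page_defaults = { 0, 7200, 75, 8 };

/* Apply the settings to one TCP socket. Returns 0 on success, -1 on error. */
int apply_keepalive(int fd, const struct keepalive *k)
{
    int on = !k->disable;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) != 0)
        return -1;
    if (k->disable)
        return 0;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &k->idle, sizeof k->idle) != 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &k->intvl, sizeof k->intvl) != 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &k->count, sizeof k->count) != 0)
        return -1;
    return 0;
}

/* Approximate seconds until a silent peer is dropped: the idle period,
 * then `count` probes spaced `intvl` apart. Returns -1 if disabled. */
long seconds_until_drop(const struct keepalive *k)
{
    return k->disable ? -1 : (long)k->idle + (long)k->intvl * k->count;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || apply_keepalive(fd, &page_defaults) != 0) {
        perror("keepalive");
        return 1;
    }
    printf("silent peer dropped after about %ld s\n", seconds_until_drop(&page_defaults));
    close(fd);
    return 0;
}
```

With the defaults above, a session whose client has vanished lingers for roughly 7800 seconds before it is dropped, which is the window the per-application options let an administrator shorten.
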
Authenticated rlogin using Kerberos
rlogind listens for service requests at the klogin port (543/tcp) as indicated in the login services specification (see services(SFF)). The klogin port accepts a connection from a remote authenticated rlogin client and attempts to establish authentication.
Authentication takes place between the client program rlogin and the host principal where the rlogind daemon is running, using the network credentials of the user that invoked the client program. The principal name for host machine.subdomain.domain is
   host/machine.subdomain.domain
The machine name must be fully qualified (for example, kvetch.your_company.com). The service key for this host principal is cached in the local Default Service Key Table (/krb5/v5srvtab), and must match the service key stored in the Security Registry.
The following authentication options are supported:
-k
   Relaxed authentication mode; if authentication cannot be established, a traditional unauthenticated connection is established.
-K
   Strict authentication mode; if authentication fails, the user cannot log in.
-X
   Refuse service and print the message:
   rlogind: Authentication is required on host: hostname
To execute rlogind on behalf of remote clients without asking for a password, the user invoking the client must have network credentials, and the user's principal name must appear in the $HOME/.k5login file on the host where rlogind is running (this file must be writable only by the user or by root, and it must be readable by root on the filesystem where it resides).
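
An audit of the write-permission rule for $HOME/.k5login, as an added example in C (not part of the SCO utilities). The result codes and function names are hypothetical, and refusing anything that is not a regular file is a stricter choice made for this example rather than a rule stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum k5_result { K5_OK, K5_MISSING, K5_NOT_REGULAR, K5_BAD_OWNER, K5_WRITABLE_BY_OTHERS };

/* Audit one .k5login path for the account whose uid is `user`. */
enum k5_result k5login_check(const char *path, uid_t user)
{
    struct stat st;

    /* lstat: a symbolic link is reported, not followed (example's assumption). */
    if (lstat(path, &st) != 0)
        return K5_MISSING;
    if (!S_ISREG(st.st_mode))
        return K5_NOT_REGULAR;
    /* The owner can always grant itself write access, so the owner must be
     * the user or root for "writable only by the user or by root" to hold. */
    if (st.st_uid != user && st.st_uid != 0)
        return K5_BAD_OWNER;
    /* No write bit for group or other. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return K5_WRITABLE_BY_OTHERS;
    return K5_OK;
}

const char *k5_reason(enum k5_result r)
{
    static const char *const text[] = {
        "ok", "missing or unreadable", "not a regular file",
        "owned by neither the user nor root", "group- or world-writable" };
    return text[r];
}

/* Usage: ./k5audit /home/alice/.k5login 1001   (path and uid are constructed) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s path uid\n", argv[0]);
        return 2;
    }
    enum k5_result r = k5login_check(argv[1], (uid_t)strtoul(argv[2], NULL, 10));
    printf("%s: %s\n", argv[1], k5_reason(r));
    return r == K5_OK ? 0 : 1;
}
```
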
Diagnostics
All diagnostic messages are returned on the connection associated with the stderr, after which any network connections are closed. An error is indicated by a leading byte with a value of 1.
Try again.
   A fork by the server failed.
/bin/sh:...
   The user's login shell could not be started.
Limitations
With standard authentication, the procedure used here assumes the integrity of each client machine and the connecting medium. This is insecure, but is useful in an "open" environment.
Secure TCP authentication is based on Version 5 of the Kerberos Network Authentication Service protocol. Only this version of the protocol is supported. Data encryption is not supported.
Files
/etc/inetd.conf
   configuration file for inetd
/etc/services
   Internet services list
/krb5/v5srvtab
   local default service key table
$HOME/.k5login
   access control file for the SCO Secure TCP/IP Utilities
See also
hosts.equiv(SFF), iknt(ADMP), inconfig(ADMN), inetd(ADMN), inetd.conf(SFF), rlogin(TC), rshd(ADMN), ruserok(SLIB), services(SFF)
Standards conformance
Authenticated rlogind is not part of any currently supported standard. It is an extension of AT&T UNIX System V provided by The Santa Cruz Operation, Inc.
rlogind is conformant with:
   RFC 1282
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003