in.rlogind(1M)          System Administration Commands          in.rlogind(1M)




NAME

       in.rlogind, rlogind - remote login server


SYNOPSIS

       /usr/sbin/in.rlogind [-k5eExXciPp] [-s tos] [-S keytab]
            [-M realm]



DESCRIPTION

       in.rlogind  is  the  server for the rlogin(1) program.  The server pro‐
       vides a remote login facility with authentication based on Kerberos  V5
       or privileged port numbers.


       in.rlogind  is  invoked  by inetd(1M) when a remote login connection is
       established. When Kerberos V5 authentication is required (see option -k
       below), the authentication sequence is as follows:

           o      Check Kerberos V5 authentication.

           o      Check    authorization    according    to   the   rules   in
                  krb5_auth_rules(5).

           o      Prompt for a password if any checks fail  and  /etc/pam.conf
                  is configured to do so.


       In  order  for  Kerberos authentication to work, a host/<FQDN> Kerberos
       principal must exist for each Fully Qualified  Domain  Name  associated
       with  the  in.rlogind server. Each of these host/<FQDN> principals must
       have a keytab entry in the /etc/krb5/krb5.keytab file on the in.rlogind
       server. An example principal might be:


       host/bigmachine.eng.example.com


       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to
       a krb5.keytab file. See  for a discussion of Kerberos authentication.


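       The following is an added example, not code from Solaris or from this
       man page. It checks that every name the server is reached by has a
       host/<FQDN> principal in the keytab, by parsing the output of klist -k,
       and for each missing principal it prints the kadmin commands (addprinc
       -randkey, then ktadd -k) that would create the principal and export its
       key into /etc/krb5/krb5.keytab. The FQDN list, the realm and the klist
       output are constructed sample data; the commands are printed, not run.

```python
"""Check that the keytab holds a host/<FQDN> principal for every name of
this in.rlogind server.  Added example, not Solaris code; the klist -k
output, FQDNs and realm below are constructed sample data."""
import re

# Constructed: names this server is reached by, and its realm (assumptions).
SERVER_FQDNS = ["bigmachine.eng.example.com", "bigmachine-ext.eng.example.com"]
REALM = "ENG.EXAMPLE.COM"
KEYTAB = "/etc/krb5/krb5.keytab"

# Constructed: what `klist -k /etc/krb5/krb5.keytab` might print when only
# the first name has been provisioned (one line per key in the keytab).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/bigmachine.eng.example.com@ENG.EXAMPLE.COM
   3 host/bigmachine.eng.example.com@ENG.EXAMPLE.COM
"""

_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)$")   # "<kvno> <principal>" rows only

def keytab_principals(klist_output):
    """Map each principal in klist -k output to the set of KVNOs it has."""
    found = {}
    for line in klist_output.splitlines():
        m = _ENTRY.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found

def missing_host_principals(fqdns, realm, klist_output):
    """Return the host/<FQDN>@REALM principals that have no key in the keytab."""
    present = keytab_principals(klist_output)
    return [p for p in (f"host/{f}@{realm}" for f in fqdns) if p not in present]

def provisioning_commands(principals, keytab=KEYTAB):
    """kadmin commands that create each missing principal with a random key
    and export it into the keytab (generated here, not executed)."""
    cmds = []
    for p in principals:
        cmds.append(f'kadmin -q "addprinc -randkey {p}"')
        cmds.append(f'kadmin -q "ktadd -k {keytab} {p}"')
    return cmds

if __name__ == "__main__":
    missing = missing_host_principals(SERVER_FQDNS, REALM, SAMPLE_KLIST_OUTPUT)
    if not missing:
        print("all host principals present in", KEYTAB)
    for cmd in provisioning_commands(missing):
        print(cmd)
```

       On a real server, replace SAMPLE_KLIST_OUTPUT with the captured output
       of klist -k and SERVER_FQDNS with every name clients use for the host;
       a client that connects to a name with no matching principal will fail
       Kerberos authentication and, depending on the -p/-P settings and
       pam.conf, either be prompted for a password or be refused.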
46       If Kerberos V5 authentication is not enabled, then  the  authentication
47       procedure follows the standard rlogin protocol:
48
49           o      The  server  checks the client's source port. If the port is
50                  not in the range 512-1023, the server aborts the connection.
51
52           o      The server checks the client's source address. If  an  entry
53                  for    the    client   exists   in   both   /etc/hosts   and
54                  /etc/hosts.equiv, a user logging in from the client  is  not
55                  prompted for a password. If the address is associated with a
56                  host for which no corresponding entry exists in  /etc/hosts,
57                  the  user is prompted for a password, regardless of  whether
58                  or  not  an   entry   for   the   client   is   present   in
59                  /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).
60
61
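       As an added example (not in.rlogind's own code), the following Python
       models the non-Kerberos checks above on a single incoming connection.
       It rejects a source port outside 512-1023, parses the client's opening
       request (four NUL-terminated strings: an empty string, the client user
       name, the server user name and the terminal type/speed, as in the
       rlogin protocol), resolves the source address against /etc/hosts and
       /etc/hosts.equiv tables, and frames the reply the way the DIAGNOSTICS
       section describes: a single 0 byte to accept, or a leading byte of 1
       before an error message. The host tables, addresses, user names and the
       error text are constructed for the example.

```python
"""Model of the in.rlogind checks on a new connection when Kerberos V5 is
not in use.  Added example, not the daemon's source: hosts tables,
addresses, user names and the error text are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_PORTS = range(512, 1024)   # source ports the server accepts

# Constructed stand-ins for /etc/hosts (address -> name) and /etc/hosts.equiv.
SAMPLE_HOSTS = {"192.0.2.10": "client.eng.example.com",
                "192.0.2.11": "untrusted.eng.example.com"}
SAMPLE_HOSTS_EQUIV = {"client.eng.example.com"}
# Constructed client request: empty string, client user, server user, term/speed.
SAMPLE_REQUEST = b"\0alice\0alice\0vt100/9600\0"

@dataclass
class RloginRequest:
    client_user: str
    server_user: str
    term: str            # terminal type and speed, e.g. "vt100/9600"

def parse_request(payload: bytes) -> RloginRequest:
    """Parse the four NUL-terminated strings the client sends first.
    Splitting on NUL gives five pieces whose first and last are empty;
    anything else is malformed."""
    fields = payload.split(b"\0")
    if len(fields) != 5 or fields[0] != b"" or fields[-1] != b"":
        raise ValueError("malformed rlogin request")
    client_user, server_user, term = (f.decode("ascii") for f in fields[1:4])
    if not client_user or not server_user:
        raise ValueError("empty user name")
    return RloginRequest(client_user, server_user, term)

def error_frame(msg: str) -> bytes:
    """Diagnostics go back with a leading byte of 1 (DIAGNOSTICS section).
    The CR LF terminator is an assumption of this model."""
    return b"\x01" + msg.encode("ascii") + b"\r\n"

@dataclass
class Decision:
    reply: bytes              # bytes written to the client before login runs
    abort: bool               # connection dropped without starting login
    hostname: Optional[str]   # name handed to login -r; None if unresolved
    password_required: bool   # False only on a hosts.equiv match

def check_connection(src_addr: str, src_port: int, payload: bytes,
                     hosts=SAMPLE_HOSTS, hosts_equiv=SAMPLE_HOSTS_EQUIV) -> Decision:
    """Apply the checks in the order the man page lists them."""
    # 1. Source port: only root on the client can bind 512-1023, which is the
    #    whole basis of the trust (and why NOTES calls this insecure).
    if src_port not in PRIVILEGED_PORTS:
        return Decision(reply=b"", abort=True, hostname=None, password_required=True)
    # 2. Source address: reverse-map it through the hosts table.
    hostname = hosts.get(src_addr)
    try:
        parse_request(payload)
    except (ValueError, UnicodeDecodeError) as e:
        return Decision(error_frame(str(e)), True, hostname, True)
    # Password-less login needs BOTH an /etc/hosts entry for the address and
    # that name in /etc/hosts.equiv; an unresolvable address always prompts.
    trusted = hostname is not None and hostname in hosts_equiv
    return Decision(reply=b"\x00", abort=False, hostname=hostname,
                    password_required=not trusted)

if __name__ == "__main__":
    for addr, port in (("192.0.2.10", 1022), ("192.0.2.11", 1022),
                       ("192.0.2.99", 1022), ("192.0.2.10", 40000)):
        print(addr, port, check_connection(addr, port, SAMPLE_REQUEST))
```

       What the model makes plain is that nothing in this path is
       cryptographic: the decision rests on the source address, the source
       port and a name lookup, all of which an attacker who controls a host
       or the network between the two machines can supply.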
       Once  the  source  port and address have been checked, in.rlogind allo‐
       cates a pseudo-terminal and manipulates file descriptors  so  that  the
       slave half of the pseudo-terminal becomes the stdin, stdout, and stderr
       for a login process. The login process is an instance of  the  login(1)
       program, invoked with the -r option.


       The  login  process  then  proceeds  with  the pam(3PAM) authentication
       process. See SECURITY below.  If  automatic  authentication  fails,  it
       reprompts the user to login.


       The  parent  of  the  login  process manipulates the master side of the
       pseudo-terminal, operating as an intermediary between the login process
       and  the client instance of the rlogin program.  In normal operation, a
       packet protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities
       and  propagate  interrupt  signals  to  the  remote programs. The login
       process propagates the client terminal's baud rate and  terminal  type,
       as found in the environment variable, TERM.


OPTIONS

       The following options are supported:

       -5           Same as -k, for backwards compatibility.


       -c           Requires  Kerberos  V5  clients to present a cryptographic
                    checksum of initial connection information like  the  name
                    of  the  user that the client is  trying  to access in the
                    initial authenticator. This checksum  provides  additional
                    security  by preventing an attacker from changing the ini‐
                    tial  connection  information.  This  option  is  mutually
                    exclusive with the -i option.


       -e           Creates an encrypted session.


       -E           Same as -e, for backwards compatibility.


       -i           Ignores  authenticator  checksums if provided. This option
                    ignores authenticator checksums presented by current  Ker‐
                    beros  clients to protect initial connection  information.
                    Option -i is the opposite of option -c.


       -k           Allows Kerberos V5 authentication with the .k5login access
                    control  file to be trusted. If this authentication system
                    is used by the  client  and  the  authorization  check  is
                    passed, then the user is allowed to log in.


       -M realm     Uses the indicated Kerberos V5 realm. By default, the dae‐
                    mon will determine its realm  from  the  settings  in  the
                    krb5.conf(4) file.


       -p           Prompts  for  authentication  only if other authentication
                    checks fail.


       -P           Prompts for a password in addition to other authentication
                    methods.


       -s tos       Sets the IP TOS option.


       -S keytab    Sets the KRB5 keytab file to use. The /etc/krb5/krb5.keytab
                    file is used by default.


       -x           Same as -e, for backwards compatibility.


       -X           Same as -e, for backwards compatibility.



USAGE

       rlogind and in.rlogind are IPv6-enabled. See ip6(7P). IPv6 is not  cur‐
       rently supported with Kerberos V5 authentication.


       Typically, Kerberized rlogin service runs on port 543 (klogin) and Ker‐
       berized, encrypted rlogin service runs on port 2105 (eklogin). The cor‐
       responding FMRI entries are:

         svc:/network/login:klogin (rlogin with kerberos)
         svc:/network/login:eklogin (rlogin with kerberos and encryption)




SECURITY

       in.rlogind  uses  pam(3PAM) for authentication, account management, and
       session  management.  The  PAM  configuration  policy,  listed  through
       /etc/pam.conf, specifies the modules to be used for in.rlogind. Here is
       a partial pam.conf file with entries for the rlogin command  using  the
       "rhosts" and UNIX authentication modules, and the UNIX account, session
       management, and password management modules.




       rlogin   auth sufficient    pam_rhosts_auth.so.1
       rlogin   auth requisite     pam_authtok_get.so.1
       rlogin   auth required      pam_dhkeys.so.1
       rlogin   auth required      pam_unix_auth.so.1

       rlogin   account required   pam_unix_roles.so.1
       rlogin   account required   pam_unix_projects.so.1
       rlogin   account required   pam_unix_account.so.1

       rlogin   session required   pam_unix_session.so.1



       With this configuration, the server checks the client's source address.
       If   an   entry   for   the   client  exists  in  both  /etc/hosts  and
       /etc/hosts.equiv, a user logging in from the client is not prompted for
       a  password. If the address is associated with a host for which no cor‐
       responding entry exists in /etc/hosts, the user is prompted for a pass‐
       word,  regardless  of whether or not an entry for the client is present
       in /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).


       When running a Kerberized rlogin service (with or without  the  encryp‐
       tion option), the pam service name that should be used is "krlogin".


       If  there  are  no entries for the rlogin service, then the entries for
       the "other" service will be used. If  multiple  authentication  modules
       are  listed,  then  the  user  may  be prompted for multiple passwords.
       Removing   the   pam_rhosts_auth.so.1   entry    will    disable    the
       /etc/hosts.equiv  and  ~/.rhosts  authentication  protocol and the user
       would always be forced to type the password. The sufficient flag  indi‐
       cates  that  authentication  through the pam_rhosts_auth.so.1 module is
       sufficient to authenticate the user. Only if this authentication  fails
       is the next authentication module used.

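       The following is an added example, not part of this man page or of
       Solaris: a small audit of the PAM stacks in.rlogind would use. It parses
       pam.conf entries, applies the rule stated above that a service with no
       entries of its own falls back to the "other" entries, reports whether
       pam_rhosts_auth.so.1 marked sufficient can still log a user in with no
       password, and produces the hardened variant with those lines removed.
       The sample pam.conf text is the listing above plus a hypothetical
       "other" auth stack.

```python
"""Audit of the PAM auth stacks in.rlogind would use.  Added example, not
part of Solaris or this man page; SAMPLE_PAM_CONF is the listing from the
SECURITY section plus a hypothetical "other" stack."""
from collections import defaultdict

SAMPLE_PAM_CONF = """\
# constructed pam.conf excerpt; comments and blank lines are ignored
rlogin   auth sufficient    pam_rhosts_auth.so.1
rlogin   auth requisite     pam_authtok_get.so.1
rlogin   auth required      pam_dhkeys.so.1
rlogin   auth required      pam_unix_auth.so.1

rlogin   account required   pam_unix_roles.so.1
rlogin   account required   pam_unix_projects.so.1
rlogin   account required   pam_unix_account.so.1

rlogin   session required   pam_unix_session.so.1

other    auth requisite     pam_authtok_get.so.1
other    auth required      pam_dhkeys.so.1
other    auth required      pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control_flag, module_basename), ...]},
    keeping file order, which is the order PAM runs the stack in."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = parts[:4]
        # the module field may be a full path; options after it are ignored
        stacks[(service, mtype)].append((control, module.rsplit("/", 1)[-1]))
    return dict(stacks)

def effective_stack(stacks, service, mtype):
    """The service's own entries, else the "other" entries (man page rule).
    Returns (service name actually used, stack)."""
    if (service, mtype) in stacks:
        return service, stacks[(service, mtype)]
    return "other", stacks.get(("other", mtype), [])

def rhosts_trust_enabled(stacks, service):
    """True if a hosts.equiv/.rhosts match alone logs the user in: that is
    what pam_rhosts_auth.so.1 with the 'sufficient' flag means when it sits
    ahead of the password modules, as in the sample."""
    _, auth = effective_stack(stacks, service, "auth")
    return any(control == "sufficient" and module == "pam_rhosts_auth.so.1"
               for control, module in auth)

def hardened(text):
    """Same pam.conf with every pam_rhosts_auth line removed, so the rlogin
    service always falls through to the password modules."""
    kept = [l for l in text.splitlines() if "pam_rhosts_auth" not in l]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("rlogin", "krlogin"):
        used, _ = effective_stack(stacks, svc, "auth")
        state = "ON" if rhosts_trust_enabled(stacks, svc) else "off"
        print(f"{svc}: auth stack taken from '{used}', rhosts trust {state}")
    print(hardened(SAMPLE_PAM_CONF))
```

       Run against the sample, the audit reports that rlogin accepts a
       hosts.equiv match without a password while krlogin, having no entries
       of its own, inherits the password-only "other" stack; the hardened text
       is what the paragraph above describes when it says removing the
       pam_rhosts_auth.so.1 entry forces the user to type the password.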

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:




       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWrcmds                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       login(1),  svcs(1),  rlogin(1),  gkadmin(1M), in.rshd(1M), inetadm(1M),
       inetd(1M), kadmin(1M), svcadm(1M), pam(3PAM), hosts(4), hosts.equiv(4),
       krb5.conf(4),       pam.conf(4),       attributes(5),       environ(5),
       krb5_auth_rules(5), pam_authtok_check(5), pam_authtok_get(5), pam_auth‐
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5), smf(5)




DIAGNOSTICS

       All diagnostic messages are returned on the connection associated  with
       the stderr, after which any network connections are closed. An error is
       indicated by a leading byte with a value of 1.

       Hostname for your address unknown.

           No entry in  the  host  name  database  existed  for  the  client's
           machine.


       Try again.

           A fork by the server failed.


       /usr/bin/sh: ...

           The user's login shell could not be started.



NOTES

       The  authentication  procedure  used here assumes the integrity of each
       client machine and the connecting medium.  This is insecure, but it  is
       useful in an ``open'' environment.


       A  facility  to  allow  all  data  exchanges  to be encrypted should be
       present.


       The pam_unix(5) module is no longer supported. Similar functionality is
       provided   by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth‐
       tok_store(5), pam_dhkeys(5),  pam_passwd_auth(5),  pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).


       The  in.rlogind  service is managed by the service management facility,
       smf(5), under the service identifier:

         svc:/network/login:rlogin (rlogin)
         svc:/network/login:klogin (rlogin with kerberos)
         svc:/network/login:eklogin (rlogin with kerberos and encryption)




       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can be performed using svcadm(1M). Responsibility
       for initiating and restarting this service is delegated  to  inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.



SunOS 5.11                        10 Nov 2005                   in.rlogind(1M)