in.rlogind(1M)         System Administration Commands         in.rlogind(1M)

NAME
       in.rlogind, rlogind - remote login server

SYNOPSIS
       /usr/sbin/in.rlogind [-k5eExXciPp] [-s tos] [-S keytab]
            [-M realm]

DESCRIPTION
       in.rlogind is the server for the rlogin(1) program. The server provides
       a remote login facility with authentication based on Kerberos V5 or
       privileged port numbers.

       in.rlogind is invoked by inetd(1M) when a remote login connection is
       established. When Kerberos V5 authentication is required (see option -k
       below), the authentication sequence is as follows:

           o  Check Kerberos V5 authentication.

           o  Check authorization according to the rules in
              krb5_auth_rules(5).

           o  Prompt for a password if any checks fail and /etc/pam.conf is
              configured to do so.

       In order for Kerberos authentication to work, a host/<FQDN> Kerberos
       principal must exist for each Fully Qualified Domain Name associated
       with the in.rlogind server. Each of these host/<FQDN> principals must
       have a keytab entry in the /etc/krb5/krb5.keytab file on the
       in.rlogind server. An example principal might be:

           host/bigmachine.eng.example.com

       See kadmin(1M) or gkadmin(1M) for instructions on adding a principal to
       a krb5.keytab file. See for a discussion of Kerberos authentication.

       If Kerberos V5 authentication is not enabled, then the authentication
       procedure follows the standard rlogin protocol:

           o  The server checks the client's source port. If the port is not
              in the range 512-1023, the server aborts the connection.

           o  The server checks the client's source address. If an entry for
              the client exists in both /etc/hosts and /etc/hosts.equiv, a
              user logging in from the client is not prompted for a password.
              If the address is associated with a host for which no
              corresponding entry exists in /etc/hosts, the user is prompted
              for a password, regardless of whether or not an entry for the
              client is present in /etc/hosts.equiv. See hosts(4) and
              hosts.equiv(4).

       Once the source port and address have been checked, in.rlogind
       allocates a pseudo-terminal and manipulates file descriptors so that
       the slave half of the pseudo-terminal becomes the stdin, stdout, and
       stderr for a login process. The login process is an instance of the
       login(1) program, invoked with the -r option.

       The login process then proceeds with the pam(3PAM) authentication
       process. See SECURITY below. If automatic authentication fails, it
       reprompts the user to login.

       The parent of the login process manipulates the master side of the
       pseudo-terminal, operating as an intermediary between the login process
       and the client instance of the rlogin program. In normal operation, a
       packet protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities
       and propagate interrupt signals to the remote programs. The login
       process propagates the client terminal's baud rate and terminal type,
       as found in the environment variable, TERM.
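       The standard (non-Kerberos) trust decision described above, as an
       added example that is not part of the man page: HOSTS and HOSTS_EQUIV
       are constructed sample files, and hosts.equiv wildcards, netgroups and
       per-user fields are deliberately left out of the model.

```python
# Added example, not from the man page: a model of the non-Kerberos rlogin
# trust decision. HOSTS and HOSTS_EQUIV are constructed sample files.
HOSTS = """# constructed sample /etc/hosts
192.0.2.10   bigmachine.eng.example.com bigmachine
192.0.2.20   lab1.eng.example.com lab1
"""
HOSTS_EQUIV = """# constructed sample /etc/hosts.equiv
bigmachine.eng.example.com
"""

def parse_hosts(text):
    """Map address -> set of names, from /etc/hosts-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], set()).update(fields[1:])
    return table

def parse_hosts_equiv(text):
    """Host names listed in hosts.equiv (first field only; '+' wildcards,
    '-' entries, netgroups and per-user fields are deliberately not modelled)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            names.add(fields[0])
    return names

def rlogin_decision(src_port, src_addr, hosts_text=HOSTS, equiv_text=HOSTS_EQUIV):
    """Return 'abort', 'trusted' (no password prompt) or 'prompt'.

    Everything here rests on the source port and source address of the TCP
    connection, which is why the NOTES section calls the scheme insecure."""
    # 1. The client must connect from a reserved port, 512-1023.
    if not 512 <= src_port <= 1023:
        return "abort"
    # 2. The source address must have an entry in the host name database;
    #    an unknown host is always prompted, whatever hosts.equiv says.
    names = parse_hosts(hosts_text).get(src_addr, set())
    if not names:
        return "prompt"
    # 3. Only a host also listed in hosts.equiv skips the password.
    if names & parse_hosts_equiv(equiv_text):
        return "trusted"
    return "prompt"
```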

OPTIONS
       The following options are supported:

       -5          Same as -k, for backwards compatibility.

       -c          Requires Kerberos V5 clients to present a cryptographic
                   checksum of initial connection information, such as the
                   name of the user that the client is trying to access, in
                   the initial authenticator. This checksum provides
                   additional security by preventing an attacker from
                   changing the initial connection information. This option
                   is mutually exclusive with the -i option.

       -e          Creates an encrypted session.

       -E          Same as -e, for backwards compatibility.

       -i          Ignores authenticator checksums if provided. This option
                   ignores authenticator checksums presented by current
                   Kerberos clients to protect initial connection
                   information. Option -i is the opposite of option -c.

       -k          Allows Kerberos V5 authentication with the .k5login
                   access control file to be trusted. If this authentication
                   system is used by the client and the authorization check
                   is passed, then the user is allowed to log in.

       -M realm    Uses the indicated Kerberos V5 realm. By default, the
                   daemon will determine its realm from the settings in the
                   krb5.conf(4) file.

       -p          Prompts for authentication only if other authentication
                   checks fail.

       -P          Prompts for a password in addition to other authentication
                   methods.

       -s tos      Sets the IP TOS option.

       -S keytab   Sets the KRB5 keytab file to use. The
                   /etc/krb5/krb5.keytab file is used by default.

       -x          Same as -e, for backwards compatibility.

       -X          Same as -e, for backwards compatibility.


USAGE
       rlogind and in.rlogind are IPv6-enabled. See ip6(7P). IPv6 is not
       currently supported with Kerberos V5 authentication.

       Typically, Kerberized rlogin service runs on port 543 (klogin) and
       Kerberized, encrypted rlogin service runs on port 2105 (eklogin). The
       corresponding FMRI entries are:

           svc:/network/login:klogin  (rlogin with kerberos)
           svc:/network/login:eklogin (rlogin with kerberos and encryption)


SECURITY
       in.rlogind uses pam(3PAM) for authentication, account management, and
       session management. The PAM configuration policy, listed through
       /etc/pam.conf, specifies the modules to be used for in.rlogind. Here is
       a partial pam.conf file with entries for the rlogin command using the
       "rhosts" and UNIX authentication modules, and the UNIX account, session
       management, and password management modules.

           rlogin  auth     sufficient  pam_rhosts_auth.so.1
           rlogin  auth     requisite   pam_authtok_get.so.1
           rlogin  auth     required    pam_dhkeys.so.1
           rlogin  auth     required    pam_unix_auth.so.1

           rlogin  account  required    pam_unix_roles.so.1
           rlogin  account  required    pam_unix_projects.so.1
           rlogin  account  required    pam_unix_account.so.1

           rlogin  session  required    pam_unix_session.so.1

       With this configuration, the server checks the client's source address.
       If an entry for the client exists in both /etc/hosts and
       /etc/hosts.equiv, a user logging in from the client is not prompted for
       a password. If the address is associated with a host for which no
       corresponding entry exists in /etc/hosts, the user is prompted for a
       password, regardless of whether or not an entry for the client is
       present in /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).

       When running a Kerberized rlogin service (with or without the
       encryption option), the pam service name that should be used is
       "krlogin".

       If there are no entries for the rlogin service, then the entries for
       the "other" service will be used. If multiple authentication modules
       are listed, then the user may be prompted for multiple passwords.
       Removing the pam_rhosts_auth.so.1 entry will disable the
       /etc/hosts.equiv and ~/.rhosts authentication protocol and the user
       would always be forced to type the password. The sufficient flag
       indicates that authentication through the pam_rhosts_auth.so.1 module
       is sufficient to authenticate the user. Only if this authentication
       fails is the next authentication module used.
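       An added example, not part of the man page: a small audit of a
       pam.conf that resolves the auth stack for the rlogin and krlogin
       service names (with the "other" fallback) and reports whether a
       sufficient pam_rhosts_auth.so.1 entry lets a trusted host in with no
       password at all. PAM_CONF is a constructed sample built from the
       partial file above plus an "other" stack.

```python
# Added example, not from the man page: audit which PAM auth stack applies to
# the rlogin services and whether rhosts trust alone can satisfy it.
# PAM_CONF is a constructed sample built from the partial file above plus an
# "other" stack.
from collections import defaultdict

PAM_CONF = """\
rlogin  auth    sufficient  pam_rhosts_auth.so.1
rlogin  auth    requisite   pam_authtok_get.so.1
rlogin  auth    required    pam_dhkeys.so.1
rlogin  auth    required    pam_unix_auth.so.1
rlogin  account required    pam_unix_roles.so.1
rlogin  account required    pam_unix_projects.so.1
rlogin  account required    pam_unix_account.so.1
rlogin  session required    pam_unix_session.so.1
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module), ...]}."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            stacks[(fields[0], fields[1])].append((fields[2], fields[3]))
    return stacks

def auth_stack(stacks, service):
    """Auth entries for service, or the "other" entries when it has none."""
    return stacks.get((service, "auth")) or stacks.get(("other", "auth"), [])

def rhosts_trust_enabled(stacks, service):
    """True when pam_rhosts_auth.so.1 is 'sufficient': a hosts.equiv or
    ~/.rhosts match logs the user in without any password prompt."""
    return any(ctl == "sufficient" and mod == "pam_rhosts_auth.so.1"
               for ctl, mod in auth_stack(stacks, service))

def without_rhosts(text):
    """The hardening the text describes: drop the pam_rhosts_auth.so.1 entry
    so the user is always asked for a password."""
    return "\n".join(l for l in text.splitlines()
                     if "pam_rhosts_auth.so.1" not in l) + "\n"
```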

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWrcmds                    │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       login(1), svcs(1), rlogin(1), gkadmin(1M), in.rshd(1M), inetadm(1M),
       inetd(1M), kadmin(1M), svcadm(1M), pam(3PAM), hosts(4), hosts.equiv(4),
       krb5.conf(4), pam.conf(4), attributes(5), environ(5),
       krb5_auth_rules(5), pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5), smf(5)

DIAGNOSTICS
       All diagnostic messages are returned on the connection associated with
       the stderr, after which any network connections are closed. An error is
       indicated by a leading byte with a value of 1.

       Hostname for your address unknown.

           No entry in the host name database existed for the client's
           machine.

       Try again.

           A fork by the server failed.

       /usr/bin/sh: ...

           The user's login shell could not be started.

NOTES
       The authentication procedure used here assumes the integrity of each
       client machine and the connecting medium. This is insecure, but it is
       useful in an ``open'' environment.

       A facility to allow all data exchanges to be encrypted should be
       present.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

       The in.rlogind service is managed by the service management facility,
       smf(5), under the service identifiers:

           svc:/network/login:rlogin  (rlogin)
           svc:/network/login:klogin  (rlogin with kerberos)
           svc:/network/login:eklogin (rlogin with kerberos and encryption)

       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed using svcadm(1M). Responsibility
       for initiating and restarting this service is delegated to inetd(1M).
       Use inetadm(1M) to make configuration changes and to view configuration
       information for this service. The service's status can be queried using
       the svcs(1) command.



SunOS 5.11                        10 Nov 2005                    in.rlogind(1M)