rlogind - The remote login server
rlogind [-alnxK]
-a  Requests the addresses for the hostname, verifying that
    the name and address correspond. Normal authentication is
    bypassed if the address verification fails.
-l  Prevents authentication based on the user's $HOME/.rhosts
    file, unless the user is logging in as the superuser.
-n  Disables transport-level keep-alive messages. The messages
    are enabled by default.
-x  Encrypts the data transmitted between the local host and
    the remote host. This option requires that the local and
    remote hosts be configured to use Kerberos authentication
    in the same or trusting Kerberos realms.
    If the rlogind daemon is started with the -x option, only
    connections initiated with the -x option from a remote
    host will be accepted. All communications between the two
    hosts will be encrypted.
-K  Specifies that only Kerberos authenticated connections
    will be accepted. This option requires that the local and
    remote hosts be configured to use Kerberos authentication
    in the same or trusting Kerberos realms.
    If the rlogind daemon is started with the -K option, only
    connections initiated from a host in the same or trusting
    Kerberos domain will be accepted. All communications
    between the two hosts will be encrypted.
The rlogind daemon is the server for the rlogin(1) program.
The server provides a remote login facility with
authentication based on privileged port numbers from
trusted hosts.
The rlogind daemon listens for service requests at the
port indicated in the login service specification; see
services(4). When a service request is received, the following
protocol is initiated:
1.  The server checks the client's source port. If the port
    is not in the range 512 to 1023, the server aborts the
    connection.
2.  The server checks the client's source address and requests
    the corresponding hostname (see gethostbyaddr(3), hosts(4)
    and named(8)). If the hostname cannot be determined, the
    dot-notation representation of the host address is used.
    If the hostname is in the same domain as the server
    (according to the last two components of the domain name),
    or if the -a option is given, the addresses for the
    hostname are requested, verifying that the name and
    address correspond. Normal authentication is bypassed if
    the address verification fails.
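The source-port and address checks described above, as an added C example (not rlogind's own source). The resolver results are passed in as arguments with constructed values so it runs offline; check_peer, its result names, and treating an unresolved name as nothing to verify are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum peer_result { PEER_ABORT, PEER_VERIFY_FAILED, PEER_PROCEED };

/* Source port must lie in 512..1023, otherwise the connection is aborted. */
static int port_in_range(unsigned port) { return port >= 512 && port <= 1023; }

/* Pointer to the last two dot-separated components of a host name. */
static const char *last_two(const char *name) {
    const char *p = name + strlen(name);
    int dots = 0;
    while (p > name) {
        if (p[-1] == '.' && ++dots == 2) break;
        p--;
    }
    return p;
}

static int same_domain(const char *a, const char *b) {
    return strcasecmp(last_two(a), last_two(b)) == 0;
}

/* Forward confirmation: the peer address must be one the name resolves to. */
static int addr_listed(const char *peer, const char *const *fwd, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(peer, fwd[i]) == 0) return 1;
    return 0;
}

/* rev_name: reverse-lookup result (NULL if none); fwd: addresses rev_name resolves to. */
enum peer_result check_peer(unsigned port, const char *peer, const char *rev_name,
                            const char *server, int opt_a,
                            const char *const *fwd, size_t n) {
    if (!port_in_range(port)) return PEER_ABORT;
    if (rev_name == NULL) return PEER_PROCEED; /* assumption: dotted address, nothing to verify */
    if (opt_a || same_domain(rev_name, server))
        return addr_listed(peer, fwd, n) ? PEER_PROCEED : PEER_VERIFY_FAILED;
    return PEER_PROCEED; /* name outside the server's domain and no -a: not verified */
}

int main(void) {
    const char *const fwd[] = { "192.0.2.10" };  /* constructed lookup result */
    printf("%d\n", check_peer(1000, "192.0.2.99", "pc.example.com",
                              "srv.example.com", 0, fwd, 1));
    return 0;
}
```

Without -a, a reverse name outside the server's domain reaches PEER_PROCEED with no forward confirmation, which is the case the -a option closes.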
Once the source port and address have been checked,
rlogind proceeds with the authentication process described
in rshd(8). It then allocates a pseudoterminal (see
pty(7)), and manipulates file descriptors so that the
slave half of the pseudoterminal becomes the stdin, stdout,
and stderr for a login process. The login process is
an instance of the login(1) program invoked with the -f
option if authentication has succeeded. If automatic
authentication fails, the user is prompted to log in as if
on a standard terminal line. The -l option prevents any
authentication based on the user's $HOME/.rhosts file,
unless the user is logging in as the superuser.
By default, the rlogind daemon starts the login dialog
using the login string specified in the message field of
the /etc/gettydefs file. If you want to use a customized
banner, create an /etc/issue.net or /etc/issue file. The
rlogind daemon reads the file that exists and writes its
contents to stdout prior to starting the login dialog. If
both files exist, only the /etc/issue.net file is used.
The parent of the login process manipulates the master
side of the pseudoterminal, operating as an intermediary
between the login process and the client instance of the
rlogin program. In normal operation, the packet protocol
described in pty(7) is invoked to provide <Ctrl-s>/<Ctrl-q>
type facilities and propagate interrupt signals to the
remote programs. The login process propagates the client
terminal's baud rate and terminal type, as found in the
TERM environment variable. The screen or window size of
the terminal is requested from the client, and window size
changes from the client are propagated to the pseudoterminal.
Transport-level, keep-alive messages are enabled unless
the -n option is present. The use of keep-alive messages
allows sessions to be timed out if the client crashes or
becomes unreachable.
All initial diagnostic messages are indicated by a leading
byte with a value of 1 (one), after which any network connections
are closed. If there are no errors before login
is invoked, a null byte is returned as an indication of
success.
A fork by the server failed.
An attempt was made to start rlogind using the -K flag
without first configuring the system as part of a Kerberos
realm.
Specifies the command path
Commands: login(1)
Daemons: rshd(8)
Files: issue(4), issue.net(4)
Functions: ruserok(3)
rlogind(8)