Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎

in.rlogind


NAME
     in.rlogind, rlogind - remote login server

SYNOPSIS
     /usr/sbin/in.rlogind [-k5eExXciPp] [-s tos] [-S keytab]  [-M
     realm]

DESCRIPTION
     in.rlogind is the server for  the  rlogin(1)  program.   The
     server  provides a remote login facility with authentication
     based on Kerberos V5 or privileged port numbers.

     in.rlogind is invoked by inetd(1M) when a remote login  con-
     nection  is  established. When Kerberos V5 authentication is
     required (see option -k below), the authentication  sequence
     is as follows:

       o  Check Kerberos V5 authentication.

       o  Check  authorization  according   to   the   rules   in
          krb5_auth_rules(5).

       o  Prompt  for  a  password  if  any   checks   fail   and
          /etc/pam.conf is configured to do so.


     In order for Kerberos authentication to work, a  host/<FQDN>
     Kerberos  principal  must  exist  for  each  Fully Qualified
     Domain Name associated with the in.rlogind server.  Each  of
     these host/<FQDN> principals must have a keytab entry in the
     /etc/krb5/krb5.keytab file  on  the  in.rlogind  server.  An
     example principal might be:

          host/bigmachine.eng.example.com


     See kadmin(1M) or gkadmin(1M) for instructions on  adding  a
     principal  to  a krb5.keytab file. See System Administration
     Guide:  Security  Services  for  a  discussion  of  Kerberos
     authentication.

     If Kerberos V5  authentication  is  not  enabled,  then  the
     authentication  procedure follows the standard rlogin proto-
     col:

       o  The server checks the client's source port. If the port
          is  not  in  the  range 512-1023, the server aborts the
          connection.

       o  The server checks the client's source  address.  If  an
          entry  for  the  client  exists  in both /etc/hosts and
          /etc/hosts.equiv, a user logging in from the client  is
          not  prompted for a password. If the address is associ-
          ated with a  host  for  which  no  corresponding  entry
          exists  in /etc/hosts, the user is prompted for a pass-
          word, regardless of  whether or not an  entry  for  the
          client  is  present  in  /etc/hosts.equiv. See hosts(4)
          and hosts.equiv(4).


     Once  the  source  port  and  address  have  been   checked,
     in.rlogind  allocates a pseudo-terminal and manipulates file
     descriptors so that the slave half  of  the  pseudo-terminal
     becomes  the  stdin, stdout, and stderr for a login process.
     The login process is an instance of  the  login(1)  program,
     invoked with the -r.

     The login process then proceeds with the pam(3PAM) authenti-
     cation  process. See SECURITY below.  If automatic authenti-
     cation fails, it reprompts the user to login.

     The parent of the login process manipulates the master  side
     of the pseudo-terminal, operating as an intermediary between
     the login process and the client instance of the rlogin pro-
     gram.   In normal operation, a packet protocol is invoked to
     provide <Ctrl-S> and <Ctrl-Q> type facilities and  propagate
     interrupt  signals to the remote programs. The login process
     propagates the client  terminal's  baud  rate  and  terminal
     type, as found in the environment variable, TERM.

OPTIONS
     The following options are supported:

     -5              Same as -k, for backwards compatibility.



     -c              Requires Kerberos V5 clients  to  present  a
                     cryptographic checksum of initial connection
                     information like the name of the  user  that
                     the client is  trying  to access in the ini-
                     tial authenticator. This  checksum  provides
                     additionl security by preventing an attacker
                     from changing the initial connection  infor-
                     mation.  This  option  is mutually exclusive
                     with the -i option.



     -e              Creates an encrypted session.




     -E              Same as -e, for backwards compatibility.



     -i              Ignores authenticator checksums if provided.
                     This  option ignores authenticator checksums
                     presented by  current  Kerberos  clients  to
                     protect   initial  connection   information.
                     Option -i is the opposite of option -c.



     -k              Allows Kerberos V5 authentication  with  the
                     .k5login  access control file to be trusted.
                     If this authentication system is used by the
                     client   and   the  authorization  check  is
                     passed, then the user is allowed to log in.



     -M realm        Uses the indicated  Kerberos  V5  realm.  By
                     default, the daemon will determine its realm
                     from the settings in the krb5.conf(4) file.



     -p              Prompts for  authentication  only  if  other
                     authentication checks fail.



     -P              Prompts for a password in addition to  other
                     authentication methods.



     -s tos          Sets the IP TOS option.



     -S keytab       Sets  the   KRB5   keytab   file   to   use.
                     The/etc/krb5/krb5.keytab  file  is  used  by
                     default.



     -x              Same as -e, for backwards compatibility.



     -X              Same as -e, for backwards compatibility.

USAGE
     rlogind and in.rlogind are IPv6-enabled. See  ip6(7P).  IPv6
     is not currently supported with Kerberos V5 authentication.

     Typically, Kerberized rlogin service runs on port 543  (klo-
     gin)  and  Kerberized, encrypted rlogin service runs on port
     2105 (eklogin). The corresponding FMRI entries are:

     svc:/network/login:klogin (rlogin with kerberos)
     svc:/network/login:eklogin (rlogin with kerberos and encryption)

SECURITY
     in.rlogind  uses  pam(3PAM)  for   authentication,   account
     management,  and  session  management. The PAM configuration
     policy, listed through /etc/pam.conf, specifies the  modules
     to  be  used for in.rlogind. Here is a partial pam.conf file
     with entries for the rlogin command using the  "rhosts"  and
     UNIX  authentication  modules, and the UNIX account, session
     management, and password management modules.

     rlogin    auth sufficient    pam_rhosts_auth.so.1
     rlogin    auth requisite     pam_authtok_get.so.1
     rlogin    auth required      pam_dhkeys.so.1
     rlogin    auth required      pam_unix_auth.so.1

     rlogin    account required   pam_unix_roles.so.1
     rlogin    account required   pam_unix_projects.so.1
     rlogin    account required   pam_unix_account.so.1

     rlogin    session required   pam_unix_session.so.1


     With this configuration,  the  server  checks  the  client's
     source  address.  If  an entry for the client exists in both
     /etc/hosts and /etc/hosts.equiv, a user logging in from  the
     client  is  not  prompted  for a password. If the address is
     associated with a host  for  which  no  corresponding  entry
     exists  in  /etc/hosts, the user is prompted for a password,
     regardless of whether or not an  entry  for  the  client  is
     present    in    /etc/hosts.equiv.    See    hosts(4)    and
     hosts.equiv(4).

     When running a Kerberized rlogin service  (with  or  without
     the  encryption option), the pam service name that should be
     used is "krlogin".

     If there are no entries for the  rlogin  service,  then  the
     entries  for  the  "other" service will be used. If multiple
     authentication modules are listed,  then  the  user  may  be
     prompted    for    multiple    passwords.    Removing    the
     pam_rhosts_auth.so.1 entry will disable the /etc/hosts.equiv
     and  ~/.rhosts  authentication  protocol  and the user would
     always be forced to type the password. The  sufficient  flag
     indicates      that      authentication      through     the
     pam_rhosts_auth.so.1 module is  sufficient  to  authenticate
     the  user.  Only  if  this  authentication fails is the next
     authentication module used.

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWrcmds                   |
    |_____________________________|_____________________________|


SEE ALSO
     login(1),  svcs(1),  rlogin(1),  gkadmin(1M),   in.rshd(1M),
     inetadm(1M),  inetd(1M),  kadmin(1M), svcadm(1M), pam(3PAM),
     hosts(4), hosts.equiv(4), krb5.conf(4), pam.conf(4),  attri-
     butes(5),           environ(5),          krb5_auth_rules(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5),  pam_unix_session(5),
     smf(5)

     System Administration Guide: Security Services

DIAGNOSTICS
     All diagnostic messages are returned on the connection asso-
     ciated  with the stderr, after which any network connections
     are closed. An error is indicated by a leading byte  with  a
     value of 1.

     Hostname for your address unknown.      No entry in the host
                                             name        database
                                             existed   for    the
                                             client's machine.



     Try again.                              A fork by the server
                                             failed.



     /usr/bin/sh: ...                        The   user's   login
                                             shell  could  not be
                                             started.


NOTES
     The authentication procedure used here assumes the integrity
     of  each  client machine and the connecting medium.  This is
     insecure, but it is useful in an ``open'' environment.

     A facility to allow  all  data  exchanges  to  be  encrypted
     should be present.

     The pam_unix(5) module is no longer supported. Similar func-
     tionality     is     provided    by    pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5),  pam_unix_account(5),  pam_unix_auth(5),
     and pam_unix_session(5).

     The in.rlogind service is managed by the service  management
     facility, smf(5), under the service identifier:

     svc:/network/login:rlogin (rlogin)
     svc:/network/login:klogin (rlogin with kerberos)
     svc:/network/login:eklogin (rlogin with kerberos and encryption)

     Administrative actions on this service,  such  as  enabling,
     disabling,  or  requesting  restart,  can be performed using
     svcadm(1M). Responsibility  for  initiating  and  restarting
     this  service  is delegated to inetd(1M). Use inetadm(1M) to
     make configuration changes and to view configuration  infor-
     mation for this service. The service's status can be queried
     using the svcs(1) command.










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.
Comments