rlogind(1m) [hpux man page]

rlogind(1M)															       rlogind(1M)

rlogind - remote login server

SYNOPSIS
bannerfile]

In Kerberos V5 Network Authentication Environments
bannerfile]

DESCRIPTION
rlogind is the server for the rlogin program. It provides a remote login facility with two kinds of authentication methods:

1. Authentication based on privileged port numbers, where the client's source port must be in the range 512 through 1023. In this case rlogind assumes it is operating in a normal or non-secure environment.

2. Authentication based on Kerberos V5. In this case rlogind assumes it is operating in a Kerberos V5 Network Authentication, that is, secure environment.

The inetd daemon invokes rlogind if a service request is received at ports indicated by the or services specified in (see inetd(1M) and services(4)). Service requests arriving at the port assume a secure environment and expect Kerberos authentication to take place.

To start rlogind from the inetd daemon in a non-secure environment, the configuration file must contain an entry as follows:

In a secure environment, must contain an entry:

The above configuration line will start rlogind in mode. To start rlogind in mode, the configuration file must contain an entry as follows:

Note: For IPv6 applications the protocol has to be changed to See inetd.conf(4) for more information.

To prevent non-secure access, the entry for should be commented out in Any non-Kerberos access will be denied since the entry for the port indicated by has now been removed or commented out. In such a situation, a generic error message, is displayed. See for more details.

Options

rlogind recognizes the following options:

     This option is used to prevent any authentication based on the user's file unless the user is logging in as super-user.

     This option is used in multi-homed NIS systems. It disables rlogind from doing a reverse lookup of the client's IP address; see gethostbyname(3N). It can be used to circumvent an NIS limitation with multihomed hosts.

     This option is used to disable transport-level keepalive messages.

     Causes the file, bannerfile, to be displayed to incoming rlogin requests.

In a secure environment, rlogind will recognize the following additional options:

     Ignore checksum verification. This option is used to achieve interoperability between clients and servers using different checksum calculation methods. For example, the checksum calculation in an application developed with Kerberos V5 Beta 4 API is different from the calculation in a Kerberos V5-1.0 application.

     Authorization based on Kerberos V5 must succeed or access will be rejected (see sis(5) for details on authorization).

     Authentication based on privileged port numbers and authorization of the remote user through equivalent accounts must succeed. For more information on equivalent accounts, see hosts.equiv(4).

     Either one of the following must succeed. The order in which the authorization checks are done is as specified below.
     1. Authentication based on privileged port numbers and authorization of the remote user through equivalent accounts (see hosts.equiv(4)).
     2. Authorization based on Kerberos V5.

     Either one of the following must succeed. The order in which the authorization checks are done is as specified below.
     1. Authorization based on Kerberos V5.
     2. Authentication based on privileged port numbers and authorization of the remote user through equivalent accounts.

Note: The option is ignored when used with and the option is ignored when used with Also, if no options are specified, the default option is

Operation

When a service request is received, the following protocol is initiated by rlogind:

1. rlogind checks the client's source port. If the port is not a privileged port (that is, in the range 512 through 1023) and rlogind is operating in a non-secure environment, the connection is terminated. In a secure environment, the action taken depends on the command line options:

     The source port must be a privileged port, otherwise rlogind terminates the connection.

     If the source port is not a privileged port then Kerberos authorization must succeed or the connection is terminated.

     The source port must be a privileged port if Kerberos authorization fails.

     No action is taken.

2. rlogind checks the client's source address and requests the corresponding host name (see gethostent(3N), hosts(4), and named(1M)). If it cannot determine the hostname, it uses the Internet dot-notation representation of the host address.

3. In a secure environment, rlogind proceeds with the Kerberos authentication process described in sis(5). If authentication succeeds, then the authorization selected by the command line option or is performed. The authorization selected could be as specified in or Kerberos authorization as specified in sis(5).

4. rlogind then allocates a STREAMS based pseudo-terminal (see ptm(7) and pts(7)), and manipulates file descriptors so that the slave half of the pseudo-terminal becomes and for a login process.

5. This login process is an instance of invoked with the option if authentication has succeeded. In a non-secure environment, if automatic authentication fails, prompts the user with the normal login sequence. In a secure environment, if authentication fails, generates an error message and quits.

The process manipulates the master side of the pseudo-terminal, operating as an intermediary between the login process and the client instance of the program. The protocol described in ptm(7) and pts(7) is used to enable and disable flow control via Ctrl-S/Ctrl-Q under the direction of the program running on the slave side of the pseudo-terminal, and to flush terminal output in response to interrupt signals. The login process sets the baud rate and environment variable to correspond to the client's baud rate and terminal type (see environ(5)).

Transport-level keepalive messages are enabled unless the option is present. The use of keepalive messages allows sessions to be timed out if the client crashes or becomes unreachable.

EXTERNAL INFLUENCES
International Code Set Support

Single and multibyte character code sets are supported.

DIAGNOSTICS
Errors in establishing a connection cause an error message to be returned with a leading byte of 1 through the socket connection, after which the network connection is closed. Any errors generated by the login process or its descendants are passed through by the server as normal communication.

     The server was unable to fork a process to handle the incoming connection. Wait a period of time and try again. If this message persists, the server's host may have runaway processes that are using all the entries in the process table.

     The server was unable to obtain a pseudo-terminal for use with the login process. Either all pseudo-terminals were in use, or the pty driver has not been properly set up. Note that the number of slave devices that can be allocated depends on NSTRPTY, a kernel tunable parameter. This can be changed via HP SMH (replacement for SAM); see ptm(7) and pts(7). Check the pty configuration of the host where rlogind executes.

     The server denied access because the client was not using a reserved port. This should only happen to interlopers trying to break into the system.

     The login program could not be started via for the reason indicated. Try to correct the condition causing the problem. If this message persists, contact your system administrator.

     This generic message could be due to a number of reasons. One of the reasons could be because the entry for login service is not present in This entry may have been removed or commented out to prevent non-secure access.

Kerberos specific errors are listed in sis(5).

WARNINGS
The integrity of each host and the connecting medium is assumed if the "privileged port" authentication procedure is used in a non-secure environment or if the command line options are used in a secure environment. Although both these methods provide insecure access, they are useful in an "open" environment. This is insecure, but is useful in an "open" environment.

Note that all the information, including any passwords, is passed unencrypted between the two hosts when rlogind is invoked in a non-secure environment.

AUTHOR
rlogind was developed by the University of California, Berkeley.

FILES
     List of equivalent hosts
     User's private equivalence list

SEE ALSO
login(1), rlogin(1), inetd(1M), named(1M), gethostent(3N), ruserok(3N), hosts(4), hosts.equiv(4), inetd.conf(4), services(4), environ(5), sis(5), pty(7).
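
The following is an added example, not part of the HP-UX manual page: a POSIX sh/awk check that lists the active rlogind entries in an inetd.conf-style file and marks the non-Kerberos login service that DESCRIPTION says to comment out. The klogin service name, the /usr/lbin paths and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf-style file for entries that start rlogind.
# Field layout per inetd.conf(4):
#   service  socket-type  protocol  wait/nowait  user  server-program  args...

# Prints one line per active (uncommented) rlogind entry:
#   NONSECURE <service> <protocol>  service "login": privileged-port
#                                   authentication, traffic unencrypted
#   REVIEW    <service> <protocol>  any other service name (for example a
#                                   Kerberos one); check its options by hand
# Reads the files given as arguments, or standard input if there are none.
audit_rlogind_entries() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # comments, blank and short lines
        {
            n = split($6, part, "/")        # basename of the server program
            if (part[n] != "rlogind") next
            if ($1 == "login") print "NONSECURE", $1, $3
            else               print "REVIEW", $1, $3
        }
    ' "$@"
}

# Returns 0 if the non-secure login entry is still active, 1 otherwise.
nonsecure_rlogin_enabled() {
    audit_rlogind_entries "$@" | grep '^NONSECURE ' >/dev/null
}

# Constructed sample input (not taken from a real host).
SAMPLE_CONF='# constructed sample inetd.conf
login   stream tcp  nowait root /usr/lbin/rlogind rlogind
#login  stream tcp6 nowait root /usr/lbin/rlogind rlogind
klogin  stream tcp  nowait root /usr/lbin/rlogind rlogind
shell   stream tcp  nowait root /usr/lbin/remshd  remshd
'

printf '%s' "$SAMPLE_CONF" | audit_rlogind_entries
if printf '%s' "$SAMPLE_CONF" | nonsecure_rlogin_enabled; then
    echo "non-secure rlogin access is enabled: comment out the login entry"
fi
```

On a real host, pass the path of the inetd configuration file as the argument and have inetd reread its configuration after editing it.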