hpux man page for rlogind

rlogind(1M)															       rlogind(1M)

NAME
       rlogind - remote login server

SYNOPSIS
       bannerfile]

   In Kerberos V5 Network Authentication Environments
       bannerfile]

DESCRIPTION
       is the server for the program.  It provides a remote login facility with two kinds of authentication methods:

	      1.     Authentication  based  on	privileged  port numbers where the client's source port must be in the range 512 through 1023.	In
		     this case assumes it is operating in normal or non-secure environment.

	      2.     Authentication based on Kerberos V5.  In this case assumes it is operating in a Kerberos V5 Network Authentication, that  is,
		     secure environment.

       The  daemon  invokes  if  a service request is received at ports indicated by the or services specified in (see inetd(1M) and services(4)).
       Service requests arriving at the port assume a secure environment and expect Kerberos authentication to take place.

       To start from the inetd daemon in a non-secure environment, the configuration file must contain an entry as follows:

       In a secure environment, must contain an entry:

       The above configuration line will start in mode.  To start in mode, the configuration file must contain an entry as follows:

	      Note: For IPv6 applications the protocol has to be changed to See inetd.conf(4) for more information.

       To prevent non-secure access, the entry for should be commented out in Any non-Kerberos access will be denied since the entry for the  port
       indicated by has now been removed or commented out.  In a such a situation, a generic error message,

       is displayed.  See for more details.

   Options
       rlogind recognizes the following options:

	      This option is used to prevent any authentication based on the user's
		     file unless the user is logging in as super-user.

	      This option is used in multi-homed NIS systems.  It disables
		     from  doing a reverse lookup, of the client's IP address; see gethostbyname(3N).  It can be used to circumvent an NIS limita-
		     tion with multihomed hosts.

	      This option is used to disable transport-level keepalive messages.

	      Causes the file,
		     bannerfile, to be displayed to incoming rlogin requests.

       In a secure environment, will recognize the following additional options:

	      Ignore checksum verification.  This option is used to achieve
		     interoperability between clients and servers using different checksum calculation methods.  For example, the checksum  calcu-
		     lation in a application developed with Kerberos V5 Beta 4 API is different from the calculation in a Kerberos V5-1.0 applica-
		     tion.

	      Authorization based on Kerberos V5 must succeed or access
		     will be rejected (see sis(5) for details on authorization).

	      Authentication based on privileged port numbers and
		     authorization of the remote user through equivalent accounts must succeed.  For more information on equivalent accounts,  see
		     hosts.equiv(4).

	      Either one of the following must succeed.  The order in which, the
		     authorization checks are done is as specified below.

		     1.     Authentication  based on privileged port numbers and authorization of the remote user through equivalent accounts (see
			    hosts.equiv(4)).

		     2.     Authorization based on Kerberos V5.

	      Either one of the following must succeed.  The order in which, the
		     authorization checks are done is as specified below.

		     1.     Authorization based on Kerberos V5.

		     2.     Authentication based on privileged port numbers and authorization of the remote user through equivalent accounts.

		     Note: The option is ignored when used with and the option is ignored when used with Also, if no options  are  specified,  the
		     default option is

   Operation
       When a service request is received, the following protocol is initiated by

	      1.     checks  the  client's  source  port.  If the port is not in a privileged port, that is, in the range 512 through 1023, and is
		     operating in a non-secure environment, the connection is terminated.  In a secure environment, the action	taken  depends	on
		     the command line options:

		     The source port must be a privileged port otherwise
			    terminates the connection.

		     If the source port is not a privileged port then
			    Kerberos authorization must succeed or the connection is terminated.

		     The source port must be a privileged port if
			    Kerberos authorization fails.

		     No action is taken.

	      2.     checks  the  client's  source address and requests the corresponding host name (see gethostent(3N), hosts(4), and named(1M)).
		     If it cannot determine the hostname, it uses the Internet dot-notation representation of the host address.

	      3.     in a secure environment, proceeds with the Kerberos authentication process described in sis(5).  If authentication  succeeds,
		     then the authorization selected by the command line option or is performed.  The authorization selected could be as specified
		     in or Kerberos authorization as specified in sis(5).

	      4.     then allocates a STREAMS based pseudo-terminal (see ptm(7) and pts(7)), and manipulates file descriptors so  that	the  slave
		     half of the pseudo-terminal becomes and for a login process.

	      5.     This  login  process is an instance of invoked with the option if authentication has succeeded.  In a non-secure environment,
		     if automatic authentication fails, prompts the user with the normal login sequence.  In a secure environment, if  authentica-
		     tion fails, generates an error message and quits.

       The  process  manipulates  the  master  side  of the pseudo-terminal, operating as an intermediary between the login process and the client
       instance of the program.  The protocol described in ptm(7) and pts(7) is used to enable and disable flow control  via  Ctrl-S/Ctrl-Q  under
       the  direction  of the program running on the slave side of the pseudo-terminal, and to flush terminal output in response to interrupt sig-
       nals.  The login process sets the baud rate and environment variable to correspond to the client's baud rate and terminal type  (see  envi-
       ron(5)).

       Transport-level keepalive messages are enabled unless the option is present.  The use of keepalive messages allows sessions to be timed out
       if the client crashes or becomes unreachable.

EXTERNAL INFLUENCES
   International Code Set Support
       Single and multibyte character code sets are supported.

DIAGNOSTICS
       Errors in establishing a connection cause an error message to be returned with a leading byte of 1 through  the	socket	connection,  after
       which  the  network connection is closed.  Any errors generated by the login process or its descendents are passed through by the server as
       normal communication.

	      The server was unable to fork a process to handle the incoming connection.

		     Wait a period of time and try again.  If this message persists, the server's host may have runaway processes that	are  using
		     all the entries in the process table.

	      The server was unable to obtain a pseudo-terminal
		     for  use  with  the  login process.  Either all pseudo-terminals were in use, or the pty driver has not been properly set up.
		     Note that the number of slave devices that can be allocated depends on NSTRPTY, a kernel  tunable	parameter.   This  can	be
		     changed via HP SMH (replacement for SAM); see ptm(7) and pts(7).

		     Check the pty configuration of the host where executes.

	      The server denied access because the client was not using a reserved port.
		     This should only happen to interlopers trying to break into the system.

	      The login program could not be started via
		     for the reason indicated.

		     Try to correct the condition causing the problem.	If this message persists, contact your system administrator.

	      This generic message could be due to a number of reasons. One of the
		     reasons  could  be because the entry for login service is not present in This entry may have been removed or commented out to
		     prevent non-secure access.

       Kerberos specific errors are listed in sis(5).

WARNINGS
       The integrity of each host and the connecting medium is assumed if the "privileged port" authentication procedure is used in  a	non-secure
       environment or if the command line options are used in a secure environment.  Although both these methods provide insecure access, they are
       useful in an "open" environment.  This is insecure, but is useful in an "open" environment.

       Note that all the information, including any passwords, are passed unencrypted between the two hosts when is invoked in a non-secure  envi-
       ronment.

AUTHOR
       was developed by the University of California, Berkeley.

FILES
       List of equivalent hosts
       User's private equivalence list

SEE ALSO
       login(1),  rlogin(1),  inetd(1M), named(1M), gethostent(3N), ruserok(3N), hosts(4), hosts.equiv(4), inetd.conf(4), services(4), environ(5),
       sis(5), pty(7).

																       rlogind(1M)