
FreeBSD Manual Pages


KLOGIND(8)                  System Manager's Manual                  KLOGIND(8)

NAME
       klogind - remote login server

SYNOPSIS
       klogind [ -rcpPef ] [ -w[ip|maxhostlen[,[no]striplocal]] ] [ -D port ]
       [ -L loginpath ]

DESCRIPTION
       Klogind is the server for the rlogin(1) program.  The server is based
       on rlogind(8) but uses Kerberos authentication.

       The klogind server is invoked by inetd(8) when it receives a connection
       on the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
       configuration line for klogind might be:

       klogin stream tcp nowait root /usr/local/sbin/klogind klogind -e5c

       When a service request is received, the following protocol is initiated:

       1)     Check authentication.

       2)     Check authorization via the access-control files .k5login and
              .klogin in the user's home directory.

       3)     Prompt for password if any checks fail and the -p option was
              passed.

       If the authentication succeeds, log the user in by calling the
       accompanying login.krb5.

       klogind allows Kerberos V5 authentication with the .k5login access
       control file to be trusted.  If this authorization check is passed, then
       the user is allowed to log in.  If the user has no .k5login file, the
       login will be authorized if the result of the krb5_aname_to_localname
       conversion matches the account name.  Unless special rules are
       configured, this will be true if and only if the Kerberos principal of
       the connecting user is in the default local realm and the principal
       portion matches the account name.
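       The authorization decision described above, written out as an added
       example (not code from the klogind man page or the Kerberos sources):
       a .k5login file, when present, is the only thing consulted; without
       one, the default principal-to-account rule applies.  The principal
       parser assumes no escaped '@' characters, and the .k5login format is
       taken as one principal per line with blank lines ignored.

```python
# Added example, not part of the klogind man page or the MIT Kerberos sources.
from typing import Optional, Tuple


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'name[/instance...]@REALM' into (principal portion, realm).
    Assumption: the principal contains no escaped '@' characters."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name, realm


def default_local_name_matches(principal: str, account: str, default_realm: str) -> bool:
    """The default krb5_aname_to_localname rule as the man page states it:
    the principal must be in the default local realm and its whole principal
    portion must equal the account name, so 'alice/admin' does not match 'alice'."""
    name, realm = parse_principal(principal)
    return realm == default_realm and name == account


def k5login_allows(principal: str, k5login_text: str) -> bool:
    """.k5login lists one principal per line; an exact match is required.
    Assumption: blank lines are ignored and nothing else is special."""
    allowed = {line.strip() for line in k5login_text.splitlines() if line.strip()}
    return principal in allowed


def authorize(principal: str, account: str, default_realm: str,
              k5login_text: Optional[str] = None) -> bool:
    """Return True if the authenticated principal may log in as account.
    k5login_text is the content of ~account/.k5login, or None when the user
    has no such file, in which case the default conversion rule decides."""
    if k5login_text is not None:
        return k5login_allows(principal, k5login_text)
    return default_local_name_matches(principal, account, default_realm)


if __name__ == "__main__":
    # Constructed sample cases: the same account with and without a .k5login file.
    print(authorize("alice@EXAMPLE.COM", "alice", "EXAMPLE.COM"))            # True
    print(authorize("alice/admin@EXAMPLE.COM", "alice", "EXAMPLE.COM"))      # False
    print(authorize("bob@EXAMPLE.COM", "alice", "EXAMPLE.COM", "bob@EXAMPLE.COM\n"))  # True
```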

       The configuration of klogind is done by command line arguments passed
       by inetd.  The options are:

       -P     Prompt the user for a password.  If the -P option is passed,
              then the password is verified in addition to all other checks.

       -e     Create an encrypted session.

       -c     Require Kerberos V5 clients to present a cryptographic checksum
              of initial connection information, like the name of the user
              that the client is trying to access, in the initial
              authenticator.  This checksum provides additional security by
              preventing an attacker from changing the initial connection
              information.  If this option is specified, older Kerberos V5
              clients that do not send a checksum in the authenticator will
              not be able to authenticate to this server.  This option is
              mutually exclusive with the -i option.

              If neither the -c nor the -i option is specified, then checksums
              are validated if presented.  Since it is difficult to remove a
              checksum from an authenticator without making the authenticator
              invalid, this default mode is almost as significant a security
              improvement as -c if new clients are used.  It has the
              additional advantage of backwards compatibility with some
              clients.  Unfortunately, clients before Kerberos V5, Beta5,
              generate invalid checksums; if these clients are used, the -i
              option must be used.

       -i     Ignore authenticator checksums if provided.  This option ignores
              authenticator checksums presented by current Kerberos clients to
              protect initial connection information; it is the opposite of
              -c.  This option is provided because some older clients --
              particularly clients predating the release of Kerberos V5 Beta5
              (May 1995) -- present bogus checksums that prevent Kerberos
              authentication from succeeding in the default mode.

       The parent of the login process manipulates the master side of the
       pseudo terminal, operating as an intermediary between the login process
       and the client instance of the rlogin(1) program.  In normal operation,
       the packet protocol described in pty(4) is invoked to provide ^S/^Q
       type facilities and propagate interrupt signals to the remote programs.
       The login process propagates the client terminal's baud rate and
       terminal type, as found in the environment variable ``TERM''; see
       environ(7).  The screen or window size of the terminal is requested
       from the client, and window size changes from the client are propagated
       to the pseudo terminal.

       Klogind supports the following options to control the form of the
       hostname passed to login(1):

       -w [ip|maxhostlen[,[no]striplocal]]
              Controls the form of the remote hostname passed to login(1).
              Specifying ip results in the numeric IP address always being
              passed to login(1).  Specifying a number, maxhostlen, sets the
              maximum length of the hostname passed to login(1) before it will
              be passed as a numeric IP address.  If maxhostlen is 0, then the
              system default, as determined by the utmp or utmpx structures,
              is used.  The nostriplocal and striplocal options, which must be
              preceded by a comma, control whether or not the local host
              domain is stripped from the remote hostname.  By default, the
              equivalent of striplocal is in effect.
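       The -w semantics above, applied to a constructed remote host, as an
       added example that is not code from klogind itself.  The order of
       operations (strip the local domain first, then compare the length
       against maxhostlen) and the system_default_len parameter standing in
       for the utmp/utmpx limit are assumptions.

```python
# Added example, not from the klogind sources: the -w option's hostname rules.
from typing import Optional, Tuple


def parse_w_spec(spec: str) -> Tuple[bool, Optional[int], bool]:
    """Parse 'ip' or 'maxhostlen', optionally followed by ',striplocal' or
    ',nostriplocal'.  Returns (use_ip, maxhostlen, striplocal); striplocal
    defaults to True, as the man page says."""
    parts = spec.split(",")
    form, flags = parts[0].strip(), [p.strip() for p in parts[1:]]
    striplocal = True
    for flag in flags:
        if flag == "striplocal":
            striplocal = True
        elif flag == "nostriplocal":
            striplocal = False
        else:
            raise ValueError(f"unknown -w modifier: {flag!r}")
    if form == "ip":
        return True, None, striplocal
    maxhostlen = int(form)  # anything that is neither 'ip' nor a number is rejected
    if maxhostlen < 0:
        raise ValueError("maxhostlen must be non-negative")
    return False, maxhostlen, striplocal


def hostname_for_login(remote_host: str, remote_ip: str, spec: str,
                       local_domain: str, system_default_len: int) -> str:
    """What would be passed to login(1) for this client under a given -w spec.
    Assumption: the local domain is stripped before the length limit applies,
    and system_default_len models the utmp/utmpx field size used when
    maxhostlen is 0."""
    use_ip, maxhostlen, striplocal = parse_w_spec(spec)
    if use_ip:
        return remote_ip
    host = remote_host
    suffix = "." + local_domain
    if striplocal and host.lower().endswith(suffix.lower()):
        host = host[: -len(suffix)]
    limit = system_default_len if maxhostlen == 0 else maxhostlen
    return host if len(host) <= limit else remote_ip


if __name__ == "__main__":
    # Constructed client: host.example.com at 192.0.2.10, local domain example.com.
    for spec in ("ip", "8", "8,nostriplocal", "0,nostriplocal"):
        print(spec, "->", hostname_for_login("host.example.com", "192.0.2.10",
                                             spec, "example.com", 16))
```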

       Klogind supports five options which are used for testing purposes:

       -S keytab
                 Set the keytab file to use.

       -M realm  Set the Kerberos realm to use.

       -L loginpath
                 Specify the pathname of an alternative login program.
                 Default: /usr/bin/login.  KRB5_HOME/sbin/login.krb5 may be
                 specified.

       -D port   Run in standalone mode, listening on port.  The daemon will
                 exit after one connection and will not background itself.

       -f        Allows for standalone daemon operation.  A new child is
                 started for each incoming connection and waits for it to
                 finish before accepting the next connection.  This
                 automagically figures out which port to bind to if no port
                 is specified.

DIAGNOSTICS
       All diagnostic messages are returned on the connection associated with
       the stderr, after which any network connections are closed.  An error
       is indicated by a leading byte with a value of 1.

       ``Try again.''
       A fork by the server failed.

       ``/bin/sh: ...''
       The user's login shell could not be started.

SEE ALSO
       rlogind(8), rlogin(1)

BUGS
       A more extensible protocol should be used.


