RLOGIND(8)		  BSD System Manager's Manual		    RLOGIND(8)

     rlogind -- remote login server

     rlogind [-alnL]

     rlogind is the server for the rlogin(1) program.  The server provides a
     remote login facility with authentication based on privileged port
     numbers from trusted hosts.

     Options supported by rlogind:

     -a      Ask hostname for verification.

     -l      Prevent any authentication based on the user's ".rhosts" file,
             unless the user is logging in as the superuser.

     -n      Disable keep-alive messages.

     -L      Log all successful accesses to syslogd(8) as messages.

     rlogind listens for service requests at the port indicated in the
     ``login'' service specification; see services(5).  When a service request
     is received the following protocol is initiated:

     1.   The server checks the client's source port.  If the port is not in
          the range 512-1023, the server aborts the connection.

     2.   The server checks the client's source address and requests the
          corresponding host name (see getnameinfo(3), hosts(5) and named(8)).
          If the hostname cannot be determined, the dot-notation
          representation of the host address is used.  If the hostname is in
          the same domain as the server (according to the last two components
          of the domain name), or if the -a option is given, the addresses for
          the hostname are requested, verifying that the name and address
          correspond.  Normal authentication is bypassed if the address
          verification fails.
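
     The checks in steps 1 and 2, together with the IPv4-mapped rejection
     noted at the end of this page, as an added C example (not rlogind's own
     source).  classify_peer, classify_text and the verdict names are
     hypothetical, host names are assumed to carry no trailing dot, and
     placing the mapped-address check after the port check is an assumption.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>

enum verdict { REJECT_FAMILY, REJECT_PORT, REJECT_V4MAPPED, VERIFY_ADDR, SKIP_VERIFY };

/* Last two dot-separated components of a host name (no trailing dot assumed). */
static const char *last_two(const char *name)
{
    int dots = 0;
    for (const char *p = name + strlen(name); p > name; p--)
        if (p[-1] == '.' && ++dots == 2)
            return p;
    return name;
}

/* Hypothetical helper: the checks the server makes before authentication. */
enum verdict classify_peer(const struct sockaddr *sa, const char *peer_name,
                           const char *local_name, int opt_a)
{
    const struct sockaddr_in6 *s6 = (const void *)sa;
    const struct sockaddr_in *s4 = (const void *)sa;
    unsigned port;

    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
        return REJECT_FAMILY;
    port = ntohs(sa->sa_family == AF_INET ? s4->sin_port : s6->sin6_port);
    if (port < 512 || port > 1023)          /* step 1: source port range */
        return REJECT_PORT;
    if (sa->sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return REJECT_V4MAPPED;             /* ::ffff:a.b.c.d over AF_INET6 */
    if (opt_a || strcasecmp(last_two(peer_name), last_two(local_name)) == 0)
        return VERIFY_ADDR;                 /* step 2: name/address must match */
    return SKIP_VERIFY;
}

/* Build a constructed peer address from text and classify it. */
enum verdict classify_text(const char *ip, unsigned port, const char *peer_name,
                           const char *local_name, int opt_a)
{
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET6, ip, &s6.sin6_addr) == 1)
        return classify_peer((struct sockaddr *)&s6, peer_name, local_name, opt_a);
    if (inet_pton(AF_INET, ip, &s4.sin_addr) == 1)
        return classify_peer((struct sockaddr *)&s4, peer_name, local_name, opt_a);
    return REJECT_FAMILY;
}
```

     VERIFY_ADDR means the caller still has to resolve the name with
     getaddrinfo(3) and compare the results against the peer address.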

     Once the source port and address have been checked, rlogind proceeds with
     the authentication process described in rshd(8).  It then allocates a
     pseudo terminal (see pty(4)), and manipulates file descriptors so that
     the slave half of the pseudo terminal becomes the stdin, stdout, and
     stderr for a login process.  The login process is an instance of the
     login(1) program, invoked with the -f option if authentication has
     succeeded.  If automatic authentication fails, the user is prompted to
     log in as if on a standard terminal line.

     The parent of the login process manipulates the master side of the pseudo
     terminal, operating as an intermediary between the login process and the
     client instance of the rlogin(1) program.  In normal operation, the
     packet protocol described in pty(4) is invoked to provide `^S/^Q' type
     facilities and propagate interrupt signals to the remote programs.  The
     login process propagates the client terminal's baud rate and terminal
     type, as found in the environment variable, `TERM'; see environ(7).  The
     screen or window size of the terminal is requested from the client, and
     window size changes from the client are propagated to the pseudo termi-

     Transport-level keepalive messages are enabled unless the -n option is
     present.  The use of keepalive messages allows sessions to be timed out
     if the client crashes or becomes unreachable.

     At the end of a login session, rlogind invokes the ttyaction(3) facility
     with an action of "rlogind" and user "root" to execute site-specific com-

     All initial diagnostic messages are indicated by a leading byte with a
     value of 1, after which any network connections are closed.  If there are
     no errors before login(1) is invoked, a null byte is returned as an
     indication of success.

     Try again.
             A fork(2) by the server failed.

     login(1), ruserok(3), ttyaction(3), rshd(8)

     The rlogind command appeared in 4.2BSD.

     The authentication procedure used here assumes the integrity of each
     client machine and the connecting medium.  This is insecure, but is
     useful in an ``open'' environment.

     A facility to allow all data exchanges to be encrypted should be present.

     A more extensible protocol should be used.

     rlogind intentionally rejects accesses from IPv4 mapped addresses on top
     of an AF_INET6 socket, since IPv4 mapped addresses complicate
     host-address based authentication.  If you would like to accept
     connections from IPv4 peers, you will need to run rlogind on top of an
     AF_INET socket, not AF_INET6

BSD				 July 17, 2004				   BSD

