2 .\" Copyright 1989 AT&T
3 .\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH IN.RLOGIND 1M "Nov 10, 2005"
9 in.rlogind, rlogind \- remote login server
13 \fB/usr/sbin/in.rlogind\fR [\fB-k5eExXciPp\fR] [\fB-s\fR \fItos\fR] [\fB-S\fR \fIkeytab\fR]
14 [\fB-M\fR \fIrealm\fR]
20 \fBin.rlogind\fR is the server for the \fBrlogin\fR(1) program. The server
21 provides a remote login facility with authentication based on Kerberos V5 or
22 privileged port numbers.
25 \fBin.rlogind\fR is invoked by \fBinetd\fR(1M) when a remote login connection
26 is established. When Kerberos V5 authentication is required (see option
27 \fB-k\fR below), the authentication sequence is as follows:
32 Check Kerberos V5 authentication.
38 Check authorization according to the rules in \fBkrb5_auth_rules\fR(5).
44 Prompt for a password if any checks fail and \fB/etc/pam.conf\fR is configured
49 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR
50 Kerberos principal must exist for each Fully Qualified Domain Name associated
51 with the \fBin.rlogind\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR
52 principals must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR
53 file on the \fBin.rlogind\fR server. An example principal might be:
56 \fBhost/bigmachine.eng.example.com\fR
59 See \fBkadmin\fR(1M) or \fBgkadmin\fR(1M) for instructions on adding a
60 principal to a \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
64 If Kerberos V5 authentication is not enabled, then the authentication procedure
65 follows the standard \fBrlogin\fR protocol:
70 The server checks the client's source port. If the port is not in the range
71 512-1023, the server aborts the connection.
77 The server checks the client's source address. If an entry for the client
78 exists in both \fB/etc/hosts\fR and \fB/etc/hosts.equiv\fR, a user logging in
79 from the client is not prompted for a password. If the address is associated
80 with a host for which no corresponding entry exists in \fB/etc/hosts\fR, the
81 user is prompted for a password, regardless of whether or not an entry for the
82 client is present in \fB/etc/hosts.equiv\fR. See \fBhosts\fR(4) and
87 Once the source port and address have been checked, \fBin.rlogind\fR allocates
88 a pseudo-terminal and manipulates file descriptors so that the slave half of
89 the pseudo-terminal becomes the \fBstdin\fR, \fBstdout\fR, and \fBstderr\fR for
90 a login process. The login process is an instance of the \fBlogin\fR(1)
91 program, invoked with the \fB-r\fR.
94 The login process then proceeds with the \fBpam\fR(3PAM) authentication
95 process. See \fBSECURITY\fR below. If automatic authentication fails, it
96 reprompts the user to login.
99 The parent of the login process manipulates the master side of the
100 pseudo-terminal, operating as an intermediary between the login process and the
101 client instance of the \fBrlogin\fR program. In normal operation, a packet
102 protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities and propagate
103 interrupt signals to the remote programs. The login process propagates the
104 client terminal's baud rate and terminal type, as found in the environment
105 variable, \fBTERM\fR.
109 The following options are supported:
116 Same as \fB-k\fR, for backwards compatibility.
125 Requires Kerberos V5 clients to present a cryptographic checksum of initial
126 connection information like the name of the user that the client is trying to
127 access in the initial authenticator. This checksum provides additionl security
128 by preventing an attacker from changing the initial connection information.
129 This option is mutually exclusive with the \fB-i\fR option.
138 Creates an encrypted session.
147 Same as \fB-e\fR, for backwards compatibility.
156 Ignores authenticator checksums if provided. This option ignores authenticator
157 checksums presented by current Kerberos clients to protect initial connection
158 information. Option \fB-i\fR is the opposite of option \fB-c\fR.
167 Allows Kerberos V5 authentication with the \fB\&.k5login\fR access control file
168 to be trusted. If this authentication system is used by the client and the
169 authorization check is passed, then the user is allowed to log in.
175 \fB\fB-M\fR \fIrealm\fR\fR
178 Uses the indicated Kerberos V5 realm. By default, the daemon will determine its
179 realm from the settings in the \fBkrb5.conf\fR(4) file.
188 Prompts for authentication only if other authentication checks fail.
197 Prompts for a password in addition to other authentication methods.
203 \fB\fB-s\fR \fItos\fR\fR
206 Sets the \fBIP\fR \fBTOS\fR option.
212 \fB\fB-S\fR \fIkeytab\fR\fR
215 Sets the \fBKRB5\fR keytab file to use. The\fB/etc/krb5/krb5.keytab\fR file is
225 Same as \fB-e\fR, for backwards compatibility.
234 Same as \fB-e\fR, for backwards compatibility.
240 \fBrlogind\fR and \fBin.rlogind\fR are IPv6-enabled. See \fBip6\fR(7P).
241 \fBIPv6\fR is not currently supported with Kerberos V5 authentication.
244 Typically, Kerberized \fBrlogin\fR service runs on port 543 (klogin) and
245 Kerberized, encrypted \fBrlogin\fR service runs on port 2105 (eklogin). The
246 corresponding FMRI entries are:
250 svc:/network/login:klogin (rlogin with kerberos)
251 svc:/network/login:eklogin (rlogin with kerberos and encryption)
259 \fBin.rlogind\fR uses \fBpam\fR(3PAM) for authentication, account management,
260 and session management. The \fBPAM\fR configuration policy, listed through
261 \fB/etc/pam.conf\fR, specifies the modules to be used for \fBin.rlogind\fR.
262 Here is a partial \fBpam.conf\fR file with entries for the \fBrlogin\fR command
263 using the "rhosts" and UNIX authentication modules, and the UNIX account,
264 session management, and password management modules.
271 rlogin auth sufficient pam_rhosts_auth.so.1
272 rlogin auth requisite pam_authtok_get.so.1
273 rlogin auth required pam_dhkeys.so.1
274 rlogin auth required pam_unix_auth.so.1
276 rlogin account required pam_unix_roles.so.1
277 rlogin account required pam_unix_projects.so.1
278 rlogin account required pam_unix_account.so.1
280 rlogin session required pam_unix_session.so.1
285 With this configuration, the server checks the client's source address. If an
286 entry for the client exists in both \fB/etc/hosts\fR and
287 \fB/etc/hosts.equiv\fR, a user logging in from the client is not prompted for a
288 password. If the address is associated with a host for which no corresponding
289 entry exists in \fB/etc/hosts\fR, the user is prompted for a password,
290 regardless of whether or not an entry for the client is present in
291 \fB/etc/hosts.equiv\fR. See \fBhosts\fR(4) and \fBhosts.equiv\fR(4).
294 When running a Kerberized rlogin service (with or without the encryption
295 option), the pam service name that should be used is "\fBkrlogin\fR".
298 If there are no entries for the \fBrlogin\fR service, then the entries for the
299 "other" service will be used. If multiple authentication modules are listed,
300 then the user may be prompted for multiple passwords. Removing the
301 \fBpam_rhosts_auth.so.1\fR entry will disable the \fB/etc/hosts.equiv\fR and
302 \fB~/.rhosts\fR authentication protocol and the user would always be forced to
303 type the password. The \fIsufficient\fR flag indicates that authentication
304 through the \fBpam_rhosts_auth.so.1\fR module is sufficient to authenticate the
305 user. Only if this authentication fails is the next authentication module used.
309 \fBlogin\fR(1), \fBsvcs\fR(1), \fBrlogin\fR(1), \fBgkadmin\fR(1M),
310 \fBin.rshd\fR(1M), \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBkadmin\fR(1M),
311 \fBsvcadm\fR(1M), \fBpam\fR(3PAM), \fBhosts\fR(4), \fBhosts.equiv\fR(4),
312 \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBattributes\fR(5), \fBenviron\fR(5),
313 \fBkrb5_auth_rules\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
314 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
315 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5),
323 All diagnostic messages are returned on the connection associated with the
324 \fBstderr\fR, after which any network connections are closed. An error is
325 indicated by a leading byte with a value of 1.
329 \fB\fBHostname for your address unknown.\fR\fR
333 No entry in the host name database existed for the client's machine.
339 \fB\fBTry again.\fR\fR
343 A \fIfork\fR by the server failed.
349 \fB\fB/usr/bin/sh:\fR .\|.\|.\fR
353 The user's login shell could not be started.
359 The authentication procedure used here assumes the integrity of each client
360 machine and the connecting medium. This is insecure, but it is useful in an
361 ``open'' environment.
364 A facility to allow all data exchanges to be encrypted should be present.
367 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
368 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
369 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
370 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
371 \fBpam_unix_session\fR(5).
374 The \fBin.rlogind\fR service is managed by the service management facility,
375 \fBsmf\fR(5), under the service identifier:
379 svc:/network/login:rlogin (rlogin)
380 svc:/network/login:klogin (rlogin with kerberos)
381 svc:/network/login:eklogin (rlogin with kerberos and encryption)
388 Administrative actions on this service, such as enabling, disabling, or
389 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for
390 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use
391 \fBinetadm\fR(1M) to make configuration changes and to view configuration
392 information for this service. The service's status can be queried using the
393 \fBsvcs\fR(1) command.