
rlogind(8sec)

Remote login server

Synopsis

rlogind [-aknx]

Options

-k
Allow Kerberos V5 with the .k5login access control file to be trusted. If this authentication system is used by the client and the authorization check passes, the user is allowed to log in.

-n
Disable keep-alive messages.

-x
Create an encrypted session. This option is subject to export control.

Description

The rlogind server is the server for the rlogin(8sec) program. It is based on rlogind(8sec), but uses Kerberos authentication. rlogind is configured by command line arguments passed by inetd.

The rlogind server is invoked by inetd(8c) when inetd receives a connection on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf configuration line for rlogind might be as follows:

klogin stream tcp nowait root /opt/dcelocal/etc/rlogind rlogind -k

To deny non-Kerberos (non-secure) access, comment out the entry for login in /etc/inetd.conf.
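The following is an added example, not part of the original manual page: a shell function that checks an inetd.conf-style file for an active login entry and for a klogin entry that starts rlogind without -k. The names audit_inetd and sample_conf, the sample file, and the placeholder path /path/to/rlogind are assumptions for illustration; reporting a missing -k as a finding is this example's own choice.

```shell
#!/bin/sh
# audit_inetd FILE: report rlogin-related findings in an inetd.conf-style file.
# Returns 0 when nothing is wrong, 1 when at least one finding is printed.
audit_inetd() {
    awk '
        BEGIN { bad = 0; seen = 0 }
        /^[ \t]*#/ || NF == 0 { next }       # commented-out or blank line
        $1 == "login" {                      # non-Kerberos rlogin service
            printf "line %d: login entry is active; comment it out\n", NR
            bad = 1
        }
        $1 == "klogin" {
            seen = 1
            # Fields: service socket proto wait user program argv0 args...
            has_k = 0
            for (i = 8; i <= NF; i++)
                if ($i ~ /^-[a-z]*k[a-z]*$/) has_k = 1
            if (!has_k) {
                printf "line %d: klogin entry starts rlogind without -k\n", NR
                bad = 1
            }
        }
        END {
            # Informational only: no Kerberos rlogin service is offered.
            if (!seen) print "note: no active klogin entry found"
            exit bad
        }
    ' "$1"
}

# Constructed sample: the klogin line from this page plus a login entry
# that was left enabled. /path/to/rlogind is a placeholder path.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
login  stream tcp nowait root /path/to/rlogind rlogind
klogin stream tcp nowait root /opt/dcelocal/etc/rlogind rlogind -k
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_inetd "$tmp" || echo "findings reported for the sample file"
rm -f "$tmp"
```

inetd must be told to reread its configuration after /etc/inetd.conf is edited before the result of a clean audit reflects the running services.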

When rlogind receives a service request, it first checks Kerberos authentication and then checks authorization via the access-control file .k5login in the user's home directory. If authentication and authorization succeed, rlogind:

· Allocates a pseudo terminal (see pty(4))

· Manipulates file descriptors so that the slave half of the pseudo terminal becomes the stdin, stdout, and stderr for a login process

· Invokes the login(1) program with the -f option

If automatic authentication fails, the user is prompted to log in as if on a standard terminal line.

If ticket forwarding is requested by the rlogin client, k5dcelogin(8sec) is invoked by rlogind to promote the forwarded Kerberos credentials to DCE credentials. The login process is then invoked by k5dcelogin.

The parent of the login process manipulates the master side of the pseudo terminal, operating as an intermediary between the login process and the client instance of the rlogin program.

In normal operation, the packet protocol described in pty(4) is invoked to provide ^S/^Q type facilities and to propagate interrupt signals to the remote programs. The login process propagates the client terminal baud rate and terminal type (found in the environment variable, TERM). See environ(7). The screen or window size of the terminal is requested from the client, and the window size changes from the client are propagated to the pseudo terminal.

Transport-level keepalive messages are enabled unless the -n option is specified. The use of keepalive messages allows sessions to be timed out if the client crashes or becomes unreachable.

Diagnostics

All initial diagnostic messages are indicated by a leading byte with a value of 1, after which any network connections are closed. If there are no errors before login is invoked, a null byte is returned to indicate success.

Try again
A fork by the server failed.

fork: No more processes..
The server was unable to fork a process to handle the incoming connection.

Wait a period of time and try again. If this message persists, the server's host may have runaway processes that are using all the entries in the process table.

Out of ptys
The server was unable to obtain a pseudo-terminal for use with the login process. Either all pseudo-terminals were in use or the pty driver has not been properly set up.

Check the pty configuration of the host where rlogind executes.

Permission denied
The server denied access because the client was not using a reserved port. This should only happen to interlopers trying to break into the system.

system call: cause_of_failure
An error in executing a system call. A message specifying the cause of the failure is appended to this error.

/usr/bin/login: reason
The login program could not be started via exec(2) for the reason indicated.

Try to correct the condition causing the problem. If this message persists, contact your system administrator.

rcmd: connect : hostname: Connection refused.
This generic message could be due to a number of reasons. One of the reasons is that the entry for login is not present in /etc/inetd.conf. The entry may have been removed or commented out to prevent non-secure access.

Kerberos authentication failed
An error occurred during Kerberos authentication. The Kerberos-specific error message will be appended to the error message.

User remote username is not authorized to login to account local username
An error occurred during Kerberos authorization. The Kerberos-specific error message will be appended to the error message.

Related Information

Commands:

rlogind(8sec)

rlogin(8sec)

Files: .k5login