42
43
44 If Kerberos V5 authentication is not enabled, then the authentication
45 procedure follows the standard rlogin protocol:
46
47 o The server checks the client's source port. If the port is
48 not in the range 512-1023, the server aborts the connection.
49
50 o The server checks the client's source address. If an entry
51 for the client exists in both /etc/hosts and
52 /etc/hosts.equiv, a user logging in from the client is not
53 prompted for a password. If the address is associated with a
54 host for which no corresponding entry exists in /etc/hosts,
55 the user is prompted for a password, regardless of whether
56 or not an entry for the client is present in
57 /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).
58
59
60 Once the source port and address have been checked, in.rlogind
61 allocates a pseudo-terminal and manipulates file descriptors so that
62 the slave half of the pseudo-terminal becomes the stdin, stdout, and
63 stderr for a login process. The login process is an instance of the
64 login(1) program, invoked with the -r.
65
66
67 The login process then proceeds with the pam(3PAM) authentication
68 process. See SECURITY below. If automatic authentication fails, it
69 reprompts the user to login.
70
71
72 The parent of the login process manipulates the master side of the
73 pseudo-terminal, operating as an intermediary between the login process
74 and the client instance of the rlogin program. In normal operation, a
75 packet protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities
76 and propagate interrupt signals to the remote programs. The login
77 process propagates the client terminal's baud rate and terminal type,
78 as found in the environment variable, TERM.
79
80 OPTIONS
81 The following options are supported:
82
83 -5
84 Same as -k, for backwards compatibility.
85
86
87 -c
88 Requires Kerberos V5 clients to present a cryptographic
89 checksum of initial connection information like the name
90 of the user that the client is trying to access in the
91 initial authenticator. This checksum provides additionl
92 security by preventing an attacker from changing the
258 pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).
259
260
261 The in.rlogind service is managed by the service management facility,
262 smf(5), under the service identifier:
263
264 svc:/network/login:rlogin (rlogin)
265 svc:/network/login:klogin (rlogin with kerberos)
266 svc:/network/login:eklogin (rlogin with kerberos and encryption)
267
268
269
270
271 Administrative actions on this service, such as enabling, disabling, or
272 requesting restart, can be performed using svcadm(1M). Responsibility
273 for initiating and restarting this service is delegated to inetd(1M).
274 Use inetadm(1M) to make configuration changes and to view configuration
275 information for this service. The service's status can be queried using
276 the svcs(1) command.
277
278 June 20, 2021 IN.RLOGIND(1M)
|
42
43
44 If Kerberos V5 authentication is not enabled, then the authentication
45 procedure follows the standard rlogin protocol:
46
47 o The server checks the client's source port. If the port is
48 not in the range 512-1023, the server aborts the connection.
49
50 o The server checks the client's source address. If an entry
51 for the client exists in both /etc/hosts and
52 /etc/hosts.equiv, a user logging in from the client is not
53 prompted for a password. If the address is associated with a
54 host for which no corresponding entry exists in /etc/hosts,
55 the user is prompted for a password, regardless of whether
56 or not an entry for the client is present in
57 /etc/hosts.equiv. See hosts(4) and hosts.equiv(4).
58
59
60 Once the source port and address have been checked, in.rlogind
61 allocates a pseudo-terminal and manipulates file descriptors so that
62 the subsidiary half of the pseudo-terminal becomes the stdin, stdout,
63 and stderr for a login process. The login process is an instance of
64 the login(1) program, invoked with the -r.
65
66
67 The login process then proceeds with the pam(3PAM) authentication
68 process. See SECURITY below. If automatic authentication fails, it
69 reprompts the user to login.
70
71
72 The parent of the login process manipulates the manager side of the
73 pseudo-terminal, operating as an intermediary between the login process
74 and the client instance of the rlogin program. In normal operation, a
75 packet protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities
76 and propagate interrupt signals to the remote programs. The login
77 process propagates the client terminal's baud rate and terminal type,
78 as found in the environment variable, TERM.
79
80 OPTIONS
81 The following options are supported:
82
83 -5
84 Same as -k, for backwards compatibility.
85
86
87 -c
88 Requires Kerberos V5 clients to present a cryptographic
89 checksum of initial connection information like the name
90 of the user that the client is trying to access in the
91 initial authenticator. This checksum provides additionl
92 security by preventing an attacker from changing the
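Review bot: The pseudo-terminal wording is only half aligned in the new text: line 62 reads "subsidiary half" while line 72 reads "manager side", so the two ends of the same device are described with different nouns ("half" vs "side"); use one noun for both. Two carried-over defects in the same region are worth fixing while these paragraphs are open: line 64 ends "invoked with the -r." with no noun after the flag (presumably "the -r option"), and line 91 still has "additionl" for "additional".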
258 pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).
259
260
261 The in.rlogind service is managed by the service management facility,
262 smf(5), under the service identifier:
263
264 svc:/network/login:rlogin (rlogin)
265 svc:/network/login:klogin (rlogin with kerberos)
266 svc:/network/login:eklogin (rlogin with kerberos and encryption)
267
268
269
270
271 Administrative actions on this service, such as enabling, disabling, or
272 requesting restart, can be performed using svcadm(1M). Responsibility
273 for initiating and restarting this service is delegated to inetd(1M).
274 Use inetadm(1M) to make configuration changes and to view configuration
275 information for this service. The service's status can be queried using
276 the svcs(1) command.
277
278 February 5, 2022 IN.RLOGIND(1M)
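Review bot: In the service list at lines 265-266 the descriptions write "kerberos" in lowercase, whereas the OPTIONS text at line 88 writes "Kerberos V5"; since the date on line 278 is being bumped for this revision anyway, capitalize the name here for consistency.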