14249 pseudo-terminal nomenclature should reflect POSIX
Change-Id: Ib4a3cef899ff4c71b09cb0dc6878863c5e8357bc
--- old/usr/src/man/man1m/in.rlogind.1m
+++ new/usr/src/man/man1m/in.rlogind.1m
1 1 '\" te
2 2 .\" Copyright 1989 AT&T
3 3 .\" Copyright (C) 2005, Sun Microsystems, Inc. All Rights Reserved
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH IN.RLOGIND 1M "June 20, 2021"
7 +.TH IN.RLOGIND 1M "February 5, 2022"
8 8 .SH NAME
9 9 in.rlogind, rlogind \- remote login server
10 10 .SH SYNOPSIS
11 11 .nf
12 12 \fB/usr/sbin/in.rlogind\fR [\fB-k5eExXciPp\fR] [\fB-s\fR \fItos\fR] [\fB-S\fR \fIkeytab\fR]
13 13 [\fB-M\fR \fIrealm\fR]
14 14 .fi
15 15
16 16 .SH DESCRIPTION
17 17 \fBin.rlogind\fR is the server for the \fBrlogin\fR(1) program. The server
18 18 provides a remote login facility with authentication based on Kerberos V5 or
19 19 privileged port numbers.
20 20 .sp
21 21 .LP
22 22 \fBin.rlogind\fR is invoked by \fBinetd\fR(1M) when a remote login connection
23 23 is established. When Kerberos V5 authentication is required (see option
24 24 \fB-k\fR below), the authentication sequence is as follows:
25 25 .RS +4
26 26 .TP
27 27 .ie t \(bu
28 28 .el o
29 29 Check Kerberos V5 authentication.
30 30 .RE
31 31 .RS +4
32 32 .TP
33 33 .ie t \(bu
34 34 .el o
35 35 Check authorization according to the rules in \fBkrb5_auth_rules\fR(5).
36 36 .RE
37 37 .RS +4
38 38 .TP
39 39 .ie t \(bu
40 40 .el o
41 41 Prompt for a password if any checks fail and \fB/etc/pam.conf\fR is configured
42 42 to do so.
43 43 .RE
44 44 .sp
45 45 .LP
46 46 In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR
47 47 Kerberos principal must exist for each Fully Qualified Domain Name associated
48 48 with the \fBin.rlogind\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR
49 49 principals must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR
50 50 file on the \fBin.rlogind\fR server. An example principal might be:
51 51 .sp
52 52 .LP
53 53 \fBhost/bigmachine.eng.example.com\fR
54 54 .sp
55 55 .LP
56 56 See \fBkadmin\fR(1M) for instructions on adding a principal to a
57 57 \fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos
58 58 authentication.
59 59 .sp
60 60 .LP
61 61 If Kerberos V5 authentication is not enabled, then the authentication procedure
62 62 follows the standard \fBrlogin\fR protocol:
63 63 .RS +4
64 64 .TP
65 65 .ie t \(bu
66 66 .el o
67 67 The server checks the client's source port. If the port is not in the range
68 68 512-1023, the server aborts the connection.
69 69 .RE
70 70 .RS +4
71 71 .TP
72 72 .ie t \(bu
73 73 .el o
74 74 The server checks the client's source address. If an entry for the client
75 75 exists in both \fB/etc/hosts\fR and \fB/etc/hosts.equiv\fR, a user logging in
76 76 from the client is not prompted for a password. If the address is associated
77 77 with a host for which no corresponding entry exists in \fB/etc/hosts\fR, the
78 78 user is prompted for a password, regardless of whether or not an entry for the
79 79 client is present in \fB/etc/hosts.equiv\fR. See \fBhosts\fR(4) and
80 80 \fBhosts.equiv\fR(4).
81 81 .RE
82 82 .sp
83 83 .LP
84 84 Once the source port and address have been checked, \fBin.rlogind\fR allocates
85 -a pseudo-terminal and manipulates file descriptors so that the slave half of
86 -the pseudo-terminal becomes the \fBstdin\fR, \fBstdout\fR, and \fBstderr\fR for
87 -a login process. The login process is an instance of the \fBlogin\fR(1)
85 +a pseudo-terminal and manipulates file descriptors so that the subsidiary half
86 +of the pseudo-terminal becomes the \fBstdin\fR, \fBstdout\fR, and \fBstderr\fR
87 +for a login process. The login process is an instance of the \fBlogin\fR(1)
88 88 program, invoked with the \fB-r\fR.
89 89 .sp
90 90 .LP
91 91 The login process then proceeds with the \fBpam\fR(3PAM) authentication
92 92 process. See \fBSECURITY\fR below. If automatic authentication fails, it
93 93 reprompts the user to login.
94 94 .sp
95 95 .LP
96 -The parent of the login process manipulates the master side of the
96 +The parent of the login process manipulates the manager side of the
97 97 pseudo-terminal, operating as an intermediary between the login process and the
98 98 client instance of the \fBrlogin\fR program. In normal operation, a packet
99 99 protocol is invoked to provide Ctrl-S and Ctrl-Q type facilities and propagate
100 100 interrupt signals to the remote programs. The login process propagates the
101 101 client terminal's baud rate and terminal type, as found in the environment
102 102 variable, \fBTERM\fR.
103 103 .SH OPTIONS
104 104 The following options are supported:
105 105 .sp
106 106 .ne 2
107 107 .na
108 108 \fB\fB-5\fR\fR
109 109 .ad
110 110 .RS 13n
111 111 Same as \fB-k\fR, for backwards compatibility.
112 112 .RE
113 113
114 114 .sp
115 115 .ne 2
116 116 .na
117 117 \fB\fB-c\fR\fR
118 118 .ad
119 119 .RS 13n
120 120 Requires Kerberos V5 clients to present a cryptographic checksum of initial
121 121 connection information like the name of the user that the client is trying to
122 122 access in the initial authenticator. This checksum provides additionl security
123 123 by preventing an attacker from changing the initial connection information.
124 124 This option is mutually exclusive with the \fB-i\fR option.
125 125 .RE
126 126
127 127 .sp
128 128 .ne 2
129 129 .na
130 130 \fB\fB-e\fR\fR
131 131 .ad
132 132 .RS 13n
133 133 Creates an encrypted session.
134 134 .RE
135 135
136 136 .sp
137 137 .ne 2
138 138 .na
139 139 \fB\fB-E\fR\fR
140 140 .ad
141 141 .RS 13n
142 142 Same as \fB-e\fR, for backwards compatibility.
143 143 .RE
144 144
145 145 .sp
146 146 .ne 2
147 147 .na
148 148 \fB\fB-i\fR\fR
149 149 .ad
150 150 .RS 13n
151 151 Ignores authenticator checksums if provided. This option ignores authenticator
152 152 checksums presented by current Kerberos clients to protect initial connection
153 153 information. Option \fB-i\fR is the opposite of option \fB-c\fR.
154 154 .RE
155 155
156 156 .sp
157 157 .ne 2
158 158 .na
159 159 \fB\fB-k\fR\fR
160 160 .ad
161 161 .RS 13n
162 162 Allows Kerberos V5 authentication with the \fB\&.k5login\fR access control file
163 163 to be trusted. If this authentication system is used by the client and the
164 164 authorization check is passed, then the user is allowed to log in.
165 165 .RE
166 166
167 167 .sp
168 168 .ne 2
169 169 .na
170 170 \fB\fB-M\fR \fIrealm\fR\fR
171 171 .ad
172 172 .RS 13n
173 173 Uses the indicated Kerberos V5 realm. By default, the daemon will determine its
174 174 realm from the settings in the \fBkrb5.conf\fR(4) file.
175 175 .RE
176 176
177 177 .sp
178 178 .ne 2
179 179 .na
180 180 \fB\fB-p\fR\fR
181 181 .ad
182 182 .RS 13n
183 183 Prompts for authentication only if other authentication checks fail.
184 184 .RE
185 185
186 186 .sp
187 187 .ne 2
188 188 .na
189 189 \fB\fB-P\fR\fR
190 190 .ad
191 191 .RS 13n
192 192 Prompts for a password in addition to other authentication methods.
193 193 .RE
194 194
195 195 .sp
196 196 .ne 2
197 197 .na
198 198 \fB\fB-s\fR \fItos\fR\fR
199 199 .ad
200 200 .RS 13n
201 201 Sets the \fBIP\fR \fBTOS\fR option.
202 202 .RE
203 203
204 204 .sp
205 205 .ne 2
206 206 .na
207 207 \fB\fB-S\fR \fIkeytab\fR\fR
208 208 .ad
209 209 .RS 13n
210 210 Sets the \fBKRB5\fR keytab file to use. The \fB/etc/krb5/krb5.keytab\fR file is
211 211 used by default.
212 212 .RE
213 213
214 214 .sp
215 215 .ne 2
216 216 .na
217 217 \fB\fB-x\fR\fR
218 218 .ad
219 219 .RS 13n
220 220 Same as \fB-e\fR, for backwards compatibility.
221 221 .RE
222 222
223 223 .sp
224 224 .ne 2
225 225 .na
226 226 \fB\fB-X\fR\fR
227 227 .ad
228 228 .RS 13n
229 229 Same as \fB-e\fR, for backwards compatibility.
230 230 .RE
231 231
232 232 .SH USAGE
233 233 \fBrlogind\fR and \fBin.rlogind\fR are IPv6-enabled. See \fBip6\fR(7P).
234 234 \fBIPv6\fR is not currently supported with Kerberos V5 authentication.
235 235 .sp
236 236 .LP
237 237 Typically, Kerberized \fBrlogin\fR service runs on port 543 (klogin) and
238 238 Kerberized, encrypted \fBrlogin\fR service runs on port 2105 (eklogin). The
239 239 corresponding FMRI entries are:
240 240 .sp
241 241 .in +2
242 242 .nf
243 243 svc:/network/login:klogin (rlogin with kerberos)
244 244 svc:/network/login:eklogin (rlogin with kerberos and encryption)
245 245 .fi
246 246 .in -2
247 247 .sp
248 248
249 249 .SH SECURITY
250 250 \fBin.rlogind\fR uses \fBpam\fR(3PAM) for authentication, account management,
251 251 and session management. The \fBPAM\fR configuration policy, listed through
252 252 \fB/etc/pam.conf\fR, specifies the modules to be used for \fBin.rlogind\fR.
253 253 Here is a partial \fBpam.conf\fR file with entries for the \fBrlogin\fR command
254 254 using the "rhosts" and UNIX authentication modules, and the UNIX account,
255 255 session management, and password management modules.
256 256 .sp
257 257
258 258 .sp
259 259 .TS
260 260 l l l
261 261 l l l .
262 262 rlogin auth sufficient pam_rhosts_auth.so.1
263 263 rlogin auth requisite pam_authtok_get.so.1
264 264 rlogin auth required pam_dhkeys.so.1
265 265 rlogin auth required pam_unix_auth.so.1
266 266
267 267 rlogin account required pam_unix_roles.so.1
268 268 rlogin account required pam_unix_projects.so.1
269 269 rlogin account required pam_unix_account.so.1
270 270
271 271 rlogin session required pam_unix_session.so.1
272 272 .TE
273 273
274 274 .sp
275 275 .LP
276 276 With this configuration, the server checks the client's source address. If an
277 277 entry for the client exists in both \fB/etc/hosts\fR and
278 278 \fB/etc/hosts.equiv\fR, a user logging in from the client is not prompted for a
279 279 password. If the address is associated with a host for which no corresponding
280 280 entry exists in \fB/etc/hosts\fR, the user is prompted for a password,
281 281 regardless of whether or not an entry for the client is present in
282 282 \fB/etc/hosts.equiv\fR. See \fBhosts\fR(4) and \fBhosts.equiv\fR(4).
283 283 .sp
284 284 .LP
285 285 When running a Kerberized rlogin service (with or without the encryption
286 286 option), the pam service name that should be used is "\fBkrlogin\fR".
287 287 .sp
288 288 .LP
289 289 If there are no entries for the \fBrlogin\fR service, then the entries for the
290 290 "other" service will be used. If multiple authentication modules are listed,
291 291 then the user may be prompted for multiple passwords. Removing the
292 292 \fBpam_rhosts_auth.so.1\fR entry will disable the \fB/etc/hosts.equiv\fR and
293 293 \fB~/.rhosts\fR authentication protocol and the user would always be forced to
294 294 type the password. The \fIsufficient\fR flag indicates that authentication
295 295 through the \fBpam_rhosts_auth.so.1\fR module is sufficient to authenticate the
296 296 user. Only if this authentication fails is the next authentication module used.
297 297 .SH SEE ALSO
298 298 \fBlogin\fR(1), \fBsvcs\fR(1), \fBrlogin\fR(1),
299 299 \fBin.rshd\fR(1M), \fBinetadm\fR(1M), \fBinetd\fR(1M), \fBkadmin\fR(1M),
300 300 \fBsvcadm\fR(1M), \fBpam\fR(3PAM), \fBhosts\fR(4), \fBhosts.equiv\fR(4),
301 301 \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBattributes\fR(5), \fBenviron\fR(5),
302 302 \fBkrb5_auth_rules\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
303 303 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
304 304 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5),
305 305 \fBsmf\fR(5)
306 306 .sp
307 307 .LP
308 308 \fI\fR
309 309 .SH DIAGNOSTICS
310 310 All diagnostic messages are returned on the connection associated with the
311 311 \fBstderr\fR, after which any network connections are closed. An error is
312 312 indicated by a leading byte with a value of 1.
313 313 .sp
314 314 .ne 2
315 315 .na
316 316 \fB\fBHostname for your address unknown.\fR\fR
317 317 .ad
318 318 .sp .6
319 319 .RS 4n
320 320 No entry in the host name database existed for the client's machine.
321 321 .RE
322 322
323 323 .sp
324 324 .ne 2
325 325 .na
326 326 \fB\fBTry again.\fR\fR
327 327 .ad
328 328 .sp .6
329 329 .RS 4n
330 330 A \fIfork\fR by the server failed.
331 331 .RE
332 332
333 333 .sp
334 334 .ne 2
335 335 .na
336 336 \fB\fB/usr/bin/sh:\fR .\|.\|.\fR
337 337 .ad
338 338 .sp .6
339 339 .RS 4n
340 340 The user's login shell could not be started.
341 341 .RE
342 342
343 343 .SH NOTES
344 344 The authentication procedure used here assumes the integrity of each client
345 345 machine and the connecting medium. This is insecure, but it is useful in an
346 346 ``open'' environment.
347 347 .sp
348 348 .LP
349 349 A facility to allow all data exchanges to be encrypted should be present.
350 350 .sp
351 351 .LP
352 352 The \fBpam_unix\fR(5) module is no longer supported. Similar functionality is
353 353 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
354 354 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
355 355 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
356 356 \fBpam_unix_session\fR(5).
357 357 .sp
358 358 .LP
359 359 The \fBin.rlogind\fR service is managed by the service management facility,
360 360 \fBsmf\fR(5), under the service identifier:
361 361 .sp
362 362 .in +2
363 363 .nf
364 364 svc:/network/login:rlogin (rlogin)
365 365 svc:/network/login:klogin (rlogin with kerberos)
366 366 svc:/network/login:eklogin (rlogin with kerberos and encryption)
367 367 .fi
368 368 .in -2
369 369 .sp
370 370
371 371 .sp
372 372 .LP
373 373 Administrative actions on this service, such as enabling, disabling, or
374 374 requesting restart, can be performed using \fBsvcadm\fR(1M). Responsibility for
375 375 initiating and restarting this service is delegated to \fBinetd\fR(1M). Use
376 376 \fBinetadm\fR(1M) to make configuration changes and to view configuration
377 377 information for this service. The service's status can be queried using the
378 378 \fBsvcs\fR(1) command.
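Review bot: Line 88, "program, invoked with the \fB-r\fR.", directly follows the rewrapped lines 85-87 and is missing its noun ("invoked with the \fB-r\fR option"); since this change already reflows that paragraph, the fix belongs in the same commit. The nomenclature change itself reads consistently: both occurrences visible in this file are updated ("subsidiary half" at new line 85, "manager side" at new line 96), the surrounding sentences still parse after the reflow, and the .TH date at line 7 is bumped to match. Two other pre-existing nits in the unchanged context are cheap to take along while the page is open: "additionl" at line 122 should be "additional", and the empty italic reference \fI\fR at lines 57 and 308 ("See \fI\fR for a discussion of Kerberos authentication.") points at nothing, apparently a dropped document title that the diff does not identify; either restore the title or drop the dangling sentence.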