remote login server
[ -k ] [ -K ]
[ -l ]
[ -n ]
[ -I n ]
[ -N n ]
[ -S n ]
[ -X ]
rlogind is the server for the
program. The server provides a remote login facility with
authentication based on privileged port numbers from
trusted hosts. It is started by the ``super server''
inetd, and therefore must have an entry in
inetd's configuration file,
rlogind listens for service requests at the port
indicated in the login service specification; see
When a service request is received, the following protocol
Once the source port and address have been checked,
rlogind proceeds with the authentication process
It then allocates a pseudo terminal and manipulates file
descriptors so that the slave half of the pseudo terminal
becomes the stdin, stdout, and
stderr for a login process. The login process is
an instance of the
program, invoked with the -f option if
authentication has succeeded. If automatic authentication
fails, the user is prompted to log in as if on a standard
terminal line. The -l option prevents any
authentication based on the user's .rhosts file,
unless the user is logging in as root.
The server checks the client's source port.
If the port is not in the range 512-1023, the server
aborts the connection.
The server checks the client's source address
and requests the corresponding host name (see
If the hostname cannot be determined,
the dot-notation representation of the host address is used.
The master side of the pseudo-terminal opens the
In-Kernel Network Terminal (IKNT) driver,
which provides reliable, flow-controlled, two-way transmission
of data between the master side of the pseudo-terminal and
the underlying transport driver, bypassing the rlogind server.
manual reference page for a more detailed explanation.
Should the IKNT driver link fail, rlogind reverts to
manipulating the master side
of the pseudo terminal, operating as an intermediary
between the login process and the client instance of the
rlogin program. Login propagates the client
terminal's baud rate and terminal type, as found in the
environment variable, TERM; see
Transport-level keepalive messages are enabled unless the
-n option is present. The use of keepalive
messages allows sessions to be timed out if the client
crashes or becomes unreachable.
If keepalives are being used, several parameters may be controlled
using the following options:
The default keepalive values corresponding to these options
are controlled by the parameters
tcp_keepintvl (75 seconds),
tcp_nkeep (8), and
tcp_keepidle (7200 seconds).
These can be tuned on a system-wide basis using
These options exist solely to provide finer control of
keepalives on a per-application basis.
The argument n
specifies the interval (in seconds) between keepalive probes if
no response is received.
The argument n
specifies the number of unanswered keepalive probes that will be
sent prior to dropping the connection.
The argument n
specifies the time (in seconds) that a connection must be idle
before the first keepalive probe will be sent.
Authenticated rlogin using Kerberos
rlogind listens for service requests at the
klogin port (543/tcp)
as indicated in the login services
The klogin port accepts a connection from a
remote authenticated rlogin client and
attempts to establish authentication.
Authentication takes place between the client
program rlogin and the
host principal where the rlogind
daemon is running, using the network credentials
of the user that invoked the client program.
The principal name for host
The machine name must be fully qualified
(for example, kvetch.your_company.com).
The service key for this host principal is cached in the local
Default Service Key Table (/krb5/v5srvtab),
and must match the service key stored in the Security Registry.
The following authentication options are supported:
To execute rlogind on behalf of remote clients
without asking for a password,
the user invoking the client must have network credentials,
and the user's principal name must appear in the
$HOME/.k5login file on the host
where rlogind is running
(this file must be writable
only by the user or by root, and it must be readable
by root on the filesystem where it resides).
Relaxed authentication mode;
if authentication cannot be established,
a traditional unauthenticated connection is established.
Strict authentication mode;
if authentication fails, the user cannot log in.
Refuse service and print the message:
rlogind: Authentication is required on host: hostname
All diagnostic messages are returned on the connection
associated with the stderr, after which any
network connections are closed. An error is indicated by a
leading byte with a value of 1.
A fork by the server failed.
The user's login shell could not be started.
With standard authentication, the procedure used here assumes the
integrity of each client machine and the connecting medium.
This is insecure, but is useful in an ``open'' environment.
Secure TCP authentication is based on Version 5
of the Kerberos Network Authentication Service protocol.
Only this version of the protocol is supported.
Data encryption is not supported.
configuration file for inetd
Internet services list
local default service key table
access control file for the SCO Secure TCP/IP Utilities
Authenticated rlogind is not part of any currently supported standard.
It is an extension of AT&T UNIX System V provided by
The Santa Cruz Operation, Inc.
rlogind is conformant with:
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003