179 lines
5.7 KiB
Groff
179 lines
5.7 KiB
Groff
|
.\" Copyright (c) 1983, 1989, 1991, 1993
|
||
|
.\" The Regents of the University of California. All rights reserved.
|
||
|
.\"
|
||
|
.\" Redistribution and use in source and binary forms, with or without
|
||
|
.\" modification, are permitted provided that the following conditions
|
||
|
.\" are met:
|
||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer.
|
||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||
|
.\" documentation and/or other materials provided with the distribution.
|
||
|
.\" 3. All advertising materials mentioning features or use of this software
|
||
|
.\" must display the following acknowledgement:
|
||
|
.\" This product includes software developed by the University of
|
||
|
.\" California, Berkeley and its contributors.
|
||
|
.\" 4. Neither the name of the University nor the names of its contributors
|
||
|
.\" may be used to endorse or promote products derived from this software
|
||
|
.\" without specific prior written permission.
|
||
|
.\"
|
||
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
|
.\" SUCH DAMAGE.
|
||
|
.\"
|
||
|
.\" @(#)rlogind.8 8.1 (Berkeley) 6/4/93
|
||
|
.\"
|
||
|
.Dd August 25, 1996
|
||
|
.Dt RLOGIND 8
|
||
|
.Os BSD 4.2
|
||
|
.Sh NAME
|
||
|
.Nm rlogind
|
||
|
.Nd remote login server
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm rlogind
|
||
|
.Op Fl ailnkvxD
|
||
|
.Op Fl p Ar portnumber
|
||
|
.Op Fl L Ar /bin/login
|
||
|
.Sh DESCRIPTION
|
||
|
.Nm Rlogind
|
||
|
is the server for the
|
||
|
.Xr rlogin 1
|
||
|
program. The server provides a remote login facility with
|
||
|
kerberos-based authentication or traditional pseudo-authentication with
|
||
|
privileged port numbers from trusted hosts.
|
||
|
.Pp
|
||
|
Options supported by
|
||
|
.Nm rlogind :
|
||
|
.Bl -tag -width Ds
|
||
|
.It Fl a
|
||
|
No-op. For backwards compatibility. Hostnames are always verified.
|
||
|
.It Fl l
|
||
|
Prevent any authentication based on the user's
|
||
|
.Dq Pa .rhosts
|
||
|
file, unless the user is logging in as the superuser.
|
||
|
.It Fl n
|
||
|
Disable keep-alive messages.
|
||
|
.It Fl k
|
||
|
Enable kerberos authentication.
|
||
|
.It Fl i
|
||
|
Do not expect to be spawned by inetd and create a socket and listen on
|
||
|
it yourself.
|
||
|
.It Fl p portnumber
|
||
|
Specifies the port number it should listen on in case the
|
||
|
.It Fl i
|
||
|
flag has been given.
|
||
|
.It Fl v
|
||
|
Vacuous, echo "Remote host requires Kerberos authentication" and exit.
|
||
|
.It Fl x
|
||
|
Provides an encrypted communications channel. This options requires the
|
||
|
.Fl k
|
||
|
flag.
|
||
|
.It Fl L pathname
|
||
|
Specify pathname to an alternative login program.
|
||
|
.It Fl D
|
||
|
Use the TCP nodelay option (see setsockopt(2)).
|
||
|
.El
|
||
|
.Pp
|
||
|
When a service request is received,
|
||
|
.Nm rlogind
|
||
|
verifies the kerberos ticket supplied by the user.
|
||
|
.Pp
|
||
|
For non-kerberised connections, the following protocol is initiated:
|
||
|
.Bl -enum
|
||
|
.It
|
||
|
The server checks the client's source port.
|
||
|
If the port is not in the range 512-1023, the server
|
||
|
aborts the connection.
|
||
|
.It
|
||
|
The server checks the client's source address
|
||
|
and requests the corresponding host name (see
|
||
|
.Xr gethostbyaddr 3 ,
|
||
|
.Xr hosts 5
|
||
|
and
|
||
|
.Xr named 8 ) .
|
||
|
If the hostname cannot be determined,
|
||
|
the dot-notation representation of the host address is used.
|
||
|
The addresses for the hostname are requested,
|
||
|
verifying that the name and address correspond.
|
||
|
Normal authentication is bypassed if the address verification fails.
|
||
|
.El
|
||
|
.Pp
|
||
|
Once the source port and address have been checked,
|
||
|
.Nm rlogind
|
||
|
proceeds with the authentication process described in
|
||
|
.Xr rshd 8 .
|
||
|
.Pp
|
||
|
It then allocates a pseudo terminal (see
|
||
|
.Xr pty 4 ) ,
|
||
|
and manipulates file descriptors so that the slave
|
||
|
half of the pseudo terminal becomes the
|
||
|
.Em stdin ,
|
||
|
.Em stdout ,
|
||
|
and
|
||
|
.Em stderr
|
||
|
for a login process.
|
||
|
The login process is an instance of the
|
||
|
.Xr login 1
|
||
|
program, invoked with the
|
||
|
.Fl f
|
||
|
option if authentication has succeeded.
|
||
|
If automatic authentication fails, the user is
|
||
|
prompted to log in as if on a standard terminal line.
|
||
|
.Pp
|
||
|
The parent of the login process manipulates the master side of
|
||
|
the pseudo terminal, operating as an intermediary
|
||
|
between the login process and the client instance of the
|
||
|
.Xr rlogin
|
||
|
program. In normal operation, the packet protocol described
|
||
|
in
|
||
|
.Xr pty 4
|
||
|
is invoked to provide
|
||
|
.Ql ^S/^Q
|
||
|
type facilities and propagate
|
||
|
interrupt signals to the remote programs. The login process
|
||
|
propagates the client terminal's baud rate and terminal type,
|
||
|
as found in the environment variable,
|
||
|
.Ql Ev TERM ;
|
||
|
see
|
||
|
.Xr environ 7 .
|
||
|
The screen or window size of the terminal is requested from the client,
|
||
|
and window size changes from the client are propagated to the pseudo terminal.
|
||
|
.Pp
|
||
|
Transport-level keepalive messages are enabled unless the
|
||
|
.Fl n
|
||
|
option is present.
|
||
|
The use of keepalive messages allows sessions to be timed out
|
||
|
if the client crashes or becomes unreachable.
|
||
|
.Sh DIAGNOSTICS
|
||
|
All initial diagnostic messages are indicated
|
||
|
by a leading byte with a value of 1,
|
||
|
after which any network connections are closed.
|
||
|
If there are no errors before
|
||
|
.Xr login
|
||
|
is invoked, a null byte is returned as in indication of success.
|
||
|
.Bl -tag -width Ds
|
||
|
.It Sy Try again.
|
||
|
A
|
||
|
.Xr fork
|
||
|
by the server failed.
|
||
|
.El
|
||
|
.Sh SEE ALSO
|
||
|
.Xr login 1 ,
|
||
|
.Xr ruserok 3 ,
|
||
|
.Xr rshd 8
|
||
|
.Sh BUGS
|
||
|
A more extensible protocol should be used.
|
||
|
.Sh HISTORY
|
||
|
The
|
||
|
.Nm
|
||
|
command appeared in
|
||
|
.Bx 4.2 .
|