HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)
__________________________________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________________________________________
STANDARD Printed by: Nora Chuang [nchuang] STANDARD
/build/1111/BRICK/man1m/naaagt.1m
________________________________________________________________
___ ___
r
rlogind(1M) Kerberos rlogind(1M)
NAME
rlogind - remote login server
SYNOPSIS
/usr/lbin/rlogind [-ln][-B bannerfile]
Kerberos V5 Network Authentication environments:
/usr/lbin/rlogind [-clnKkRr][-B bannerfile]
DESCRIPTION
rlogind is the server for the rlogin(1) program. It provides a remote login facility with two kinds of
authentication methods:
1. Authentication based on privileged port numbers where the client’s source port must be in the
range 512 through 1023. In this case rlogind assumes it is operating in normal or non-secure
environment.
2. Authentication based on Kerberos V5. In this case rlogind assumes it is operating in a Ker-
beros V5 Network Authentication, i.e., secure environment.
The inetd daemon invokes rlogind if a service request is received at ports indicated by the
login or
klogin services specified in /etc/services
(see inetd(1M) and services(4)). Service requests arriv-
ing at the
klogin port assume a secure environment and expect Kerberos authentication to take place.
To start rlogind from the inetd daemon in a non-secure environment, the configuration file
/etc/inetd.conf must contain an entry as follows:
login stream tcp nowait root /usr/lbin/rlogind rlogind
In a secure environment, /etc/inetd.conf
must contain an entry:
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K
See inetd.conf(4) for more information.
To prevent non-secure access, the entry for login should be commented out in /etc/inetd.conf
.
Any non-Kerberos access will be denied since the entry for the port indicated by
login has now been
removed or commented out. In a such a situation, a generic error message,
rcmd: connect <hostname> : Connection refused
is displayed. See DIAGNOSTICS for more details.
Options
rlogind recognizes the following options:
-c Ignore checksum verification. This option is used to achieve interoperability between clients and
servers using different checksum calculation methods. For example, the checksum calculation in
a application developed with Kerberos V5 Beta 4 API is different from the calculation in a Ker-
beros V5-1.0 application.
-l Prevents any authentication based on the user’s .rhosts file unless the user is logging in as
super-user.
-Bbannerfile
Causes the file, bannerfile, to be displayed to incoming rlogin requests.
In a secure environment, rlogind will recognize the following additional options:
-K Authorization based on Kerberos V5 must succeed or access will be rejected (see sis(5) for details
on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
HP-UX Release 11i: December 2000 − 1 − Section 1M−−717
___
___