HP-UX Reference (11i v1 00/12) - 1M System Administration Commands N-Z (vol 4)
rlogind(1M) Kerberos rlogind(1M)
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used with -R.
Also, if no options are specified, the default option is -K.
Operation
When a service request is received, the following protocol is initiated by rlogind:
1. rlogind checks the client’s source port. If the port is not a privileged port, i.e., not in the range
512 through 1023, and rlogind is operating in a non-secure environment, the connection is
terminated. In a secure environment, the action taken depends on the command line options:
-R The source port must be a privileged port; otherwise rlogind terminates the connection.
-r If the source port is not a privileged port then Kerberos authorization must succeed or the
connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. rlogind checks the client’s source address and requests the corresponding host name (see
gethostent(3N), hosts(4), and named(1M)). If it cannot determine the hostname, it uses the
Internet dot-notation representation of the host address.
3. rlogind, in a secure environment, proceeds with the Kerberos authentication process
described in sis(5). If authentication succeeds, then the authorization selected by the command
line option -K, -R, -k, or -r is performed. The authorization selected could be as specified in
hosts.equiv(4) or Kerberos authorization as specified in sis(5).
4. rlogind then allocates a STREAMS based pseudo-terminal (see ptm(7), pts(7)), and manipulates
file descriptors so that the slave half of the pseudo-terminal becomes stdin, stdout, and
stderr for a login process.
5. This login process is an instance of login(1) invoked with the -f option if authentication has
succeeded. In a non-secure environment, if automatic authentication fails, login(1) prompts the
user with the normal login sequence. In a secure environment, if authentication fails,
rlogind generates an error message and quits.
The rlogind process manipulates the master side of the pseudo-terminal, operating as an intermediary
between the login process and the client instance of the rlogin program. The protocol described in
ptm(7) and pts(7) is used to enable and disable flow control via Ctrl-S/Ctrl-Q under the direction of the
program running on the slave side of the pseudo-terminal, and to flush terminal output in response to
interrupt signals. The login process sets the baud rate and TERM environment variable to correspond to the
client’s baud rate and terminal type (see environ(5)).
Transport-level keepalive messages are enabled unless the -n option is present. The use of keepalive
messages allows sessions to be timed out if the client crashes or becomes unreachable.
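The source-port check in step 1 and the option precedence stated in the Note can be modeled as a small decision function. This is an added example, not HP-UX source code or part of the original manual page; the function names, the "continue"/"terminate" labels, and the sample ports 1022 and 40000 are assumptions made for illustration, and the Kerberos authorization outcome is supplied as an input rather than computed.

```python
# Added example: a model of the step 1 source-port check, not rlogind's own code.
PRIVILEGED_PORTS = range(512, 1024)  # "512 through 1023", as stated in step 1


def effective_options(flags):
    """Apply the Note: -k is ignored with -K, -r is ignored with -R, default is -K."""
    opts = set(flags)
    if "-K" in opts:
        opts.discard("-k")
    if "-R" in opts:
        opts.discard("-r")
    return sorted(opts) or ["-K"]


def port_check(option, source_port, secure=True, kerberos_ok=False):
    """Return 'continue' or 'terminate' for step 1 of the Operation list.

    kerberos_ok is the outcome of Kerberos authorization (an input to this
    model; the real check is described in sis(5)).
    """
    privileged = source_port in PRIVILEGED_PORTS
    if not secure:                # non-secure environment: privileged port required
        return "continue" if privileged else "terminate"
    if option == "-K":            # no action is taken on the source port
        return "continue"
    if option == "-R":            # port must be privileged, Kerberos cannot substitute
        return "continue" if privileged else "terminate"
    if option in ("-r", "-k"):    # unprivileged port tolerated only if Kerberos succeeds
        return "continue" if (privileged or kerberos_ok) else "terminate"
    raise ValueError(f"unknown option {option!r}")


def decision_table():
    """Enumerate every secure-environment case for two constructed sample ports."""
    rows = []
    for opt in ("-K", "-R", "-r", "-k"):
        for port in (1022, 40000):
            for krb in (True, False):
                rows.append((opt, port, krb, port_check(opt, port, kerberos_ok=krb)))
    return rows


if __name__ == "__main__":
    for row in decision_table():
        print("%-3s port=%-5d kerberos_ok=%-5s -> %s" % row)
```

The table shows that -r and -k give the same step 1 outcome and differ only in the order of the authorization checks, while -K never rejects on the source port alone.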
EXTERNAL INFLUENCES
International Code Set Support
Single- and multibyte character code sets are supported.
DIAGNOSTICS
Errors in establishing a connection cause an error message to be returned with a leading byte of 1 through
the socket connection, after which the network connection is closed. Any errors generated by the login
process or its descendants are passed through by the server as normal communication.
fork: No more processes
The server was unable to fork a process to handle the incoming connection.
Next step: Wait a period of time and try again. If this message persists, the server’s host may
have runaway processes that are using all the entries in the process table.
Section 1M−−718 − 2 − HP-UX Release 11i: December 2000