HP-UX Reference (11i v2 04/09) - 1M System Administration Commands N-Z (vol 4)
rlogind(1M) rlogind(1M)
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv (4).
-r Either one of the following must succeed. The authorization checks are done in the order
listed below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv (4)).
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The authorization checks are done in the order
listed below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used
with -R. Also, if no options are specified, the default option is -K.
Operation
When a service request is received, the following protocol is initiated by rlogind:
1. rlogind checks the client’s source port. If the port is not a privileged port (that is, not in
the range 512 through 1023) and rlogind is operating in a non-secure environment, the
connection is terminated. In a secure environment, the action taken depends on the command
line options:
-R The source port must be a privileged port; otherwise rlogind terminates the connection.
-r If the source port is not a privileged port, then Kerberos authorization must succeed or
the connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. rlogind checks the client’s source address and requests the corresponding host name (see
gethostent (3N), hosts (4), and named(1M)). If it cannot determine the hostname, it uses the
Internet dot-notation representation of the host address.
3. rlogind, in a secure environment, proceeds with the Kerberos authentication process
described in sis (5). If authentication succeeds, then the authorization selected by the
command line option -K, -R, -k, or -r is performed. The authorization selected could be as
specified in hosts.equiv (4) or Kerberos authorization as specified in sis(5).
4. rlogind then allocates a STREAMS based pseudo-terminal (see ptm(7), pts (7)), and
manipulates file descriptors so that the slave half of the pseudo-terminal becomes stdin, stdout,
and stderr for a login process.
5. This login process is an instance of login(1) invoked with the -f option if authentication has
succeeded. In a non-secure environment, if automatic authentication fails, login(1) prompts
the user with the normal login sequence. In a secure environment, if authentication fails,
rlogind generates an error message and quits.
The rlogind process manipulates the master side of the pseudo-terminal, operating as an intermediary
between the login process and the client instance of the rlogin program. The protocol described in
ptm(7) and pts (7) is used to enable and disable flow control via Ctrl-S/Ctrl-Q under the direction of the
program running on the slave side of the pseudo-terminal, and to flush terminal output in response to
interrupt signals. The login process sets the baud rate and TERM environment variable to correspond to
the client’s baud rate and terminal type (see environ (5)).
Transport-level keepalive messages are enabled unless the -n option is present. The use of keepalive
messages allows sessions to be timed out if the client crashes or becomes unreachable.
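The following Python model is an added example, not HP-UX code: it combines the Note on option precedence with step 1 of the protocol to show, for a given rlogind argument list, whether a connection survives the source-port check. The function names, the sample argument lists and the assumption that each option is passed as a separate argument are illustrative; combinations the page does not define (such as -R together with -K) are rejected.

```python
# Added model of the rlogind step-1 source-port check; not HP-UX source code.
PRIVILEGED_PORTS = range(512, 1024)      # "512 through 1023" on the page
AUTH_OPTIONS = ("-K", "-R", "-k", "-r")


def effective_option(argv):
    """Resolve the authorization option in force, following the page's Note."""
    seen = {arg for arg in argv if arg in AUTH_OPTIONS}
    if "-K" in seen:
        seen.discard("-k")               # -k is ignored when used with -K
    if "-R" in seen:
        seen.discard("-r")               # -r is ignored when used with -R
    if not seen:
        return "-K"                      # default when no option is specified
    if len(seen) > 1:
        # e.g. -R together with -K: the page does not define this case
        raise ValueError("combination not covered by the page: %s" % sorted(seen))
    return seen.pop()


def source_port_check(argv, src_port, secure_env, kerberos_ok):
    """Return True if the connection survives step 1, False if terminated."""
    privileged = src_port in PRIVILEGED_PORTS
    if not secure_env:
        return privileged                # non-secure: privileged port required
    option = effective_option(argv)
    if option == "-R":
        return privileged
    if option in ("-r", "-k"):
        return privileged or kerberos_ok  # either check may carry the request
    return True                          # -K: no action is taken at this step


def step1_matrix(argv, secure_env=True):
    """Outcome for every (privileged port?, Kerberos ok?) pair."""
    return {
        (priv, krb): source_port_check(argv, 1023 if priv else 40000, secure_env, krb)
        for priv in (True, False)
        for krb in (True, False)
    }


if __name__ == "__main__":
    # Constructed argument lists, as they might appear after the daemon name.
    for args in ([], ["-R"], ["-r"], ["-k", "-n"], ["-k", "-K"]):
        print(args, effective_option(args), step1_matrix(args))
```

At this step -r and -k produce the same outcome; per the option descriptions they differ only in the order in which the two checks are attempted.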
EXTERNAL INFLUENCES
Section 1M−−694 Hewlett-Packard Company − 2 − HP-UX 11i Version 2: September 2004