HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)

rlogind(1M) rlogind(1M)
-K Authorization based on Kerberos V5 must succeed or access will be rejected (see sis(5) for details
on authorization).
-R Authentication based on privileged port numbers and authorization of the remote user through
equivalent accounts must succeed. For more information on equivalent accounts, see
hosts.equiv(4).
-r Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts (see hosts.equiv(4)).
2. Authorization based on Kerberos V5.
-k Either one of the following must succeed. The order in which the authorization checks are done
is as specified below.
1. Authorization based on Kerberos V5.
2. Authentication based on privileged port numbers and authorization of the remote user
through equivalent accounts.
Note: The -k option is ignored when used with -K, and the -r option is ignored when used
with -R. Also, if no options are specified, the default option is -K.
Operation
When a service request is received, the following protocol is initiated by rlogind:
1. rlogind checks the client’s source port. If the port is not a privileged port (that is, not in the
range 512 through 1023) and rlogind is operating in a non-secure environment, the connection
is terminated. In a secure environment, the action taken depends on the command line
options:
-R The source port must be a privileged port; otherwise rlogind terminates the connection.
-r If the source port is not a privileged port, then Kerberos authorization must succeed or the
connection is terminated.
-k The source port must be a privileged port if Kerberos authorization fails.
-K No action is taken.
2. rlogind checks the client’s source address and requests the corresponding host name (see
gethostent(3N), hosts(4), and named(1M)). If it cannot determine the hostname, it uses the
Internet dot-notation representation of the host address.
3. rlogind, in a secure environment, proceeds with the Kerberos authentication process
described in sis(5). If authentication succeeds, then the authorization selected by the command
line option -K, -R, -k, or -r is performed. The authorization selected could be as specified in
hosts.equiv or Kerberos authorization as specified in sis(5).
4. rlogind then allocates a STREAMS based pseudo-terminal (see ptm(7) and pts(7)), and
manipulates file descriptors so that the slave half of the pseudo-terminal becomes stdin, stdout,
and stderr for a login process.
5. This login process is an instance of login invoked with the -f option if authentication has
succeeded. In a non-secure environment, if automatic authentication fails, login prompts the user
with the normal login sequence. In a secure environment, if authentication fails, rlogind
generates an error message and quits.
The rlogind process manipulates the master side of the pseudo-terminal, operating as an intermediary
between the login process and the client instance of the rlogin program. The protocol described in
ptm(7) and pts(7) is used to enable and disable flow control via Ctrl-S/Ctrl-Q under the direction of the
program running on the slave side of the pseudo-terminal, and to flush terminal output in response to
interrupt signals. The login process sets the baud rate and TERM environment variable to correspond to the
client’s baud rate and terminal type (see environ(5)).
Transport-level keepalive messages are enabled unless the -n option is present. The use of keepalive
messages allows sessions to be timed out if the client crashes or becomes unreachable.
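
The following C model is an added example, not rlogind source code: it works through the secure-environment access decision described above for -K, -R, -r and -k, including which check grants access when both would succeed. The function and enum names are hypothetical, and treating the privileged-port test and the hosts.equiv lookup as one combined check is an assumption drawn from the option descriptions.

```c
#include <stdbool.h>
#include <stdio.h>

enum grant { DENY, VIA_EQUIV, VIA_KRB5 };

/* Privileged source ports, using the range stated in the Operation section. */
static bool privileged(int port) { return port >= 512 && port <= 1023; }

/* Resolve the documented option interactions: -k is ignored with -K,
 * -r is ignored with -R, and no option means -K. Combinations the page
 * does not describe return 0. */
char effective_option(bool K, bool R, bool r, bool k)
{
    if (K && !R && !r) return 'K';          /* -K or -K -k */
    if (R && !K && !k) return 'R';          /* -R or -R -r */
    if (r && !K && !R && !k) return 'r';
    if (k && !K && !R && !r) return 'k';
    if (!K && !R && !r && !k) return 'K';   /* default */
    return 0;
}

/* Secure-environment decision: Kerberos authentication must succeed first
 * (steps 3 and 5); then the option selects which authorization checks run
 * and in what order. */
enum grant authorize(char opt, int src_port, bool krb_authn_ok,
                     bool krb_authz_ok, bool equiv_ok)
{
    bool equiv = privileged(src_port) && equiv_ok;

    if (!krb_authn_ok) return DENY;
    switch (opt) {
    case 'K': return krb_authz_ok ? VIA_KRB5 : DENY;
    case 'R': return equiv ? VIA_EQUIV : DENY;
    case 'r': return equiv ? VIA_EQUIV : krb_authz_ok ? VIA_KRB5 : DENY;
    case 'k': return krb_authz_ok ? VIA_KRB5 : equiv ? VIA_EQUIV : DENY;
    default:  return DENY;
    }
}

int main(void)
{
    static const char *name[] = { "deny", "hosts.equiv", "Kerberos V5" };
    const char opts[] = "KRrk";
    /* Constructed case: unprivileged port, Kerberos authorization fails. */
    for (int i = 0; opts[i]; i++)
        printf("-%c: %s\n", opts[i],
               name[authorize(opts[i], 40000, true, false, true)]);
    return 0;
}
```

Only -K makes Kerberos V5 authorization mandatory; with -R, -r or -k a session can be granted through the hosts.equiv path, which is the property to check when reviewing how the daemon is started.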
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 257