1.\" $NetBSD: rlogind.8,v 1.13 2002/01/15 02:24:42 wiz Exp $ 2.\" 3.\" Copyright (c) 1983, 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by the University of 17.\" California, Berkeley and its contributors. 18.\" 4. Neither the name of the University nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" from: @(#)rlogind.8 8.1 (Berkeley) 6/4/93 35.\" 36.Dd November 8, 1996 37.Dt RLOGIND 8 38.Os 39.Sh NAME 40.Nm rlogind 41.Nd remote login server 42.Sh SYNOPSIS 43.Nm 44.Op Fl alnL 45.Sh DESCRIPTION 46.Nm 47is the server for the 48.Xr rlogin 1 49program. 50The server provides a remote login facility with authentication 51based on privileged port numbers from trusted hosts. 52.Pp 53Options supported by 54.Nm "" : 55.Bl -tag -width Ds 56.It Fl a 57Ask hostname for verification. 58.It Fl l 59Prevent any authentication based on the user's 60.Dq Pa .rhosts 61file, unless the user is logging in as the superuser. 62.It Fl n 63Disable keep-alive messages. 64.It Fl L 65Log all successful accesses to 66.Xr syslogd 8 67as 68.Li auth.info 69messages. 70.El 71.Pp 72.Nm 73listens for service requests at the port indicated in 74the ``login'' service specification; see 75.Xr services 5 . 76When a service request is received the following protocol is initiated: 77.Bl -enum 78.It 79The server checks the client's source port. 80If the port is not in the range 512-1023, the server 81aborts the connection. 82.It 83The server checks the client's source address 84and requests the corresponding host name (see 85.Xr gethostbyaddr 3 , 86.Xr hosts 5 87and 88.Xr named 8 ) . 89If the hostname cannot be determined, 90the dot-notation representation of the host address is used. 91If the hostname is in the same domain as the server (according to 92the last two components of the domain name), 93or if the 94.Fl a 95option is given, 96the addresses for the hostname are requested, 97verifying that the name and address correspond. 98Normal authentication is bypassed if the address verification fails. 99.El 100.Pp 101Once the source port and address have been checked, 102.Nm 103proceeds with the authentication process described in 104.Xr rshd 8 . 105It then allocates a pseudo terminal (see 106.Xr pty 4 ) , 107and manipulates file descriptors so that the slave 108half of the pseudo terminal becomes the 109.Em stdin , 110.Em stdout , 111and 112.Em stderr 113for a login process. 114The login process is an instance of the 115.Xr login 1 116program, invoked with the 117.Fl f 118option if authentication has succeeded. 119If automatic authentication fails, the user is 120prompted to log in as if on a standard terminal line. 121.Pp 122The parent of the login process manipulates the master side of 123the pseudo terminal, operating as an intermediary 124between the login process and the client instance of the 125.Xr rlogin 1 126program. 127In normal operation, the packet protocol described in 128.Xr pty 4 129is invoked to provide 130.Ql ^S/^Q 131type facilities and propagate 132interrupt signals to the remote programs. 133The login process propagates the client terminal's baud rate and 134terminal type, as found in the environment variable, 135.Ql Ev TERM ; 136see 137.Xr environ 7 . 138The screen or window size of the terminal is requested from the client, 139and window size changes from the client are propagated to the pseudo terminal. 140.Pp 141Transport-level keepalive messages are enabled unless the 142.Fl n 143option is present. 144The use of keepalive messages allows sessions to be timed out 145if the client crashes or becomes unreachable. 146.Pp 147At the end of a login session, 148.Nm 149invokes the 150.Xr ttyaction 3 151facility with an action of "rlogind" and user "root" 152to execute site-specific commands. 153.Sh DIAGNOSTICS 154All initial diagnostic messages are indicated 155by a leading byte with a value of 1, 156after which any network connections are closed. 157If there are no errors before 158.Xr login 1 159is invoked, a null byte is returned as in indication of success. 160.Bl -tag -width Ds 161.It Sy Try again. 162A 163.Xr fork 2 164by the server failed. 165.El 166.Sh SEE ALSO 167.Xr login 1 , 168.Xr ruserok 3 , 169.Xr ttyaction 3 , 170.Xr rshd 8 171.Sh HISTORY 172The 173.Nm 174command appeared in 175.Bx 4.2 . 176.Sh BUGS 177The authentication procedure used here assumes the integrity 178of each client machine and the connecting medium. 179This is insecure, but is useful in an ``open'' environment. 180.Pp 181A facility to allow all data exchanges to be encrypted should be 182present. 183.Pp 184A more extensible protocol should be used. 185.Pp 186.Nm 187intentionally rejects accesses from IPv4 mapped address on top of 188.Dv AF_INET6 189socket, since IPv4 mapped address complicates host-address based 190authentication. 191If you would like to accept connections from IPv4 peers, you will need to run 192.Nm 193on top of 194.Dv AF_INET 195socket, not 196.Dv AF_INET6 197socket. 198