9e4b2c6012
closes [misc/543] and [bin/1295] - syslog() failures of iruserok(), which should help debugging why a .rhosts authentication failed. - log a successful iruserok() if -L given. idea from rshd(8). - allow root .rhosts to authenticate, the same way that rshd(8) does. the prior behaviour meant that 'rsh foo csh -i' could get a shell without a password, but 'rlogin foo' couldn't; very inconsistant. closes [bin/1078] and [bin/1239]
176 lines
5.6 KiB
Groff
176 lines
5.6 KiB
Groff
.\" Copyright (c) 1983, 1989, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the University of
|
|
.\" California, Berkeley and its contributors.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" from: @(#)rlogind.8 8.1 (Berkeley) 6/4/93
|
|
.\" $Id: rlogind.8,v 1.4 1996/11/08 07:47:44 lukem Exp $
|
|
.\"
|
|
.Dd November 8, 1996
|
|
.Dt RLOGIND 8
|
|
.Os BSD 4.2
|
|
.Sh NAME
|
|
.Nm rlogind
|
|
.Nd remote login server
|
|
.Sh SYNOPSIS
|
|
.Nm rlogind
|
|
.Op Fl alnL
|
|
.Sh DESCRIPTION
|
|
.Nm Rlogind
|
|
is the server for the
|
|
.Xr rlogin 1
|
|
program. The server provides a remote login facility
|
|
with authentication based on privileged port numbers from trusted hosts.
|
|
.Pp
|
|
Options supported by
|
|
.Nm rlogind :
|
|
.Bl -tag -width Ds
|
|
.It Fl a
|
|
Ask hostname for verification.
|
|
.It Fl l
|
|
Prevent any authentication based on the user's
|
|
.Dq Pa .rhosts
|
|
file, unless the user is logging in as the superuser.
|
|
.It Fl n
|
|
Disable keep-alive messages.
|
|
.It Fl L
|
|
Log all successful accesses to
|
|
.Xr syslogd 8
|
|
as
|
|
.Li auth.info
|
|
messages.
|
|
.El
|
|
.Pp
|
|
.Nm Rlogind
|
|
listens for service requests at the port indicated in
|
|
the ``login'' service specification; see
|
|
.Xr services 5 .
|
|
When a service request is received the following protocol
|
|
is initiated:
|
|
.Bl -enum
|
|
.It
|
|
The server checks the client's source port.
|
|
If the port is not in the range 512-1023, the server
|
|
aborts the connection.
|
|
.It
|
|
The server checks the client's source address
|
|
and requests the corresponding host name (see
|
|
.Xr gethostbyaddr 3 ,
|
|
.Xr hosts 5
|
|
and
|
|
.Xr named 8 ) .
|
|
If the hostname cannot be determined,
|
|
the dot-notation representation of the host address is used.
|
|
If the hostname is in the same domain as the server (according to
|
|
the last two components of the domain name),
|
|
or if the
|
|
.Fl a
|
|
option is given,
|
|
the addresses for the hostname are requested,
|
|
verifying that the name and address correspond.
|
|
Normal authentication is bypassed if the address verification fails.
|
|
.El
|
|
.Pp
|
|
Once the source port and address have been checked,
|
|
.Nm rlogind
|
|
proceeds with the authentication process described in
|
|
.Xr rshd 8 .
|
|
It then allocates a pseudo terminal (see
|
|
.Xr pty 4 ) ,
|
|
and manipulates file descriptors so that the slave
|
|
half of the pseudo terminal becomes the
|
|
.Em stdin ,
|
|
.Em stdout ,
|
|
and
|
|
.Em stderr
|
|
for a login process.
|
|
The login process is an instance of the
|
|
.Xr login 1
|
|
program, invoked with the
|
|
.Fl f
|
|
option if authentication has succeeded.
|
|
If automatic authentication fails, the user is
|
|
prompted to log in as if on a standard terminal line.
|
|
.Pp
|
|
The parent of the login process manipulates the master side of
|
|
the pseudo terminal, operating as an intermediary
|
|
between the login process and the client instance of the
|
|
.Xr rlogin
|
|
program. In normal operation, the packet protocol described
|
|
in
|
|
.Xr pty 4
|
|
is invoked to provide
|
|
.Ql ^S/^Q
|
|
type facilities and propagate
|
|
interrupt signals to the remote programs. The login process
|
|
propagates the client terminal's baud rate and terminal type,
|
|
as found in the environment variable,
|
|
.Ql Ev TERM ;
|
|
see
|
|
.Xr environ 7 .
|
|
The screen or window size of the terminal is requested from the client,
|
|
and window size changes from the client are propagated to the pseudo terminal.
|
|
.Pp
|
|
Transport-level keepalive messages are enabled unless the
|
|
.Fl n
|
|
option is present.
|
|
The use of keepalive messages allows sessions to be timed out
|
|
if the client crashes or becomes unreachable.
|
|
.Sh DIAGNOSTICS
|
|
All initial diagnostic messages are indicated
|
|
by a leading byte with a value of 1,
|
|
after which any network connections are closed.
|
|
If there are no errors before
|
|
.Xr login
|
|
is invoked, a null byte is returned as in indication of success.
|
|
.Bl -tag -width Ds
|
|
.It Sy Try again.
|
|
A
|
|
.Xr fork
|
|
by the server failed.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr login 1 ,
|
|
.Xr ruserok 3 ,
|
|
.Xr rshd 8
|
|
.Sh BUGS
|
|
The authentication procedure used here assumes the integrity
|
|
of each client machine and the connecting medium. This is
|
|
insecure, but is useful in an ``open'' environment.
|
|
.Pp
|
|
A facility to allow all data exchanges to be encrypted should be
|
|
present.
|
|
.Pp
|
|
A more extensible protocol should be used.
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.2 .
|