RLOGIN(1) User Commands RLOGIN(1)
NAME
rlogin - remote login
SYNOPSIS
rlogin [
-8EL] [
-ec ] [
-A] [
-K] [
-x] [
-PN |
-PO] [
-f |
-F] [
-a]
[
-l username] [
-k realm]
hostnameDESCRIPTION
The
rlogin utility establishes a remote login session from your
terminal to the remote machine named
hostname. The user can choose to
kerberize the rlogin session using Kerberos V5 and also protect the
data being transferred.
Hostnames are listed in the
hosts database, which can be contained in
the
/etc/hosts file, the Network Information Service (
NIS)
hosts map,
the Internet domain name server, or a combination of these. Each host
has one official name (the first name in the database entry), and
optionally one or more nicknames. Either official hostnames or
nicknames can be specified in
hostname.
The user can opt for a secure rlogin session which uses Kerberos V5
for authentication. Encryption of the session data is also possible.
The rlogin session can be kerberized using any of the following
Kerberos specific options:
-A,
-PN or
-PO,
-x,
-f or
-F, and
-k realm. Some of these options (
-A,
-x,
-PN or
-PO, and
-f or
-F) can
also be specified in the
[appdefaults] section of
krb5.conf(5). The
usage of these options and the expected behavior is discussed in the
OPTIONS section below. If Kerberos authentication is used,
authorization to the account is controlled through rules in
krb5_auth_rules(7). If this authorization fails, fallback to normal
rlogin using
rhosts occurs only if the
-PO option is used explicitly
on the command line or is specified in
krb5.conf(5). Also notice that
the
-PN or
-PO,
-x,
-f or
-F, and
-k realm options are just supersets
of the
-A option.
The remote terminal type is the same as your local terminal type, as
given in your environment
TERM variable. The terminal or window size
is also copied to the remote system if the server supports the
option. Changes in size are reflected as well. All echoing takes
place at the remote site, so that (except for delays) the remote
login is transparent. Flow control using Control-S and Control-Q and
flushing of input and output on interrupts are handled properly.
OPTIONS
The following options are supported:
-8 Passes eight-bit data across the net instead of seven-
bit data.
-a Forces the remote machine to ask for a password by
sending a null local username.
-A Explicitly enables Kerberos authentication and trusts
the
.k5login file for access-control. If the
authorization check by
in.rlogind(8) on the server-
side succeeds and if the
.k5login file permits access,
the user is allowed to login without supplying a
password.
-ec Specifies a different escape character,
c, for the
line used to disconnect from the remote host.
-E Stops any character from being recognized as an escape
character.
-f Forwards a copy of the local credentials (Kerberos
Ticket Granting Ticket) to the remote system. This is
a non-forwardable ticket granting ticket. You must
forward a ticket granting ticket if you need to
authenticate yourself to other Kerberized network
services on the remote host. An example is if your
home directory on the remote host is
NFS mounted via
Kerberos V5. If your local credentials are not
forwarded in this case, you can not access your home
directory. This option is mutually exclusive with the
-F option.
-F Forwards a forwardable copy of the local credentials
(Kerberos Ticket Granting Ticket) to the remote
system. The
-F option provides a superset of the
functionality offered by the
-f option. For example,
with the
-f option, after you connected to the remote
host, any attempt to invoke
/usr/bin/ftp,
/usr/bin/telnet,
/usr/bin/rlogin, or
/usr/bin/rsh with
the
-f or
-F options would fail. Thus, you would be
unable to push your single network sign on trust
beyond one system. This option is mutually exclusive
with the
-f option.
-k realm Causes
rlogin to obtain tickets for the remote host in
realm instead of the remote host's realm as determined
by
krb5.conf(5).
-K This option explicitly disables Kerberos
authentication. It can be used to override the
autologin variable in
krb5.conf(5).
-l username Specifies a different
username for the remote login.
If you do not use this option, the remote username
used is the same as your local username.
-L Allows the rlogin session to be run in "
litout" mode.
-PN -PO Explicitly requests the new (
-PN) or old (
-PO) version
of the Kerberos `
rcmd' protocol. The new protocol
avoids many security problems prevalent in the old one
and is considered much more secure, but is not
interoperable with older (MIT/SEAM) servers. The new
protocol is used by default, unless explicitly
specified using these options or by using
krb5.conf(5). If Kerberos authorization fails when
using the old `
rcmd' protocol, there is fallback to
regular, non-kerberized
rlogin. This is not the case
when the new, more secure `
rcmd' protocol is used.
-x Turns on
DES encryption for all data passed through
the rlogin session. This reduces response time and
increases
CPU utilization.
Escape Sequences
Lines that you type which start with the tilde character (
~) are
"escape sequences." The escape character can be changed using the
-e option.
~. Disconnects from the remote host. This is not the same as a
logout, because the local host breaks the connection with
no warning to the remote end.
~susp Suspends the login session, but only if you are using a
shell with Job Control.
susp is your "suspend" character,
usually Control-Z. See
tty(1).
~dsusp Suspends the input half of the login, but output is still
able to be seen (only if you are using a shell with Job
Control).
dsusp is your "deferred suspend" character,
usually Control-Y. See
tty(1).
OPERANDS
hostname The remote machine on which
rlogin establishes the remote
login session.
USAGE
For the kerberized rlogin session, each user can have a private
authorization list in a file,
.k5login, in his home directory. Each
line in this file should contain a Kerberos principal name of the
form
principal/
instance@realm. If there is a
~/.k5login file, access
is granted to the account if and only if the originating user is
authenticated to one of the principals named in the
~/.k5login file.
Otherwise, the originating user is granted access to the account if
and only if the authenticated principal name of the user can be
mapped to the local account name using the
authenticated-principal- name ->
local-user-name mapping rules. The
.k5login file (for access
control) comes into play only when Kerberos authentication is being
done.
For the non-secure rlogin session, each remote machine can have a
file named
/etc/hosts.equiv containing a list of trusted host names
with which it shares user names. Users with the same user name on
both the local and remote machine can
rlogin from the machines listed
in the remote machine's
/etc/hosts.equiv file without supplying a
password. Individual users may set up a similar private equivalence
list with the file
.rhosts in their home directories. Each line in
this file contains two names, that is, a host name and a user name,
separated by a space. An entry in a remote user's
.rhosts file
permits the user named
username who is logged into
hostname to log in
to the remote machine as the remote user without supplying a
password. If the name of the local host is not found in the
/etc/hosts.equiv file on the remote machine, and the local user name
and host name are not found in the remote user's .
rhosts file, then
the remote machine prompts for a password. Host names listed in the
/etc/hosts.equiv and
.rhosts files must be the official host names
listed in the
hosts database. Nicknames can not be used in either of
these files.
For security reasons, the
.rhosts file must be owned by either the
remote user or by root.
FILES
/etc/passwd Contains information about users' accounts.
/usr/hosts/* For
hostname version of the command.
/etc/hosts.equiv List of trusted hostnames with shared user
names.
/etc/nologin Message displayed to users attempting to login
during machine shutdown.
$HOME/.rhosts Private list of trusted hostname/username
combinations.
$HOME/.k5login File containing Kerberos principals that are
allowed access.
/etc/krb5/krb5.conf Kerberos configuration file.
/etc/hosts Hosts database.
SEE ALSO
rsh(1),
stty(1),
tty(1),
hosts(5),
hosts.equiv(5),
krb5.conf(5),
nologin(5),
attributes(7),
krb5_auth_rules(7),
in.rlogind(8)DIAGNOSTICS
The following message indicates that the machine is in the process of
being shut down and logins have been disabled:
NO LOGINS: System going down in
N minutesNOTES
When a system is listed in
hosts.equiv, its security must be as good
as local security. One insecure system listed in
hosts.equiv can
compromise the security of the entire system.
The Network Information Service (
NIS) was formerly known as Sun
Yellow Pages (
YP.) The functionality of the two remains the same.
Only the name has changed.
This implementation can only use the
TCP network service.
September 12, 2020 RLOGIN(1)
