RLOGIN(1) User Commands RLOGIN(1)
NAME
rlogin - remote login
SYNOPSIS
rlogin [
-8EL] [
-ec ] [
-A] [
-K] [
-x] [
-PN |
-PO] [
-f |
-F] [
-a]
[
-l username] [
-k realm]
hostnameDESCRIPTION
The
rlogin utility establishes a remote login session from your terminal
to the remote machine named
hostname. The user can choose to kerberize
the rlogin session using Kerberos V5 and also protect the data being
transferred.
Hostnames are listed in the
hosts database, which can be contained in the
/etc/hosts file, the Network Information Service (
NIS)
hosts map, the
Internet domain name server, or a combination of these. Each host has one
official name (the first name in the database entry), and optionally one
or more nicknames. Either official hostnames or nicknames can be
specified in
hostname.
The user can opt for a secure rlogin session which uses Kerberos V5 for
authentication. Encryption of the session data is also possible. The
rlogin session can be kerberized using any of the following Kerberos
specific options:
-A,
-PN or
-PO,
-x,
-f or
-F, and
-k realm. Some of
these options (
-A,
-x,
-PN or
-PO, and
-f or
-F) can also be specified in
the
[appdefaults] section of
krb5.conf(5). The usage of these options and
the expected behavior is discussed in the OPTIONS section below. If
Kerberos authentication is used, authorization to the account is
controlled through rules in
krb5_auth_rules(7). If this authorization
fails, fallback to normal
rlogin using
rhosts occurs only if the
-PO option is used explicitly on the command line or is specified in
krb5.conf(5). Also notice that the
-PN or
-PO,
-x,
-f or
-F, and
-k realm options are just supersets of the
-A option.
The remote terminal type is the same as your local terminal type, as
given in your environment
TERM variable. The terminal or window size is
also copied to the remote system if the server supports the option.
Changes in size are reflected as well. All echoing takes place at the
remote site, so that (except for delays) the remote login is transparent.
Flow control using Control-S and Control-Q and flushing of input and
output on interrupts are handled properly.
OPTIONS
The following options are supported:
-8 Passes eight-bit data across the net instead of seven-bit
data.
-a Forces the remote machine to ask for a password by sending
a null local username.
-A Explicitly enables Kerberos authentication and trusts the
.k5login file for access-control. If the authorization
check by
in.rlogind(8) on the server-side succeeds and if
the
.k5login file permits access, the user is allowed to
login without supplying a password.
-ec Specifies a different escape character,
c, for the line
used to disconnect from the remote host.
-E Stops any character from being recognized as an escape
character.
-f Forwards a copy of the local credentials (Kerberos Ticket
Granting Ticket) to the remote system. This is a non-
forwardable ticket granting ticket. You must forward a
ticket granting ticket if you need to authenticate
yourself to other Kerberized network services on the
remote host. An example is if your home directory on the
remote host is
NFS mounted via Kerberos V5. If your local
credentials are not forwarded in this case, you can not
access your home directory. This option is mutually
exclusive with the
-F option.
-F Forwards a forwardable copy of the local credentials
(Kerberos Ticket Granting Ticket) to the remote system.
The
-F option provides a superset of the functionality
offered by the
-f option. For example, with the
-f option,
after you connected to the remote host, any attempt to
invoke
/usr/bin/ftp,
/usr/bin/telnet,
/usr/bin/rlogin, or
/usr/bin/rsh with the
-f or
-F options would fail. Thus,
you would be unable to push your single network sign on
trust beyond one system. This option is mutually
exclusive with the
-f option.
-k realm Causes
rlogin to obtain tickets for the remote host in
realm instead of the remote host's realm as determined by
krb5.conf(5).
-K This option explicitly disables Kerberos authentication.
It can be used to override the
autologin variable in
krb5.conf(5).
-l username Specifies a different
username for the remote login. If
you do not use this option, the remote username used is
the same as your local username.
-L Allows the rlogin session to be run in "
litout" mode.
-PN -PO Explicitly requests the new (
-PN) or old (
-PO) version of
the Kerberos `
rcmd' protocol. The new protocol avoids many
security problems prevalent in the old one and is
considered much more secure, but is not interoperable with
older (MIT/SEAM) servers. The new protocol is used by
default, unless explicitly specified using these options
or by using
krb5.conf(5). If Kerberos authorization fails
when using the old `
rcmd' protocol, there is fallback to
regular, non-kerberized
rlogin. This is not the case when
the new, more secure `
rcmd' protocol is used.
-x Turns on
DES encryption for all data passed through the
rlogin session. This reduces response time and increases
CPU utilization.
Escape Sequences
Lines that you type which start with the tilde character (
~) are "escape
sequences." The escape character can be changed using the
-e option.
~. Disconnects from the remote host. This is not the same as a
logout, because the local host breaks the connection with no
warning to the remote end.
~susp Suspends the login session, but only if you are using a shell
with Job Control.
susp is your "suspend" character, usually
Control-Z. See
tty(1).
~dsusp Suspends the input half of the login, but output is still able
to be seen (only if you are using a shell with Job Control).
dsusp is your "deferred suspend" character, usually Control-Y.
See
tty(1).
OPERANDS
hostname The remote machine on which
rlogin establishes the remote
login session.
USAGE
For the kerberized rlogin session, each user can have a private
authorization list in a file,
.k5login, in his home directory. Each line
in this file should contain a Kerberos principal name of the form
principal/
instance@realm. If there is a
~/.k5login file, access is
granted to the account if and only if the originating user is
authenticated to one of the principals named in the
~/.k5login file.
Otherwise, the originating user is granted access to the account if and
only if the authenticated principal name of the user can be mapped to the
local account name using the
authenticated-principal-name ->
local-user- name mapping rules. The
.k5login file (for access control) comes into
play only when Kerberos authentication is being done.
For the non-secure rlogin session, each remote machine can have a file
named
/etc/hosts.equiv containing a list of trusted host names with which
it shares user names. Users with the same user name on both the local and
remote machine can
rlogin from the machines listed in the remote
machine's
/etc/hosts.equiv file without supplying a password. Individual
users may set up a similar private equivalence list with the file
.rhosts in their home directories. Each line in this file contains two names,
that is, a host name and a user name, separated by a space. An entry in a
remote user's
.rhosts file permits the user named
username who is logged
into
hostname to log in to the remote machine as the remote user without
supplying a password. If the name of the local host is not found in the
/etc/hosts.equiv file on the remote machine, and the local user name and
host name are not found in the remote user's .
rhosts file, then the
remote machine prompts for a password. Host names listed in the
/etc/hosts.equiv and
.rhosts files must be the official host names listed
in the
hosts database. Nicknames can not be used in either of these
files.
For security reasons, the
.rhosts file must be owned by either the remote
user or by root.
FILES
/etc/passwd Contains information about users' accounts.
/usr/hosts/* For
hostname version of the command.
/etc/hosts.equiv List of trusted hostnames with shared user names.
/etc/nologin Message displayed to users attempting to login
during machine shutdown.
$HOME/.rhosts Private list of trusted hostname/username
combinations.
$HOME/.k5login File containing Kerberos principals that are
allowed access.
/etc/krb5/krb5.conf Kerberos configuration file.
/etc/hosts Hosts database.
SEE ALSO
rsh(1),
stty(1),
tty(1),
hosts(5),
hosts.equiv(5),
krb5.conf(5),
nologin(5),
attributes(7),
krb5_auth_rules(7),
in.rlogind(8)DIAGNOSTICS
The following message indicates that the machine is in the process of
being shut down and logins have been disabled:
NO LOGINS: System going down in
N minutesNOTES
When a system is listed in
hosts.equiv, its security must be as good as
local security. One insecure system listed in
hosts.equiv can compromise
the security of the entire system.
The Network Information Service (
NIS) was formerly known as Sun Yellow
Pages (
YP.) The functionality of the two remains the same. Only the name
has changed.
This implementation can only use the
TCP network service.
September 12, 2020
RLOGIN(1)