rlogin [-8EL] [-ec] [-A] [-K] [-x] [-PN | -PO] [-f | -F] [-a]
[-l username] [-k realm] hostname
The rlogin utility establishes a remote login session from your terminal
to the remote machine named hostname. The user can choose to kerberize
the rlogin session using Kerberos V5 and also protect the data being
Hostnames are listed in the hosts database, which can be
contained in the /etc/hosts file, the Network Information Service
(NIS) hosts map, the Internet domain name server, or a
combination of these. Each host has one official name (the first name in the
database entry), and optionally one or more nicknames. Either official
hostnames or nicknames can be specified in hostname.
The user can opt for a secure rlogin session which uses Kerberos
V5 for authentication. Encryption of the session data is also possible. The
rlogin session can be kerberized using any of the following Kerberos
specific options: -A, -PN or -PO, -x, -f
or -F, and -k realm. Some of these options (-A,
-x, -PN or -PO, and -f or -F) can also be
specified in the [appdefaults] section of krb5.conf(5). The
usage of these options and the expected behavior is discussed in the OPTIONS
section below. If Kerberos authentication is used, authorization to the
account is controlled through rules in krb5_auth_rules(7). If this
authorization fails, fallback to normal rlogin using rhosts
occurs only if the -PO option is used explicitly on the command line
or is specified in krb5.conf(5). Also notice that the -PN or
-PO, -x, -f or -F, and -k realm
options are just supersets of the -A option.
The remote terminal type is the same as your local terminal type,
as given in your environment TERM variable. The terminal or window
size is also copied to the remote system if the server supports the option.
Changes in size are reflected as well. All echoing takes place at the remote
site, so that (except for delays) the remote login is transparent. Flow
control using Control-S and Control-Q and flushing of input and output on
interrupts are handled properly.
The following options are supported:
Passes eight-bit data across the net instead of seven-bit
Forces the remote machine to ask for a password by
sending a null local username.
Explicitly enables Kerberos authentication and trusts the
file for access-control. If the authorization check by
on the server-side succeeds and if the .k5login
file permits access, the user is allowed to login without supplying a
Specifies a different escape character, c, for the
line used to disconnect from the remote host.
Stops any character from being recognized as an escape
Forwards a copy of the local credentials (Kerberos Ticket
Granting Ticket) to the remote system. This is a non-forwardable ticket
granting ticket. You must forward a ticket granting ticket if you need to
authenticate yourself to other Kerberized network services on the remote host.
An example is if your home directory on the remote host is NFS mounted
via Kerberos V5. If your local credentials are not forwarded in this case, you
cannot access your home directory. This option is mutually exclusive with the
Forwards a forwardable copy of the local credentials
(Kerberos Ticket Granting Ticket) to the remote system. The -F option
provides a superset of the functionality offered by the -f option. For
example, with the -f option, after you have connected to the remote host,
any attempt to invoke /usr/bin/ftp, /usr/bin/telnet,
/usr/bin/rlogin, or /usr/bin/rsh with the -f or -F
options would fail. Thus, you would be unable to push your single network sign
on trust beyond one system. This option is mutually exclusive with the
to obtain tickets for the remote host in realm
instead of the remote host's realm as determined by
This option explicitly disables Kerberos authentication.
It can be used to override the autologin
Specifies a different username for the remote
login. If you do not use this option, the remote username used is the same as
your local username.
Allows the rlogin session to be run in
Explicitly requests the new (-PN) or old (-PO) version of the Kerberos
`rcmd' protocol. The new protocol
avoids many security problems prevalent in the old one and is considered much
more secure, but is not interoperable with older (MIT/SEAM) servers. The new
protocol is used by default, unless explicitly specified using these options
or by using krb5.conf(5). If Kerberos authorization fails when using
the old `rcmd' protocol, there is fallback to regular, non-kerberized
rlogin. This is not the case when the new, more secure `rcmd'
protocol is used.
Turns on DES encryption for all data passed
through the rlogin session. This reduces response time and increases
Lines that you type which start with the tilde character (~) are
"escape sequences." The escape character can be changed using the
Disconnects from the remote host. This is not the same as
a logout, because the local host breaks the connection with no warning to the
Suspends the login session, but only if you are using a
shell with Job Control. susp is your "suspend" character,
usually Control-Z. See tty(1).
Suspends the input half of the login, but output is still
able to be seen (only if you are using a shell with Job Control). dsusp
is your "deferred suspend" character, usually Control-Y. See
The remote machine on which rlogin establishes the
remote login session.
For the kerberized rlogin session, each user can have a private authorization
list in a file, .k5login, in his home directory. Each line in this file
should contain a Kerberos principal name of the form
principal/instance@realm. If there is a ~/.k5login file,
access is granted to the account if and only if the originating user is
authenticated to one of the principals named in the ~/.k5login file.
Otherwise, the originating user is granted access to the account if and only
if the authenticated principal name of the user can be mapped to the local
account name using the authenticated-principal-name →
local-user-name mapping rules. The .k5login file (for access
control) comes into play only when Kerberos authentication is being done.
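The .k5login decision described above, modelled as an added example (not code from rlogin or the Kerberos libraries). default_mapping() is a simplified, hypothetical stand-in for the principal-to-local-user mapping rules, and the principals and realm are constructed sample values.

```python
from typing import Optional

# Constructed sample: the contents of ~alice/.k5login, one principal per line.
SAMPLE_K5LOGIN = "alice/admin@EXAMPLE.COM\nbob@EXAMPLE.COM\n"


def parse_k5login(text: str) -> set:
    """Return the principals listed in the file; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def default_mapping(principal: str, default_realm: str) -> Optional[str]:
    """Assumed stand-in for the mapping rules: 'user@REALM' maps to 'user'
    only when REALM is the local default realm and there is no instance."""
    name, _, realm = principal.rpartition("@")
    if not name or "/" in name or realm != default_realm:
        return None
    return name


def k5login_allows(principal: str, account: str,
                   k5login_text: Optional[str], default_realm: str) -> bool:
    """k5login_text is None when the account has no ~/.k5login file."""
    if k5login_text is not None:
        # File exists: access if and only if the principal is listed.
        # The mapping rules are not consulted, so an existing file that
        # omits the account owner's own principal locks the owner out.
        return principal in parse_k5login(k5login_text)
    # No file: access if and only if the principal maps to this account.
    return default_mapping(principal, default_realm) == account


if __name__ == "__main__":
    for who in ("bob@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        ok = k5login_allows(who, "alice", SAMPLE_K5LOGIN, "EXAMPLE.COM")
        print(who, "->", "allowed" if ok else "denied")
```

An empty .k5login is still a file that exists, so it denies every principal, including the account owner's.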
For the non-secure rlogin session, each remote machine can have a
file named /etc/hosts.equiv containing a list of trusted host names
with which it shares user names. Users with the same user name on both the
local and remote machine can rlogin from the machines listed in the
remote machine's /etc/hosts.equiv file without supplying a password.
Individual users may set up a similar private equivalence list with the file
.rhosts in their home directories. Each line in this file contains
two names, that is, a host name and a user name, separated by a space. An
entry in a remote user's .rhosts file permits the user named
username who is logged into hostname to log in to the remote
machine as the remote user without supplying a password. If the name of the
local host is not found in the /etc/hosts.equiv file on the remote
machine, and the local user name and host name are not found in the remote
user's .rhosts file, then the remote machine prompts for a password.
Host names listed in the /etc/hosts.equiv and .rhosts files
must be the official host names listed in the hosts database.
Nicknames cannot be used in either of these files.
For security reasons, the .rhosts file must be owned by
either the remote user or by root.
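The password-less trust decision for the non-secure session, as an added example that follows only the rules stated above (not the rlogin server's own code). Host names, user names and uids are constructed, and client_host is assumed to be the official name the server resolved for the connecting machine.

```python
def parse_hosts_equiv(text):
    """Trusted host names, taken as the first word of each non-blank line."""
    return {ln.split()[0] for ln in text.splitlines() if ln.strip()}


def parse_rhosts(text):
    """(host, user) pairs; only the two-name form described above is modelled."""
    pairs = set()
    for ln in text.splitlines():
        fields = ln.split()
        if len(fields) == 2:
            pairs.add((fields[0], fields[1]))
    return pairs


def rhosts_owner_ok(file_uid, remote_uid):
    """The .rhosts file must be owned by the remote user or by root (uid 0)."""
    return file_uid in (remote_uid, 0)


def needs_password(client_host, client_user, remote_user, remote_uid,
                   hosts_equiv="", rhosts=None, rhosts_uid=None):
    """True when the remote machine would prompt for a password.

    rhosts is the text of the remote user's .rhosts file (None if absent)
    and rhosts_uid is the uid that owns that file.
    """
    # hosts.equiv: trusted host and the same user name on both machines.
    if client_user == remote_user and client_host in parse_hosts_equiv(hosts_equiv):
        return False
    # .rhosts: exact (host, user) entry, honoured only with valid ownership.
    if rhosts is not None and rhosts_owner_ok(rhosts_uid, remote_uid):
        if (client_host, client_user) in parse_rhosts(rhosts):
            return False
    return True


# Constructed sample files for a remote account "dave" with uid 1001.
SAMPLE_EQUIV = "trusted.example.com\n"
SAMPLE_RHOSTS = "build.example.com carol\n"

if __name__ == "__main__":
    print(needs_password("build.example.com", "carol", "dave", 1001,
                         rhosts=SAMPLE_RHOSTS, rhosts_uid=1002))
```

Every case that returns False is a login accepted on the client's claimed host and user name alone, which is what an audit of these two files should enumerate.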
Contains information about users' accounts.
For hostname version of the command.
List of trusted hostnames with shared user names.
Message displayed to users attempting to login during
Private list of trusted hostname/username
File containing Kerberos principals that are allowed
Kerberos configuration file.
The following message indicates that the machine is in the process of being shut
down and logins have been disabled:
NO LOGINS: System going down in N minutes
When a system is listed in hosts.equiv, its security must be as good as
local security. One insecure system listed in hosts.equiv can
compromise the security of the entire system.
The Network Information Service (NIS) was formerly known as
Sun Yellow Pages (YP). The functionality of the two remains the same.
Only the name has changed.
This implementation can only use the TCP network