klogind man page on SuSE

KLOGIND(8)							    KLOGIND(8)

NAME
       klogind - remote login server

SYNOPSIS
       klogind [ -kr54cpPef ] [ -w[ip|maxhostlen[,[no]striplocal]] ]
       [ -D port ]

DESCRIPTION
       Klogind is the server for the rlogin(1) program.	 The server  is	 based
       on rlogind(8) but uses Kerberos authentication.

       The klogind server is invoked by inetd(8) when it receives a connection
       on the port indicated in /etc/inetd.conf.   A  typical  /etc/inetd.conf
       configuration line for klogind might be:

       klogin stream tcp nowait root /usr/lib/mit/sbin/klogind klogind -e5c

       When  a	service	 request is received, the following protocol is initi‐
       ated:

       1)     Check authentication.

       2)     Check authorization via the access-control  files	 .k5login  and
	      .klogin in the user's home directory.

       3)     Prompt  for  password  if	 any checks fail and the -p option was
	      supplied.

       If the authentication succeeds, log the user in by calling the
       accompanying login.krb5 or /bin/login, according to the definition of
       DO_NOT_USE_K_LOGIN.

       The configuration of klogind is done by command line  arguments	passed
       by inetd.  The options are:

       -5	 Allow	Kerberos  V5  authentication  with the .k5login access
		 control file to be trusted.  If this authentication system is
		 used  by  the	client	and the authorization check is passed,
		 then the user is allowed to log in.  If the user has no
		 .k5login file, the login will be authorized if the result of
		 the krb5_aname_to_localname conversion matches the account name.
		 Unless special rules are configured, this will be true if and
		 only if the Kerberos principal of the connecting user	is  in
		 the default local realm and the principal portion matches the
		 account name.

       -4	 Allow Kerberos V4 authentication with the .klogin access con‐
		 trol  file  to	 be trusted.  If this authentication system is
		 used by the client and the  authorization  check  is  passed,
		 then the user is allowed to log in.

       -k	 Allow	Kerberos  V5 and Kerberos V4 as acceptable authentica‐
		 tion mechanisms.  This is the same as including -4 and -5.

       -p	 If all other authorization checks fail, prompt the user for a
		 password.  If this option is not included, access is denied
		 without successful authentication and authorization using one
		 of the previous mechanisms.

       -P	 Prompt	 the user for a password.  If the -P option is passed,
		 then the password  is	verified  in  addition	to  all	 other
		 checks.

       -e	 Create an encrypted session.

       -c	 Require Kerberos V5 clients to present a cryptographic check‐
		 sum of initial connection information like the	 name  of  the
		 user  that  the  client  is  trying  to access in the initial
		 authenticator.	 This checksum provides additional security by
		 preventing  an	 attacker from changing the initial connection
		 information.  To benefit from this security, only Kerberos V5
		 should	 be  trusted; Kerberos V4 and rhosts authentication do
		 not include this checksum.   If  this	option	is  specified,
		 older	Kerberos V5 clients that do not send a checksum in the
		 authenticator will  not  be  able  to	authenticate  to  this
		 server.   This	 option	 is  mutually  exclusive  with	the -i
		 option.

		 If neither the -c nor the -i option is specified, then
		 checksums are validated if presented.  Since it is difficult
		 to remove a checksum from an authenticator without making the
		 authenticator invalid, this default mode is almost as
		 significant a security improvement as -c if new clients are
		 used.  It has the additional advantage of backwards
		 compatibility with some clients.  Unfortunately, clients
		 before Kerberos V5, Beta5, generate invalid checksums; if
		 these clients are used, the -i option must be used.

       -i	 Ignore authenticator checksums if provided.  This option
		 ignores authenticator checksums presented by current Kerberos
		 clients to protect initial connection information; it is the
		 opposite  of  -c.  This option is provided because some older
		 clients--particularly clients predating the release  of  Ker‐
		 beros	V5 Beta5 (May 1995)--present bogus checksums that pre‐
		 vent Kerberos authentication from succeeding in  the  default
		 mode.
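
Added example (not part of the original man page or of the Kerberos distribution): a Python check that reads klogind entries from inetd.conf text and reports option combinations the descriptions above call out, such as trusting Kerberos V4, ignoring checksums, or combining -c with -i. The sample lines, the finding codes and the function names are constructed for illustration.

```python
import os

# Constructed sample /etc/inetd.conf lines (not taken from a real host).
SAMPLE = """\
klogin stream tcp nowait root /usr/lib/mit/sbin/klogind klogind -e5c
klogin stream tcp nowait root /usr/lib/mit/sbin/klogind klogind -k -i -p
klogin stream tcp nowait root /usr/lib/mit/sbin/klogind klogind -5 -c -i -w ip
"""

TAKES_VALUE = set("wDSML")  # options documented on this page as taking a value

def parse_flags(args):
    """Expand clustered options such as -e5c into a set of option letters."""
    flags = set()
    for tok in args:
        if not tok.startswith("-"):
            continue  # an option value, e.g. "ip" after -w
        for ch in tok[1:]:
            flags.add(ch)
            if ch in TAKES_VALUE:
                break  # the rest of the token is the value, e.g. -wip
    return flags

def audit(flags):
    """Return finding codes (names invented here) for one set of klogind options."""
    if "k" in flags:  # -k is the same as including -4 and -5
        flags = flags | {"4", "5"}
    checks = [
        ("V4_TRUSTED", "4" in flags),               # V4 carries no checksum
        ("C_AND_I_CONFLICT", {"c", "i"} <= flags),  # mutually exclusive
        ("CHECKSUM_IGNORED", "i" in flags and "c" not in flags),
        ("CHECKSUM_OPTIONAL", not flags & {"c", "i"}),  # checked only if sent
        ("NOT_ENCRYPTED", "e" not in flags),
        ("PASSWORD_FALLBACK", "p" in flags),        # prompt when checks fail
    ]
    return [code for code, hit in checks if hit]

def audit_inetd(text):
    """Return (line_number, findings) for each klogind entry in inetd.conf text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()
        if any(os.path.basename(f) == "klogind" for f in fields[5:7]):
            results.append((lineno, audit(parse_flags(fields[7:]))))
    return results

if __name__ == "__main__":
    for lineno, findings in audit_inetd(SAMPLE):
        print(lineno, findings or "ok")
```

The first sample line is the -e5c configuration shown in DESCRIPTION and produces no findings.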

       The parent of the login process manipulates the master side of the
       pseudo terminal, operating as an intermediary between the login process
       and the client instance of the rlogin(1) program.  In normal operation,
       the packet protocol described in pty(4) is  invoked  to	provide	 ^S/^Q
       type facilities and propagate interrupt signals to the remote programs.
       The login process propagates the client terminal's baud rate and termi‐
       nal  type,  as  found  in the environment variable, ``TERM''; see envi‐
       ron(7).	The screen or window size of the terminal  is  requested  from
       the  client,  and window size changes from the client are propagated to
       the pseudo terminal.

       Klogind supports the following options to control the form of the host‐
       name passed to login(1):

       -w [ip|maxhostlen[,[no]striplocal]]
	      Controls	the  form  of  the remote hostname passed to login(1).
	      Specifying ip results in the numeric  IP	address	 always	 being
	      passed  to  login(1).  Specifying a number, maxhostlen, sets the
	      maximum length of the hostname passed to login(1) before it will
	      be passed as a numeric IP address.  If maxhostlen is 0, then the
	      system default, as determined by the utmp or  utmpx  structures,
	      is used.	The nostriplocal and striplocal options, which must be
	      preceded by a comma, control  whether  or	 not  the  local  host
	      domain  is  stripped  from the remote hostname.  By default, the
	      equivalent of striplocal is in effect.

       Klogind supports five options which are used for testing purposes:

       -S keytab Set the keytab file to use.

       -M realm	 Set the Kerberos realm to use.

       -L login	 Set the login program to use.	This option only has an effect
		 if  DO_NOT_USE_K_LOGIN	 was not defined when klogind was com‐
		 piled.

       -D port	 Run in standalone mode, listening on port.  The  daemon  will
		 exit after one connection and will not background itself.

       -f	 Allows	 for  standalone  daemon  operation.   A  new child is
		 started for each incoming connection and waits for it to fin‐
		 ish before accepting the next connection.  This automagically
		 figures out which port to bind to if no port is specified.

DIAGNOSTICS
       All diagnostic messages are returned on the connection associated  with
       the  stderr,  after which any network connections are closed.  An error
       is indicated by a leading byte with a value of 1.

       ``Try again.''
       A fork by the server failed.

       ``/bin/sh: ...''
       The user's login shell could not be started.

SEE ALSO
       rlogind(8), rlogin(1)

BUGS
       A more extensible protocol should be used.

								    KLOGIND(8)