Provided by: krb5-rsh-server_1.4.3-5_i386


       klogind - remote login server


       klogind [ -kr54cpPef ] [ -w[ip|maxhostlen[,[no]striplocal]] ] [ -D port ]


       Klogind is the server for the rlogin(1) program.  The server  is  based
       on rlogind(8) but uses Kerberos authentication.

       The klogind server is invoked by inetd(8) when it receives a connection
       on the port indicated in /etc/inetd.conf.   A  typical  /etc/inetd.conf
       configuration line for klogind might be:

       klogin stream tcp nowait root /usr/sbin/klogind klogind -e5c

       When   a  service  request  is  received,  the  following  protocol  is

       1)     Check authentication.

       2)     Check authorization via the access-control  files  .k5login  and
              .klogin in the user’s home directory.

       3)     Prompt  for  password  if  any checks fail and the -p option was

       If the authentication succeeds, log the user in by calling the
       accompanying login.krb5 or /bin/login, according to the definition of

       The configuration of klogind is done by command line  arguments  passed
       by inetd.  The options are:

       -5        Allow  Kerberos  V5  authentication  with the .k5login access
                 control file to be trusted.  If this authentication system is
                 used  by  the  client  and the authorization check is passed,
                 then the user is allowed to log  in.   If  the  user  has  no
                 .k5login file, the login will be authorized if the results of
                 krb5_aname_to_localname conversion matches the account  name.
                 Unless special rules are configured, this will be true if and
                 only if the Kerberos principal of the connecting user  is  in
                 the default local realm and the principal portion matches the
                 account name.
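The authorization step that klogind -5 performs after a successful Kerberos V5 authentication, as an added example (not code from the klogind man page or from MIT Kerberos). It assumes no special auth_to_local rules, a simplified principal parser, and an exact string match of .k5login entries; the account's .k5login is passed in as a list of lines, or None when the file does not exist.

```python
from typing import List, Optional

# Assumed principal parser: 'name[/instance]@REALM' -> (name, instance, realm).
def split_principal(principal: str):
    if "@" not in principal:
        raise ValueError("principal must carry a realm: " + principal)
    local, realm = principal.rsplit("@", 1)
    name, _, instance = local.partition("/")
    return name, instance, realm

def default_aname_to_localname(principal: str, default_realm: str) -> Optional[str]:
    """Default krb5_aname_to_localname behaviour as described on the page:
    with no special rules, a principal maps to a local name only if it is in
    the default local realm and has a single component; the mapping is the
    name component itself.  Otherwise there is no local name (None)."""
    name, instance, realm = split_principal(principal)
    if realm != default_realm or instance:
        return None
    return name

def k5login_authorizes(k5login: Optional[List[str]], principal: str,
                       account: str, default_realm: str) -> bool:
    """Step 2 of the protocol for a V5 client: decide whether `principal`
    may log in as `account`.  `k5login` is the content of ~account/.k5login
    (one principal per line) or None if the file is absent."""
    if k5login is None:
        # No .k5login: authorized only if the principal maps to the account.
        return default_aname_to_localname(principal, default_realm) == account
    # .k5login exists: only principals listed in it are accepted (assumed
    # exact comparison after trimming whitespace; blank lines ignored).
    allowed = {line.strip() for line in k5login if line.strip()}
    return principal in allowed
```

Note that once a .k5login exists, the default name mapping no longer applies: alice@EXAMPLE.COM is refused as account "alice" if the file lists only other principals.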

       -4        Allow Kerberos V4  authentication  with  the  .klogin  access
                 control file to be trusted.  If this authentication system is
                 used by the client and the  authorization  check  is  passed,
                 then the user is allowed to log in.

       -k        Allow   Kerberos   V5   and   Kerberos   V4   as   acceptable
                 authentication mechanisms.  This is the same as including  -4
                 and -5.

       -p        If all other authorization checks fail, prompt the user for
                 a password.  If this option is not included, access is denied
                 without successful authentication and authorization using one
                 of the previous mechanisms.

       -P        Prompt the user for a password.  If the -P option is  passed,
                 then  the  password  is  verified  in  addition  to all other

       -e        Create an encrypted session.

       -c        Require  Kerberos  V5  clients  to  present  a  cryptographic
                 checksum  of  initial connection information like the name of
                 the user that the client is trying to access in  the  initial
                 authenticator.   This checksum provides additional security by
                 preventing an attacker from changing the  initial  connection
                 information.  To benefit from this security, only Kerberos V5
                 should be trusted; Kerberos V4 and rhosts  authentication  do
                 not  include  this  checksum.   If  this option is specified,
                 older Kerberos V5 clients that do not send a checksum in  the
                 authenticator  will  not  be  able  to  authenticate  to this
                 server.  This  option  is  mutually  exclusive  with  the  -i

                 If neither the -c nor the -i option is specified, then
                 checksums are validated if presented.  Since it is  difficult
                 to remove a checksum from an authenticator without making the
                 authenticator  invalid,  this  default  mode  is  almost   as
                 significant  a  security improvement as -c if new clients
                 are used.  It  has  the  additional  advantage  of  backwards
                 compatibility  with  some  clients.   Unfortunately,  clients
                 before Kerberos V5, Beta5,  generate  invalid  checksums;  if
                 these clients are used, the -i option must be used.

       -i        Ignore  authenticator  checksums  if  provided.   This option
                 ignores authenticator checksums presented by current Kerberos
                 clients  to protect initial connection information; it is the
                 opposite of -c.  This option is provided because  some  older
                 clients--particularly   clients   predating  the  release  of
                 Kerberos V5 Beta5 (May 1995)--present  bogus  checksums  that
                 prevent   Kerberos  authentication  from  succeeding  in  the
                 default mode.

       The parent of the login process manipulates  the  master  side  of  the
       pseudo terminal, operating as an intermediary between the login process
       and the client instance of the rlogin(1) program.  In normal operation,
       the  packet  protocol  described  in pty(4) is invoked to provide ^S/^Q
       type facilities and propagate interrupt signals to the remote programs.
       The  login  process  propagates  the  client  terminal’s  baud rate and
       terminal type, as found in  the  environment  variable,  ‘‘TERM’’;  see
       environ(7).   The  screen  or  window size of the terminal is requested
       from the client, and window size changes from the client are propagated
       to the pseudo terminal.

       Klogind  supports  the  following  options  to  control the form of the
       hostname passed to login(1):

       -w [ip|maxhostlen[,[no]striplocal]]
              Controls the form of the remote  hostname  passed  to  login(1).
              Specifying  ip  results  in  the numeric IP address always being
              passed to login(1).  Specifying a number, maxhostlen,  sets  the
              maximum length of the hostname passed to login(1) before it will
              be passed as a numeric IP address.  If maxhostlen is 0, then the
              system  default,  as determined by the utmp or utmpx structures,
              is used.  The nostriplocal and striplocal options, which must be
              preceded  by  a  comma,  control  whether  or not the local host
              domain is stripped from the remote hostname.   By  default,  the
              equivalent of striplocal is in effect.
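What the -w option does to the remote hostname before it reaches login(1), as an added example (not klogind's own code). It assumes the maxhostlen comparison is made after the local domain has been stripped, and uses a placeholder constant for the utmp/utmpx host-field width selected by maxhostlen 0, since the real value is system-specific.

```python
import ipaddress

# Placeholder for the ut_host size of this system's utmp/utmpx structure
# (assumed value; the real width depends on the platform).
ASSUMED_UTMP_HOST_LEN = 256

def parse_w_option(arg: str):
    """Parse the argument of -w: 'ip' or maxhostlen, optionally followed by
    ',striplocal' or ',nostriplocal'.  Returns (mode, maxlen, strip_local)."""
    first, _, suffix = arg.partition(",")
    if suffix not in ("", "striplocal", "nostriplocal"):
        raise ValueError("bad -w suffix: " + suffix)
    strip_local = suffix != "nostriplocal"   # striplocal is the default
    if first == "ip":
        return "ip", None, strip_local
    if not first.isdigit():
        raise ValueError("bad -w argument: " + first)
    maxlen = int(first)
    if maxlen == 0:
        maxlen = ASSUMED_UTMP_HOST_LEN          # 0 selects the system default
    return "len", maxlen, strip_local

def hostname_for_login(hostname: str, ip: str, local_domain: str, w_arg: str) -> str:
    """Return the host string klogind would pass to login(1) for a client
    whose reverse-resolved name is `hostname` and whose address is `ip`."""
    mode, maxlen, strip_local = parse_w_option(w_arg)
    ipaddress.ip_address(ip)                    # reject a malformed address early
    if mode == "ip":
        return ip                               # -w ip: always the numeric address
    host = hostname
    tail = "." + local_domain.lower()
    if strip_local and host.lower().endswith(tail):
        host = host[:-len(tail)]                # drop the local domain
    # A name longer than maxhostlen is replaced by the numeric address.
    return host if len(host) <= maxlen else ip
```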

       Klogind supports five options which are used for testing purposes:

       -S keytab Set the keytab file to use.

       -M realm  Set the Kerberos realm to use.

       -L login  Set the login program to use.  This option only has an effect
                 if  DO_NOT_USE_K_LOGIN  was  not  defined  when  klogind  was

       -D port   Run  in  standalone mode, listening on port.  The daemon will
                 exit after one connection and will not background itself.

       -f        Allows for standalone  daemon  operation.   A  new  child  is
                 started  for  each  incoming  connection  and waits for it to
                 finish  before   accepting   the   next   connection.    This
                 automagically figures out which port to bind to if no port is


       All diagnostic messages are returned on the connection associated  with
       the  stderr,  after which any network connections are closed.  An error
       is indicated by a leading byte with a value of 1.

       ‘‘Try again.’’
       A fork by the server failed.

       ‘‘/bin/sh: ...’’
       The user’s login shell could not be started.


       rlogind(8), rlogin(1)


       A more extensible protocol should be used.