rlogind - Validate rlogin requests

Format

rlogind [-a] [-d] [-l] [-L] [-m] [-n]

Description

Warning: The rlogin daemon is inherently insecure because it performs user authentication over cleartext sockets. A remote attacker can exploit this weakness to sniff login names and passwords. Do not use this daemon if you can avoid it.

The rlogind program is the server for the remote login command rlogin commonly found on UNIX systems. It validates the remote login request and verifies the password or password phrase of the target user. It starts a z/OS shell for the user and handles conversion between ASCII and EBCDIC code pages as data flows between the workstation and the shell.

The rlogind program is given control via an execl() issued by the inetd daemon.

Rule: Always invoke rlogind from inetd through the /etc/inetd.conf file. Do not invoke it from the shell. inetd sets up certain files and sockets that are needed by rlogind. Invoking rlogind directly gives unpredictable results.

Options

-a
Checks the requester's Internet address against the local gethostbyname() file. This option has no effect because the rlogin program never uses the .rhosts file for authentication.
-d
Enables the debugging option. Informational messages on the rlogin process are written to the system log.
-l
The .rhosts file for authentication is not used. This option has no effect because the rlogin program never uses the .rhosts file for authentication.
-L
Allows a ruserok exit that resides in /usr/sbin to be called. A return code of zero bypasses password or password phrase checking. The installation is responsible for providing the ruserok exit.
Note: IBM® does not recommend using this capability. Using it might open security holes, allowing unauthorized users to access and modify files and MVS™ data sets. Even with the most rigorous checking in the ruserok exit, keep in mind that well-known IP spoofing attacks make it impossible to reliably determine the remote user's identity.

Do not specify the -L flag. APARs will not be accepted for security problems that are caused by the use of this option.

When the -L flag is specified, /usr/sbin/ruserok is called, passing:
  • The name of the program, /usr/sbin/ruserok.
  • The hostname or hostname.domainname of the client.
  • A superuser flag, an integer set to 1 if the user wants to be superuser.
  • The client user name, the user name on the client system.
  • The server user name, the user name on the server's system.
If the ruserok program exits with a zero return value, the user is allowed to log in. Otherwise, normal password or password phrase checking is done.
Note: If the FACILITY class is active, and BPX.DAEMON is defined, then the user names for both inetd and rlogind must be permitted to BPX.DAEMON. The ruserok program (as well as inetd and rlogind) must be marked program-controlled.
-m
Enables multiprocessing support in the user's address space. The -m option uses fewer system resources and gives the user better performance.

If you do not specify -m, each rlogin request consumes two MVS address spaces. The first address space runs the rlogind code, which provides the user connection to the socket, and the second runs the user's shell. In this mode, all shell functions behave in a standards-conformant manner.

If you specify -m, the rlogin process and the shell process share one address space by using z/OS UNIX System Services support for multiple processes in an address space. Using -m can potentially double the number of users supported through rlogin.
Note: If rlogind was started with the -m option, the shell process cannot execute a setuid program that replaces the shell. This causes functions like newgrp to fail. In this situation, you might want to create a secondary shell that runs in its own address space.
-n
Disables the transport-level keepalive messages. The messages are enabled by default.
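Checking how rlogind is actually invoked on a system, as an added shell example that is not part of this reference: it reads an inetd.conf from standard input, locates the rlogind entry (the rule above is that rlogind is started only from inetd), fails if the -L option is present, and reports the effect of the other options documented here. The sample inetd.conf lines and the OMVSKERN user name are constructed for the example, and the assumed field layout is the usual service/type/protocol/wait/user/program/args order.

```shell
#!/bin/sh
# Added example, not part of the z/OS rlogind reference: audit the rlogind
# entry in an inetd.conf read from standard input.
# Exit status: 0 = rlogind entry found without -L, 1 = -L present,
#              2 = no rlogind entry (rlogind must be started from inetd).

audit_rlogind_conf() {
    found=0
    status=0
    # inetd.conf fields: service type protocol wait/nowait user program args...
    # "args" is the argument vector given to the program; its first word is argv[0].
    while read -r service type proto waitflag user program args; do
        case "$service" in
            ''|\#*) continue ;;          # blank line or comment
        esac
        case "$program" in
            */rlogind|rlogind) ;;        # this is the rlogind entry
            *) continue ;;
        esac
        found=1
        printf 'rlogind entry: service=%s user=%s program=%s args=[%s]\n' \
            "$service" "$user" "$program" "$args"
        set -- $args                     # split args into positional parameters
        if [ $# -gt 0 ]; then shift; fi  # drop argv[0] (the program name)
        for opt in "$@"; do
            case "$opt" in
                -L) printf 'FAIL: -L calls /usr/sbin/ruserok; a zero return bypasses password checking\n'
                    status=1 ;;
                -m) printf 'info: -m shares one address space; setuid programs such as newgrp fail\n' ;;
                -d) printf 'info: -d writes debugging messages to the system log\n' ;;
                -n) printf 'info: -n disables transport-level keepalive messages\n' ;;
                -a|-l) printf 'info: %s has no effect (.rhosts is never used)\n' "$opt" ;;
                *)  printf 'warn: unrecognized option %s\n' "$opt" ;;
            esac
        done
    done
    [ "$found" -eq 1 ] || return 2
    return "$status"
}

# Constructed sample entries for demonstration (not taken from any real system).
SAMPLE_GOOD='login stream tcp nowait OMVSKERN /usr/sbin/rlogind rlogind -m'
SAMPLE_BAD='login stream tcp nowait OMVSKERN /usr/sbin/rlogind rlogind -m -L'

# On a z/OS system, run against the real file with:
#   audit_rlogind_conf < /etc/inetd.conf
printf '%s\n' "$SAMPLE_BAD" | audit_rlogind_conf || echo "audit returned $?"
```

The function deliberately treats -L as a failure rather than a warning, matching the instruction above that the flag must not be specified.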

Usage notes

  1. The rlogind program normally converts all error and warning messages to ASCII and then sends them to the originating terminal.

    However, when the C runtime library writes error messages, the rlogind program cannot intercept them to convert the messages to ASCII. Therefore, these messages are written to the file /tmp/rlogind.stderr or /tmp/rlogind2.stderr.

    These two files must be predefined in /tmp and owned by the superuser (UID 0). The files should have permissions of rw-rw-rw- or rw--w--w-. In addition, the sticky bit must be set on the /tmp directory so that these files (and other files in /tmp) cannot be removed except by the files' owners or the superuser.

  2. rlogind is not affected by the locale information that is specified in locale-related environment variables.
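The file and directory setup that usage note 1 requires can be verified with a shell script such as the following added example, which is not part of this reference. It relies only on the mode and numeric owner columns of POSIX ls -ldn output; the function names and the optional directory argument (used so the check can be exercised on a scratch directory) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the z/OS rlogind reference: verify the setup that
# usage note 1 requires for the C runtime error-log files:
#   - the /tmp directory has the sticky bit set
#   - /tmp/rlogind.stderr and /tmp/rlogind2.stderr exist, are owned by UID 0,
#     and have mode rw-rw-rw- or rw--w--w-

# mode_ok MODESTRING: 0 if the ls-style mode is one of the two documented modes
mode_ok() {
    case "$1" in
        -rw-rw-rw-|-rw--w--w-) return 0 ;;
        *) return 1 ;;
    esac
}

# sticky_ok DIR: 0 if DIR is a directory whose sticky bit is set
sticky_ok() {
    # substr keeps the 10-character mode; some ls variants append '@', '+' or '.'
    mode=$(ls -ldn "$1" 2>/dev/null | awk '{print substr($1,1,10)}')
    case "$mode" in
        d????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# file_ok PATH: 0 if PATH exists, is owned by UID 0 and has an allowed mode
file_ok() {
    line=$(ls -ldn "$1" 2>/dev/null) || { printf '%s: missing\n' "$1"; return 1; }
    mode=$(printf '%s\n' "$line" | awk '{print substr($1,1,10)}')
    uid=$(printf '%s\n' "$line" | awk '{print $3}')   # numeric owner with -n
    [ "$uid" = "0" ] || { printf '%s: owner UID is %s, expected 0\n' "$1" "$uid"; return 1; }
    mode_ok "$mode" || { printf '%s: mode is %s, expected rw-rw-rw- or rw--w--w-\n' "$1" "$mode"; return 1; }
    return 0
}

# check_rlogind_stderr [DIR]: run every check; DIR defaults to /tmp
check_rlogind_stderr() {
    dir=${1:-/tmp}
    rc=0
    sticky_ok "$dir" || { printf '%s: sticky bit not set\n' "$dir"; rc=1; }
    for f in "$dir/rlogind.stderr" "$dir/rlogind2.stderr"; do
        file_ok "$f" || rc=1
    done
    return "$rc"
}

check_rlogind_stderr || echo "rlogind stderr file setup needs attention"
```

Run it as any user; creating the files and setting their owner to UID 0 still has to be done by the superuser, the script only reports what is wrong.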

Related information

inetd