Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!shelby!kolk
From: kolk@shelby.Stanford.EDU (Dan Kolkowitz)
Newsgroups: comp.protocols.kerberos
Subject: Re: "kerberized" rlogin
Keywords: rlogin
Message-ID: <125@shelby.Stanford.EDU>
Date: 27 Mar 89 17:34:44 GMT
References: <231@ryn.DEC.COM>
Reply-To: kolk@shelby.stanford.edu (Dan Kolkowitz)
Organization: Stanford University
Lines: 22


		I'm having trouble getting the "kerberized" rlogin to function
	between two of our systems.  I'm able  to  obtain  a  ticket  granting 
	ticket from the server, but when I try to make use  of it with rlogin,
	I get:
	
		rcmd: socket: Permission denied
		rlogin: Kerberos rcmd failed: rcmd protocol failure.
		trying normal rlogin (/usr/ucb/rlogin.ucb)
	
		What have I forgotten to do?

My bet is that you've forgotten to make rlogin setuid root (owned by root
and permission 4755, or something like that).  rlogin cannot create a secure
socket since it is not running as root.  This seems to be an example of
a clash between kerberos authentication and Unix authentication--the demand
for a secure socket number (between 512 and 1024) is rlogin's proof that 
it is not a forged connection.  Since the authentication of the user would
obviously supercede this check it seems to me that this requirement for 
klogin could be removed (its always nice to get rid of another setuid program).

Dan