rlogin - the legacy remote login tool
The rlogin (remote login) program was a tool for remotely using a computer over a network. It could be used to get a command-line on a remote computer. It has since been superseded by ssh. Everyone who still has rlogin enabled is encouraged to immediately disable it for important security reasons.
The rlogin tool was introduced in BSD Unix in the 1980s. It was an important tool at the time, but it suffered from several shortcomings. Its security was poor, and its usability wasn't great.
Security Issues in rlogin
The main problem with rlogin was that it sent user passwords over a network in the clear, without any encryption. This meant that any attacker with access to the network could read user names and passwords from the network. It only took a few hours of programming to write the software to do this, and it was commonly done. It was called password sniffing, and it was very common in the mid-1990s.
rlogin did support Kerberos for encryption, but at the time, Kerberos was export controlled and not widely deployed outside a few universities and government environments. Thus, in practice passwords sent using it were vulnerable.
Furthermore, rlogin supports .rhosts files for authentication. These files rely on IP addresses for authentication, and spoofing IP addresses is fairly easy. For example, any attacker on the local network can pretend to be any other host. In the past, these attacks could also be performed remotely due to predictable TCP sequence numbers.
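A defensive audit for the weaknesses described above, as an added example that is not part of the original article: it reports whether the rlogin daemon (or its sibling rsh, which honours the same trust files) is still enabled and lists the .rhosts and hosts.equiv trust files with their wildcard entries. The inetd/xinetd paths, the home-directory layout and the function names are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: audit a system, or a mounted image whose root is passed
# as $1, for rlogin exposure. Assumed layout: classic inetd/xinetd config
# files, home directories under /root and /home.

# Print the r-services that inetd or xinetd would start.
enabled_r_services() {
    root=${1:-}
    conf="$root/etc/inetd.conf"
    # Field 1 is the service name: "login" = rlogind, "shell" = rshd.
    # A commented-out entry has "#..." in field 1, so it never matches.
    if [ -f "$conf" ]; then
        awk '$1 == "login" || $1 == "shell" { print "inetd:" $1 }' "$conf"
    fi
    for x in "$root/etc/xinetd.d/rlogin" "$root/etc/xinetd.d/rsh"; do
        [ -f "$x" ] || continue
        # xinetd runs a service unless its file says "disable = yes".
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$x" ||
            echo "xinetd:${x##*/}"
    done
}

# Print every host-trust file: /etc/hosts.equiv plus per-user .rhosts.
trust_files() {
    root=${1:-}
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Count entries using "+" as host or user; "+" matches any host or any
# user, so such a line extends trust far beyond a named machine.
wildcard_entries() {
    awk '$1 !~ /^#/ && ($1 == "+" || $2 == "+") { n++ } END { print n + 0 }' "$1"
}

# Print all findings; exit status 0 = clean, 1 = at least one finding.
audit_rlogin() {
    report=$(
        enabled_r_services "${1:-}" | sed 's/^/ENABLED: /'
        trust_files "${1:-}" | while IFS= read -r f; do
            echo "TRUST FILE: $f (wildcard entries: $(wildcard_entries "$f"))"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

After sourcing the file, run audit_rlogin with no argument to check the live system, or pass the mount point of a disk image. Every reported service should be disabled and every trust file removed or reviewed.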
Usability Issues in rlogin
The rlogin program does not automatically set up the user's DISPLAY environment variable for running graphical applications remotely using X11. Most researchers and power users want to run programs remotely - editing, analysis/simulation tools, etc. Especially with X terminals, such use was critically important.
SSH differed from rlogin by setting the DISPLAY environment variable automatically. This simple usability improvement was one of the major reasons why universities adopted SSH early on. It was just easier to use. Easier to teach to new students. Less support required. Just easier and more cost-effective for everyone.