The rlogin (remote login) program was a tool for remotely using a computer over a network. It could be used to get a command line on a remote computer. SSH has since superseded it. Anyone who still has rlogin enabled is encouraged to disable it immediately for important security reasons.
The rlogin tool was introduced in BSD Unix in the 1980s. It was an important tool at the time but suffered from several shortcomings. Its security was poor, and its usability wasn’t great.
Security Issues in rlogin
The main problem with rlogin was that it sent user passwords over the network in the clear, without encryption. This meant that any attacker with access to the network could read user names and passwords directly from the traffic. It took only a few hours of programming to write the software to do this. The technique was called password sniffing, and it was very common in the mid-1990s.
rlogin did support Kerberos for encryption, but at the time, Kerberos was export-controlled and not widely deployed outside a few universities and government environments. Thus, in practice, passwords sent using rlogin were vulnerable.
Furthermore, rlogin supports .rhosts files for authentication. These files rely on IP addresses for authentication; spoofing IP addresses is fairly easy. For example, any attacker on the local network can pretend to be any other host. In the past, these attacks could also be performed remotely due to predictable TCP sequence numbers.
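An audit for these trust files, as an added example that is not part of the original article: it parses .rhosts-style entries and reports every line that grants access based on the connecting host. The function names, the sample entries, the /home/* layout and the inclusion of /etc/hosts.equiv (the system-wide counterpart of .rhosts, not mentioned above) are assumptions.

```python
import glob
import os

def audit_trust_entries(text):
    """Flag every entry in .rhosts / hosts.equiv text that grants trust.

    Returns (line_number, severity, message) tuples. Entry format is
    "host [user]"; '#' starts a comment (assumption: glibc-style parsing).
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host.startswith("-") or user.startswith("-"):
            continue  # deny entry: grants nothing
        if host == "+":
            findings.append((n, "critical", "wildcard host: every source address is trusted"))
        elif host.startswith("+@"):
            findings.append((n, "high", f"netgroup {host[2:]} is trusted"))
        else:
            findings.append((n, "high", f"{host} is trusted by source address alone"))
        if user == "+":
            findings.append((n, "critical", "wildcard user: any remote user name is accepted"))
    return findings

def audit_system(home_glob="/home/*/.rhosts", equiv="/etc/hosts.equiv"):
    """Audit the system-wide file and every per-user file that exists."""
    report = {}
    for path in [equiv, *sorted(glob.glob(home_glob))]:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = audit_trust_entries(fh.read())
    return report

# Constructed sample entries, not taken from a real system.
SAMPLE = """\
# trust list
build01.example.com alice
+ +
-badhost.example.com
+@admins bob
192.0.2.10   # lab workstation
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_trust_entries(SAMPLE):
        print(f"line {line_no}: [{severity}] {message}")
```

Any finding means a login can succeed without a password; once rlogin is disabled, these files can be removed as well.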
Usability Issues in rlogin
The rlogin program does not automatically set up the user’s DISPLAY environment variable for running graphical applications remotely using X11. Most researchers and power users want to run programs remotely – editing, analysis/simulation tools, etc. Especially with X terminals, such use was critically important.
SSH differed from rlogin by setting the DISPLAY environment variable automatically. This simple usability improvement was one of the major reasons why universities adopted SSH early on. It was just easier to use, easier to teach to new students, and required less support. It was simply easier and more cost-effective for everyone.