>_cmd.script

rlogin

Legacy remote login protocol (unencrypted, obsolete)

Networking

By CMD Script Team · 4 min read · Last updated

SYNTAX
rlogin [OPTIONS] host

Options

Command options and flags
FlagDescription
-lLog in as a specific remote username instead of the local one
-8Allow an 8-bit input data path (needed for some non-ASCII terminal sessions)
-EDisable interpreting the escape character, so it's passed through literally
-eSet a custom escape character instead of the default tilde (~)

Distribution compatibility

  • Ubuntu (rsh-client, legacy, not installed by default)
  • Debian (rsh-client)
  • Fedora (rsh package, legacy)
  • Arch (AUR only)
  • macOS (removed from modern releases)

What it does

rlogin ("remote login") opens an interactive terminal session on a remote host, the way ssh does today, but it predates SSH and was designed for trusted local networks. It authenticates either by prompting for a password in clear text, or — more dangerously — by silently trusting the connection if the remote host's .rhosts or /etc/hosts.equiv file lists the connecting hostname and username. Because none of this is encrypted and host-based trust is easy to spoof, rlogin is considered obsolete and a security liability; it's documented here so you can recognize it in legacy systems and scripts and know to replace it with ssh.

Beginner examples

  • rlogin host2 — attempt to log in to host2 using your current local username
  • rlogin -l alice host2 — log in to host2 as the user alice
  • Type ~. (tilde followed by a period) at the start of a line to forcibly disconnect a hung rlogin session
rlogin -l alice host2

Advanced examples

  • Log in with an explicit remote username on a legacy Unix host that still runs rlogind: rlogin -l root legacy-host
  • Use a custom escape character if the default tilde conflicts with content you're sending: rlogin -e % host2
  • Disable escape-character interpretation entirely when passing through raw 8-bit data: rlogin -8 -E host2
rlogin -l svc-account legacy-host

Common mistakes

  • Assuming rlogin requires a password every time — if .rhosts/hosts.equiv trust is configured, it can log you in with no authentication check at all beyond the claimed source host/username.
  • Running rlogin across the public internet or any untrusted network, exposing credentials and session data to anyone able to sniff traffic on the path.
  • Confusing it with ssh because the interactive experience feels similar — the security model underneath is completely different and far weaker.
  • Leaving old .rhosts files or an enabled rlogind service around on a modern host "just in case," which reopens the exact hole SSH was created to close.

Tips

  • If you find rlogin referenced in old documentation, mentally translate it to ssh — the interactive login experience it describes is what ssh provides securely today.
  • Check for and remove any lingering .rhosts files and disable rlogind in inetd/ xinetd configs on systems you're hardening; their mere presence is a red flag during a security audit.
  • Most current Linux distributions don't install the rsh-client/rsh-server packages by default — if rlogin isn't found, that's expected and by design.

Best practices

  • Never enable rlogind or host-based .rhosts trust on any network that isn't fully isolated, physically controlled, and free of untrusted devices.
  • Treat any discovery of rlogin usage in production as a finding to remediate: disable the service and migrate the workflow to ssh with key-based auth.
  • When auditing legacy infrastructure, search for .rhosts/hosts.equiv files as part of the checklist, since their presence often accompanies rlogin/rsh usage.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Identifying and remediating rlogin-based remote access during a security hardening pass on legacy Unix/Linux infrastructure.
  • Historical/educational context in networking or systems administration courses that cover the evolution from r-commands to SSH.
  • Explaining, during an interview or code review, why a .rhosts file or rlogind process found on a host is a serious finding.

Common interview questions

  • Why is rlogin considered a security risk? It sends all data, including any password, unencrypted, and its host-based trust mechanism (.rhosts/ hosts.equiv) can grant access based on a spoofable hostname or IP rather than a real credential.
  • What replaced rlogin, and what does it fix? ssh replaced it, encrypting the entire session and authenticating with strong credentials (passwords over an encrypted channel, or public/private key pairs) instead of host-based trust files.
  • What is a .rhosts file and why is it dangerous? A per-user file listing hostnames/usernames that are trusted to log in without a password via rlogin/rsh; it's dangerous because trust is based on claimed network identity, which can be spoofed on an untrusted network.

Frequently Asked Questions

Is rlogin safe to use today?

No. rlogin transmits the entire session, including passwords if used, in plain text, and its default authentication model relies on trusting .rhosts/hosts.equiv entries based on hostname/IP, which is easily spoofed. It has been superseded entirely by ssh.

How is rlogin different from telnet?

Both are unencrypted, but rlogin was designed specifically for Unix-to-Unix remote login and can skip password prompts entirely if the remote host trusts the connecting host/user via .rhosts, which is even riskier than telnet's explicit login prompt.

Why would rlogin still show up in documentation or old scripts?

It's part of the classic BSD r-commands suite (rlogin, rsh, rcp) that shipped on Unix systems for decades before SSH became standard, so it still appears in legacy sysadmin scripts, old textbooks, and certification material covering networking history.

What replaced rlogin?

ssh, which provides the same interactive remote-login experience but encrypts the whole session and authenticates with real credentials or public keys instead of host-based trust files.

Cheat sheet

Download a quick-reference cheat sheet for rlogin.