rlogin
Legacy remote login protocol (unencrypted, obsolete)
By CMD Script Team · 4 min read · Last updated
rlogin [OPTIONS] hostOptions
| Flag | Description |
|---|---|
-l | Log in as a specific remote username instead of the local one |
-8 | Allow an 8-bit input data path (needed for some non-ASCII terminal sessions) |
-E | Disable interpreting the escape character, so it's passed through literally |
-e | Set a custom escape character instead of the default tilde (~) |
Distribution compatibility
- Ubuntu (rsh-client, legacy, not installed by default)
- Debian (rsh-client)
- Fedora (rsh package, legacy)
- Arch (AUR only)
- macOS (removed from modern releases)
What it does
rlogin ("remote login") opens an interactive terminal session on a remote host, the
way ssh does today, but it predates SSH and was designed for trusted local networks.
It authenticates either by prompting for a password in clear text, or — more
dangerously — by silently trusting the connection if the remote host's .rhosts or
/etc/hosts.equiv file lists the connecting hostname and username. Because none of
this is encrypted and host-based trust is easy to spoof, rlogin is considered
obsolete and a security liability; it's documented here so you can recognize it in
legacy systems and scripts and know to replace it with ssh.
Beginner examples
rlogin host2— attempt to log in tohost2using your current local usernamerlogin -l alice host2— log in tohost2as the useralice- Type
~.(tilde followed by a period) at the start of a line to forcibly disconnect a hung rlogin session
rlogin -l alice host2
Advanced examples
- Log in with an explicit remote username on a legacy Unix host that still runs
rlogind:rlogin -l root legacy-host - Use a custom escape character if the default tilde conflicts with content you're
sending:
rlogin -e % host2 - Disable escape-character interpretation entirely when passing through raw 8-bit data:
rlogin -8 -E host2
rlogin -l svc-account legacy-host
Common mistakes
- Assuming
rloginrequires a password every time — if.rhosts/hosts.equivtrust is configured, it can log you in with no authentication check at all beyond the claimed source host/username. - Running
rloginacross the public internet or any untrusted network, exposing credentials and session data to anyone able to sniff traffic on the path. - Confusing it with
sshbecause the interactive experience feels similar — the security model underneath is completely different and far weaker. - Leaving old
.rhostsfiles or an enabledrlogindservice around on a modern host "just in case," which reopens the exact hole SSH was created to close.
Tips
- If you find
rloginreferenced in old documentation, mentally translate it tossh— the interactive login experience it describes is whatsshprovides securely today. - Check for and remove any lingering
.rhostsfiles and disablerlogindininetd/xinetdconfigs on systems you're hardening; their mere presence is a red flag during a security audit. - Most current Linux distributions don't install the
rsh-client/rsh-serverpackages by default — ifrloginisn't found, that's expected and by design.
Best practices
- Never enable
rlogindor host-based.rhoststrust on any network that isn't fully isolated, physically controlled, and free of untrusted devices. - Treat any discovery of
rloginusage in production as a finding to remediate: disable the service and migrate the workflow tosshwith key-based auth. - When auditing legacy infrastructure, search for
.rhosts/hosts.equivfiles as part of the checklist, since their presence often accompaniesrlogin/rshusage.
Try it yourself
A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.
Real-world use cases
- Identifying and remediating
rlogin-based remote access during a security hardening pass on legacy Unix/Linux infrastructure. - Historical/educational context in networking or systems administration courses that cover the evolution from r-commands to SSH.
- Explaining, during an interview or code review, why a
.rhostsfile orrlogindprocess found on a host is a serious finding.
Common interview questions
- Why is rlogin considered a security risk? It sends all data, including any
password, unencrypted, and its host-based trust mechanism (
.rhosts/hosts.equiv) can grant access based on a spoofable hostname or IP rather than a real credential. - What replaced rlogin, and what does it fix?
sshreplaced it, encrypting the entire session and authenticating with strong credentials (passwords over an encrypted channel, or public/private key pairs) instead of host-based trust files. - What is a .rhosts file and why is it dangerous? A per-user file listing
hostnames/usernames that are trusted to log in without a password via
rlogin/rsh; it's dangerous because trust is based on claimed network identity, which can be spoofed on an untrusted network.
Frequently Asked Questions
Is rlogin safe to use today?
No. rlogin transmits the entire session, including passwords if used, in plain text, and its default authentication model relies on trusting .rhosts/hosts.equiv entries based on hostname/IP, which is easily spoofed. It has been superseded entirely by ssh.
How is rlogin different from telnet?
Both are unencrypted, but rlogin was designed specifically for Unix-to-Unix remote login and can skip password prompts entirely if the remote host trusts the connecting host/user via .rhosts, which is even riskier than telnet's explicit login prompt.
Why would rlogin still show up in documentation or old scripts?
It's part of the classic BSD r-commands suite (rlogin, rsh, rcp) that shipped on Unix systems for decades before SSH became standard, so it still appears in legacy sysadmin scripts, old textbooks, and certification material covering networking history.
What replaced rlogin?
ssh, which provides the same interactive remote-login experience but encrypts the whole session and authenticates with real credentials or public keys instead of host-based trust files.
Cheat sheet
Download a quick-reference cheat sheet for rlogin.