Internet Security Systems

rwho

The "rwho" protocol provides a simple scheme for listing the UNIX machines on the local segment and who is logged onto them. Each UNIX host runs a daemon (usually "in.rwhod" or "rwhod") that periodically broadcasts its own information and listens for other machines' broadcasts. Each machine then keeps a list of active machines and logged-on users.

This presents a security risk for network managers, because it exposes machine names as well as user names. The 'rwhod' service should be disabled on secure machines.

When a user types the command "rwho" at the command line, they get a list that looks something like:

smaug           up 13 days, 21:49,    load average: 0.00, 0.00, 0.01
frodo           up 23 days, 10:23,    load average: 0.00, 0.01, 0.02

The broadcast from each machine is a UDP packet sent to port 513. The packet looks like:

Header:
    version | type | fill
    send time
    receive time
    host name (32-bytes)
    load avg, last 15-min
    load avg, last 10-min
    load avg, last 5-min
    boot time

User Records (up to 1024):
    input line | user name | login time

  • Following this header are any number of records (up to 1000) of the indicated format (input terminal line, user name, and when they logged in)
  • Timestamps are all in 'time_t' (number of seconds since 1970-01-01 GMT).
  • Load averages are the number of concurrently running programs, averaged over the three specified intervals. A load average of 0.1 means the system isn't really being used; a load average of 1.0 means the system is probably being used by a single process, or that a process has hung.
  • Broadcasts are sent roughly every 3 minutes. If a machine has been silent for more than 11 minutes, listening machines drop it from their table.

  • Ports: 513 - The port this protocol uses. Each packet is sent from port 513 to port 513.
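
The packet layout above, parsed in Python as an added example (not code from this page or from rwhod) so an administrator can see exactly which host and user details a captured broadcast discloses. The field widths, the per-record idle field, big-endian byte order and the x100 load scaling are assumptions taken from BSD's <protocols/rwhod.h> rather than from this page, and the sample packet is constructed.

```python
import struct

# Field widths assumed from BSD <protocols/rwhod.h>; the page gives only
# the 32-byte host name. All integers are big-endian (network order).
HEADER = struct.Struct("!BB2xii32s3ii")  # vers, type, fill, send, recv, host, load[3], boot
RECORD = struct.Struct("!8s8sii")        # line, user, login time, idle (idle is not in the page's table)
MAX_PACKET = HEADER.size + 1024          # header plus the 1024-byte record area


def _text(raw):
    """Decode a fixed-width, NUL-padded field that may lack a terminator."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_whod(data):
    """Return the host and user details disclosed by one rwho broadcast."""
    if not HEADER.size <= len(data) <= MAX_PACKET:
        raise ValueError("length %d is not a valid rwho packet" % len(data))
    vers, ptype, send, recv, host, l0, l1, l2, boot = HEADER.unpack_from(data)
    if (vers, ptype) != (1, 1):          # WHODVERSION / WHODTYPE_STATUS
        raise ValueError("unexpected version/type %d/%d" % (vers, ptype))
    if (len(data) - HEADER.size) % RECORD.size:
        raise ValueError("truncated user record")
    users = []
    for off in range(HEADER.size, len(data), RECORD.size):
        line, name, login, idle = RECORD.unpack_from(data, off)
        users.append({"line": _text(line), "user": _text(name),
                      "login_time": login, "idle": idle})
    return {"host": _text(host), "send_time": send, "boot_time": boot,
            # rwhod transmits each load average multiplied by 100
            "load": tuple(v / 100 for v in (l0, l1, l2)),
            "users": users}


def build_sample():
    """Constructed packet: host name from the sample output above, invented user."""
    hdr = HEADER.pack(1, 1, 1000000000, 0, b"smaug", 0, 0, 1,
                      1000000000 - 13 * 86400)
    rec = RECORD.pack(b"ttyp0", b"alice", 999990000, 120)
    return hdr + rec


if __name__ == "__main__":
    info = parse_whod(build_sample())
    print(info["host"], info["load"], [u["user"] for u in info["users"]])
```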
