Rocky 8 How to Incorporate Rwhod / Rwho?

Among the services Eskimo North offers is Linux shell servers. I have recently added Rocky8 to the mix after Redhat abandoned Centos8, but I’m having difficulty getting a rwhod server to work. Under Centos I was able to install the rwhod server from fedora30 which happened to use the same version of glibc, but while it installs under Rocky, it does not listen to port 531 nor function. I tried to compile from source but there is no /usr/include/rpc/rpc.h in Rocky Linux. Any hint on how to get a working rwho and rwhod on Rocky8 would be much appreciated.

What is an rwhod server?

Can you be a bit more specific about this? Does it crash? Is there a systemd service? Does that one start? Do the logs provide any reason as to what might be going on?

There is a systemd service unit, it was enabled and started. It does not crash, it does create the /var/spool/rwho directory but it does not listen to port 531 and communicate with other rwho servers on the internet.

However, this was the version from Fedora 30, I decided to try some other versions and FC32, the version from Fedora 32 is also compatible with the libraries on Rocky8, but moreover it works, so this issue is resolved.

1 Like

Rwho is “Remote Who”, it is part of the ruptime package. Ruptime allows you to see the uptime of all of the hosts on your local network. Rwho allows you to see who is logged into all those hosts, here is an example from my network:

/home/nanook >rwho -a
bbrace ubuntu:pts/5 Jun 9 10:16 3:31
billb debian:pts/7 Jun 8 14:02 23:29
bressler ubuntu:pts/3 Jun 4 16:25 38:21
dca ubuntu:pts/6 Jun 9 10:46 :49
dld debian:pts/4 Jun 9 13:58 :19
dld debian:pts/8 Jun 9 13:58 :16
jimo mint:pts/0 Jun 1 07:10 99:59
mall-net centos7:pts/1 May 29 23:37 :53
markjr ubuntu:pts/2 Jun 7 16:46 7:01
milan rocky8:pts/0 Jun 9 10:14 :25
nanook radius:pts/0 Jun 9 01:59 12:18
nanook radius:pts/1 Jun 9 02:00 12:17
nanook ubuntu:pts/0 Jun 9 14:01 :12
nanook ubuntu:pts/1 Jun 9 14:15 :03
noelt debian:pts/10 Jun 9 08:22 5:55
seldon debian:pts/3 May 20 12:28 1:08
seldon zorin:pts/1 May 21 16:42 1:09
seldon zorin:pts/3 May 21 16:42 1:11
seldon zorin:pts/4 May 21 16:42 1:11
seldon zorin:pts/5 May 21 16:42 1:09
seldon zorin:pts/6 May 21 16:42 8:58
seldon zorin:pts/7 May 21 16:42 99:59
stosh debian:pts/1 May 28 22:19 :51
stosh debian:pts/2 May 29 06:58 1:00
xyzzx debian:pts/5 Jun 6 06:41 79:36

We have shell servers for customers of various Linux distros, so you see the user login, the machine name, the tty if they have one, and the time they logged in.

This information is gathered from /var/run/utmp.

I do use

ansible all -a 'uptime -p'
ansible all -a 'loginctl'

but yours is more compact.

Ansible also requires you provide it a list of hosts, where as rwho / ruptime is a broadcast protocol.

True. Then again, you are managing all your hosts, so you in some fashion do have a list?
Configuration management systems, like Ansible, are IMHO very convenient but taking one into use is naturally not without initial cost (time and effort).

I have a lot of users from the old days, they are used to tools like rwhod, I try my best to provide them with the things they want because if I don’t, their willingness to pay for services decreases substantially.

1 Like

In terms of client/server. Who listens on 531, just one server, or all of them? Do you have to install the package on every server or just one?

How does it access /var/run/utmp on each machine (security risk?)

Does the source code cover both Rwhod and Rwho? Where is it?

It is a broadcast protocol so works only over the local LAN and as such there is no reason NOT to have port 531 firewalled from outside the local LAN. If a machine can’t listen to port 531, then that machine isn’t detected by others on the local LAN.

The fact that the protocol is over 30 years old means probably most nasty bugs have been squashed, and modern Linux kernel based security such as selinux or apparmor or tomoyo can be used to restrict it’s access to just /var/spool/rwho.

As to source packages, you can download from Fedora or Debian based repos, or from, or you can download the freebsd version from github CoCalc -- rwhod, and there is also a shell script version on github but personally from a security standpoint I would not feel comfortable with that.

The server that keeps the database that the rwho(1) and ruptime(1) programmes use is called the rwhod utility.

1 Like

Um no, this is not how rwho / rwhod works, EVERY SERVER keeps a private copy in /var/spool/rwho.

Is selinux enabled, and any violations relating to port 531?

I haven’t seen any BUT I also have not done a re-lable since installing the program so selinux is probably at this point unaware of it’s existence.

You can run:


and see if it shows permissive, enforced or disabled. You can always do:

setenforce 0

to put it in permissive mode, if in enforced at the minute, and then at least it won’t block it from running, but will give info in the logs of the violation. So then attempt to run the daemon and see if port is listening after this.

OK, but what are they using as the source, are they using the freebsd version? When you say you built it from source, which exact source did you use?

Selinux is in enforcement mode, but since it hasn’t been re-indexed since rwhod was installed, I doubt it knows about it. It is not terribly important since it is a broadcast protocol that works only on the local LAN and the non-broadcast port (513) is firewalled from the outside and only visible to internal machines.

I tried to build from source using the Centos7 version. It failed because it needs /usr/include/rwho/rwho.h which is not present on Rocky8.

Then I installed the fedora30 version, because it used compatible libs, but it did not work.

Then I tried the fedora 32 version, it worked, I installed the rpm package obtained from, so did not compile this from source.

I believe that Rocky 8 is based from Fedora 32 (unless I’m mistaken, but I’m pretty sure I saw info posted here or on mattermost that says that). That would most likely explain why it works.