 hosts.equiv(4)						      hosts.equiv(4)




 NAME
      hosts.equiv, .rhosts - security files authorizing access by remote
      hosts and users on local host

 DESCRIPTION
      The /etc/hosts.equiv file and files named .rhosts found in users' home
      directories specify remote hosts and users that are "equivalent" to
      the local host or user.  Users from equivalent remote hosts are
      permitted to access a local account using rcp or remsh or to rlogin to
      the local account without supplying a password (see rcp(1), remsh(1),
      and rlogin(1)).  The security provided by hosts.equiv is implemented
      by the ruserok() library routine (see rcmd(3N)).

      In this description, hostequiv means either the system
      /etc/hosts.equiv file or the user .rhosts file.  Note that .rhosts
      must be owned either by the root or by the user in whose home
      directory it is found and it must not be a symbolic link.	 The
      /etc/hosts.equiv file defines system-wide equivalency, whereas a
      user's .rhosts file defines equivalency between the local user and any
      remote users to whom the local user chooses to allow or deny access.

      An entry in the hostequiv file is a single line (no continuations) in
      the format:

	   [hostname [username]] [#comment]

      Thus, it can be:

	   +  A blank line.

	   +  A comment line, beginning with a #.

	   +  A host name, optionally followed by a comment.

	   +  A host name and user name, optionally followed by a comment.

	   A host or user name is a string of printable characters,
	   excluding whitespace, newlines, and #.

	   Names are separated by whitespace.

      For a user to be granted access, both the remote host name and the
      user name must "match" an entry in hostequiv.  When a request is made
      for access, the /etc/hosts.equiv file is searched first.	If a match
      is found, access is permitted.  If no match is found, the .rhosts file
      is searched, if one exists in the local user's home directory.  If the
      local user is a superuser, /etc/hosts.equiv is ignored.

      A host name or user name must match the corresponding field entry in
      hostequiv in one of the following ways:




 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000






	   Literal match	    A host name in hostequiv can literally
				    match the official host name (not an
				    alias) of the remote host.

				    A user name in hostequiv can literally
				    match the remote user name.	 For a user
				    name to have literal match in the
				    /etc/hosts.equiv file, the remote user
				    name must literally match the local user
				    name.

	   Domain-extended match    The remote host name to be compared with
				    entries in hostequiv is typically the
				    official host name returned by
				    gethostbyaddr() (see gethostent(3N)).
				    In a domain-naming environment, this is
				    a domain-qualified name.  If a host name
				    in hostequiv does not literally match
				    the remote host name, the host name in
				    hostequiv with the local domain name
				    appended may match the remote host name.

	   -name		    If the host name in hostequiv is of this
				    form, and if name literally matches the
				    remote host name or if name with the
				    local domain name appended matches the
				    remote host name, access is denied
				    regardless of the user name.

				    If the user name in hostequiv is of this
				    form, and name literally matches the
				    remote user name, access is denied.

				    Even if access is denied in this way by
				    /etc/hosts.equiv, access can still be
				    allowed by .rhosts.

	   +			    Any remote host name matches the host
				    name + in hostequiv.

				    Any remote user matches the user name +.

	   +@netgroup_name	    netgroup_name is the name of a network
				    group as defined in netgroup(4).  If the
				    host name in hostequiv is of this form,
				    the remote host name (only) must match
				    the specified network group according to
				    the rules defined in netgroup(4) in
				    order for the host name to match.





				    Similarly, if the user name in hostequiv
				    is of this form, the remote user name
				    (only) must match the specified network
				    group in order for the user name to
				    match.

	   -@netgroup_name	    netgroup_name is the name of a network
				    group as defined in netgroup(4).  If the
				    host name in hostequiv is of this form,
				    and if the remote host name (only)
				    matches the specified network group
				    according to the rules defined in
				    netgroup(4), access is denied.

				    Similarly, if the user name in hostequiv
				    is of this form, and if the remote user
				    name (only) matches the specified
				    network group, access is denied.

				    Even if access is denied in this way by
				    /etc/hosts.equiv, access can still be
				    allowed by .rhosts.

 EXAMPLES
      1.   /etc/hosts.equiv on hostA contains the line:

		hostB

	   and /etc/hosts.equiv on hostB is empty.  User chm on hostB can
	   use remsh to hostA, or rlogin to account chm on hostA without
	   being prompted for a password.  chm will, however, be prompted
	   for a password with rlogin, or denied access with remsh, from
	   hostA to hostB.

	   If .rhosts in the home directory of user chm on hostB contains:

		hostA

	   or

		hostA chm

	   then user chm can access hostB from hostA.

      2.   hostA is in the domain arg.bob.com.	hostB and hostC are in the
	   domain oink.bob.com.	 .rhosts in the home directory of user chm
	   on hostB contains:

		hostC
		hostA




	   User chm can access hostB from hostC, since hostC.oink.bob.com
	   matches hostC with hostB's local domain oink.bob.com appended.
	   But user chm from hostA cannot access hostB, since
	   hostA.arg.bob.com does not match hostA.oink.bob.com.	 In order
	   for user chm to be able to access hostB from hostA, chm's .rhosts
	   file on hostB must contain:

		hostA.arg.bob.com

	   since hostA is in a different domain.

      3.   .rhosts in the home directory of user chm on hostA contains:

		hostB root

	   /etc/hosts.equiv on hostB contains the line:

		hostA

	   However, there is no file .rhosts in the home directory of user
	   chm on hostB.  The user root on hostB can rlogin to account chm
	   on hostA without being prompted for a password, but root on hostA
	   cannot rlogin to account chm on hostB.

      4.   .rhosts in the home directory of user chm on hostA contains:

		+
		-hostB
		+ root

	   User chm from any host is allowed to access account chm on hostA.
	   User root from any host except hostB can access account chm on
	   hostA.

      5.   /etc/hosts.equiv on hostA contains the lines:

		+ -chm
		hostB

	   Any user from hostB except chm is allowed to access an account on
	   hostA with the same user name.  However, if .rhosts in the home
	   directory of user chm on hostA contains:

		hostB

	   then user chm from hostB can access account chm on hostA.

      6.   /etc/hosts.equiv on hostA contains the line:

		+@example_group




	   The network group example_group consists of:

		example_group ( , ,EXAMPLE_DOMAIN)

	   If hostA is not running Network Information Service (NIS), user
	   chm on any host can access account chm on hostA.

	   If hostA is running Network Information Service (NIS), and hostA
	   is in the domain EXAMPLE_DOMAIN, user chm on any host, whether in
	   EXAMPLE_DOMAIN or not, can access account chm on hostA.

	   However, if .rhosts in the home directory of user chm on hostA
	   contains the line:

		-@example_group

	   and hostA is either not running Network Information Service (NIS)
	   or is in domain EXAMPLE_DOMAIN, no user chm on any host can
	   access the account chm on hostA.  If hostA is running Network
	   Information Service (NIS) but is not in the domain
	   EXAMPLE_DOMAIN, this line has no effect.

      7.   /etc/hosts.equiv on hostA contains the line:

		-@example_group

	   The network group example_group consists of:

		example_group (hostB, ,)

	   All users on hostB are denied access to hostA.

	   However, if .rhosts in the home directory of a user on hostA
	   contains any of the following lines:

		+@example_group chm
		hostB chm
		+ chm

	   then user chm on hostB can access that account on hostA.
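
      The following is an added example, not part of this manual page or of
      the ruserok() source: a reference model of the matching rules given in
      DESCRIPTION, exercised against EXAMPLES 1 through 7 above.  It assumes
      (the page does not say) that a netgroup is a list of (host, user,
      domain) triples with an empty field as a wildcard, that a triple
      naming another NIS domain is ignored when NIS is running, that a "-"
      denial ends the search of the file it appears in, and that the caller
      passes superuser=True for a superuser account.  The -@example_group
      case of example 6 is modelled with an empty /etc/hosts.equiv, since by
      the search order in DESCRIPTION a hosts.equiv match grants access
      before .rhosts is consulted.  Host, user and domain names are the
      page's own.

```python
# Added example, not HP-UX or BSD code: a reference model of the hostequiv
# matching rules in DESCRIPTION, exercised against EXAMPLES 1-7.
# Assumptions (not stated on the page): netgroups are lists of
# (host, user, domain) triples with "" as a wildcard; a '-' denial ends the
# search of the file it appears in; the caller sets superuser=True for a
# superuser account.  Host and user names in the demo are the page's own.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

MATCH, NOMATCH, DENY = 1, 0, -1


@dataclass
class LocalHost:
    """The host evaluating the request: its DNS domain, NIS domain, netgroups."""
    domain: str                                   # e.g. "oink.bob.com"
    nis_domain: Optional[str] = None              # None: NIS not running
    netgroups: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)


def parse_hostequiv(text: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (host_field, user_field) per entry; blank and #comment lines skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], (fields[1] if len(fields) > 1 else None)


def host_matches(entry: str, remote_host: str, local: LocalHost) -> bool:
    """Literal match on the official name, or domain-extended match."""
    return remote_host in (entry, f"{entry}.{local.domain}")


def in_netgroup(local: LocalHost, group: str, host=None, user=None) -> bool:
    """Host-only or user-only membership.  When NIS runs, a triple naming
    another NIS domain is ignored (netgroup(4) domain field)."""
    for h, u, d in local.netgroups.get(group, []):
        if local.nis_domain is not None and d and d != local.nis_domain:
            continue
        if host is not None and h in ("", host):
            return True
        if user is not None and u in ("", user):
            return True
    return False


def check_host(entry: str, remote_host: str, local: LocalHost) -> int:
    if entry == "+":
        return MATCH
    if entry.startswith("+@"):
        return MATCH if in_netgroup(local, entry[2:], host=remote_host) else NOMATCH
    if entry.startswith("-@"):
        return DENY if in_netgroup(local, entry[2:], host=remote_host) else NOMATCH
    if entry.startswith("-"):
        return DENY if host_matches(entry[1:], remote_host, local) else NOMATCH
    return MATCH if host_matches(entry, remote_host, local) else NOMATCH


def check_user(entry, remote_user, local_user, local) -> int:
    if entry is None:        # no user field: remote name must equal the local account
        return MATCH if remote_user == local_user else NOMATCH
    if entry == "+":
        return MATCH
    if entry.startswith("+@"):
        return MATCH if in_netgroup(local, entry[2:], user=remote_user) else NOMATCH
    if entry.startswith("-@"):
        return DENY if in_netgroup(local, entry[2:], user=remote_user) else NOMATCH
    if entry.startswith("-"):
        return DENY if entry[1:] == remote_user else NOMATCH
    return MATCH if entry == remote_user else NOMATCH


def search_file(text, remote_host, remote_user, local_user, local) -> int:
    """First decisive entry wins; a denial stops the search of this file."""
    for host_field, user_field in parse_hostequiv(text):
        h = check_host(host_field, remote_host, local)
        if h == NOMATCH:
            continue
        if h == DENY:
            return DENY
        u = check_user(user_field, remote_user, local_user, local)
        if u != NOMATCH:
            return u
    return NOMATCH


def ruserok(local, remote_host, remote_user, local_user,
            hosts_equiv="", rhosts=None, superuser=False) -> bool:
    """True if the request is granted without a password.  hosts.equiv is
    searched first (ignored for a superuser account); a match there is
    decisive, a denial there only falls through to .rhosts, which is
    searched when it exists (rhosts=None means no such file)."""
    if not superuser and search_file(hosts_equiv, remote_host, remote_user,
                                     local_user, local) == MATCH:
        return True
    if rhosts is None:
        return False
    return search_file(rhosts, remote_host, remote_user, local_user, local) == MATCH


if __name__ == "__main__":
    # Example 5: the '+ -chm' denial stops the hosts.equiv search, so the
    # later 'hostB' entry does not let chm in; chm's own .rhosts still can.
    host_a = LocalHost(domain="arg.bob.com")
    equiv = "+ -chm\nhostB\n"
    print(ruserok(host_a, "hostB", "alice", "alice", hosts_equiv=equiv))             # True
    print(ruserok(host_a, "hostB", "chm", "chm", hosts_equiv=equiv))                 # False
    print(ruserok(host_a, "hostB", "chm", "chm", hosts_equiv=equiv, rhosts="hostB\n"))  # True
```

      The order of entries matters: in example 5 the "+ -chm" line denies
      chm before the "hostB" line is reached, which is why that later line
      does not grant the same-name access it would otherwise grant.  Note
      also that a user field in /etc/hosts.equiv is compared only with the
      remote user name, so an entry such as "hostB root" there admits root
      on hostB to every non-superuser account on the local host.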

 WARNINGS
      For security purposes, the files /etc/hosts.equiv and .rhosts should
      exist and be readable and writable only by the owner, even if they are
      empty.

      Care must be exercised when creating the /etc/hosts.equiv

      The -l option to remshd and rlogind prevents any authentication based
      on .rhosts files for users other than a superuser.
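
      An added audit script, not HP-UX code, that checks one hosts.equiv or
      .rhosts file for the conditions stated in DESCRIPTION and WARNINGS:
      the file exists, is a regular file rather than a symbolic link, is
      owned by root or by the account it protects, carries no group or
      other permission bits, and contains no "+" host entry.  The helper
      names, the finding messages and the sample files that
      build_fixture() writes to a temporary directory are the example's
      own constructions.

```python
# Added example, not HP-UX code: audits one hosts.equiv or .rhosts file
# against the conditions above (present, a regular file rather than a
# symbolic link, owned by root or by the account, readable/writable by the
# owner only) and flags '+' host entries.  build_fixture() writes
# constructed sample files to a temporary directory.
import os
import stat
import tempfile
from typing import Dict, List


def audit_hostequiv(path: str, account_uid: int) -> List[str]:
    """Return findings for one file; an empty list means it passes."""
    try:
        st = os.lstat(path)                  # lstat so a symlink is not followed
    except FileNotFoundError:
        return ["missing: the file should exist even if empty"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: .rhosts must not be a symbolic link"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid not in (0, account_uid):
        findings.append(f"owner uid {st.st_uid}: must be root or uid {account_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o}: "
                        "group/other bits set, want 0600")
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue                     # blank or comment line
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            if host == "+":
                scope = "every user" if user == "+" else (user or "same-named users")
                findings.append(f"line {lineno}: '+' trusts every host for {scope}")
    return findings


def build_fixture() -> Dict[str, str]:
    """Constructed samples: compliant file, world-readable '+ +' file,
    symbolic link, and a path that does not exist.  Returns name -> path."""
    d = tempfile.mkdtemp(prefix="hostequiv-audit-")
    good = os.path.join(d, "good.rhosts")
    with open(good, "w") as fh:
        fh.write("# trusted peer\nhostB chm\n")
    os.chmod(good, 0o600)
    bad = os.path.join(d, "bad.rhosts")
    with open(bad, "w") as fh:
        fh.write("+ +\n")
    os.chmod(bad, 0o644)
    link = os.path.join(d, "link.rhosts")
    os.symlink(good, link)
    return {"good": good, "bad": bad, "link": link,
            "missing": os.path.join(d, "none.rhosts")}


def run_demo() -> Dict[str, List[str]]:
    """Audit each fixture file as the current user; returns name -> findings."""
    return {name: audit_hostequiv(p, os.getuid())
            for name, p in build_fixture().items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or ["ok"])
```

      On a real system the same function would be run over /etc/hosts.equiv
      with account_uid 0 and over each $HOME/.rhosts with the owner's uid;
      the symlink and ownership checks mirror the conditions under which
      ruserok() refuses to honour a .rhosts file at all.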




 AUTHOR
      hosts.equiv was developed by the University of California, Berkeley.

      The +, -name, +@netgroup_name, and -@netgroup_name extensions were
      developed by Sun Microsystems, Inc.

 FILES
      $HOME/.rhosts
      /etc/hosts.equiv

 SEE ALSO
      rcp(1), rdist(1), remsh(1), rlogin(1), remshd(1M), rlogind(1M),
      gethostent(3N), rcmd(3N), netgroup(4).
