hosts.equiv(4)                   File Formats                   hosts.equiv(4)



NAME
       hosts.equiv, rhosts - trusted remote hosts and users

DESCRIPTION
       The /etc/hosts.equiv and .rhosts files provide the "remote
       authentication" database for rlogin(1), rsh(1), rcp(1), and
       rcmd(3SOCKET). The files specify remote hosts and users that are
       considered "trusted". Trusted users are allowed to access the local
       system without supplying a password. The library routine ruserok()
       (see rcmd(3SOCKET)) performs the authentication procedure for
       programs by using the /etc/hosts.equiv and .rhosts files. The
       /etc/hosts.equiv file applies to the entire system, while individual
       users can maintain their own .rhosts files in their home directories.

       These  files  bypass  the  standard  password-based user authentication
       mechanism. To maintain system security, care must be taken in  creating
       and maintaining these files.

       The remote authentication procedure determines whether a user from a
       remote host should be allowed to access the local system with the
       identity of a local user. This procedure first checks the
       /etc/hosts.equiv file and then checks the .rhosts file in the home
       directory of the local user who is requesting access. Entries in
       these files can be of two forms. Positive entries allow access, while
       negative entries deny access. The authentication succeeds when a
       matching positive entry is found. The procedure fails when the first
       matching negative entry is found, or if no matching entries are found
       in either file. The order of entries is important. If the files
       contain both positive and negative entries, the entry that appears
       first will prevail. The rsh(1) and rcp(1) programs fail if the remote
       authentication procedure fails. The rlogin program falls back to the
       standard password-based login procedure if the remote authentication
       fails.

       Both files are formatted as a list of one-line entries.  Each entry has
       the form:

       hostname [username]

       Hostnames must be the official name of the host, not one of its
       nicknames.

       Negative entries are differentiated from  positive  entries  by  a  `-'
       character preceding either the  hostname or username field.

   Positive Entries
       If the form:

       hostname

       is  used, then users from the named host are trusted. That is, they may
       access the system with the same user name as they have  on  the  remote
       system. This form may be used in both the  /etc/hosts.equiv and .rhosts
       files.

       If the line is in the form:

       hostname username

       then the named user from the named host can  access  the  system.  This
       form  may be used in individual .rhosts files to allow  remote users to
       access the system as a different local user. If this form  is  used  in
       the  /etc/hosts.equiv  file,  the  named remote user will be allowed to
       access the system as  any local user.

       netgroup(4) can be used in either the  hostname or username  fields  to
       match a number of hosts or users in one entry. The form:

       +@netgroup

       allows access from all hosts in the named netgroup. When used in the
       username field, netgroups allow a group of remote users to access the
       system as a particular local user. The form:

       hostname +@netgroup

       allows  all  of  the users in the named netgroup from the named host to
       access the system as the local user. The form:

       +@netgroup1 +@netgroup2

       allows the users in netgroup2 from the hosts in netgroup1 to access the
       system as the local user.

       The  special  character  `+' can be used in place of either hostname or
       username to match any host or user. For example, the entry

       +

       will allow a user from any remote host to access the  system  with  the
       same username. The entry

       + username

       will  allow  the  named user from any remote host to access the system.
       The entry

       hostname +

       will allow any user from the named host to access  the  system  as  the
       local user.

   Negative Entries
       Negative entries are preceded by a `-' sign. The form:

       -hostname

       will disallow all access from the named host. The form:

       -@netgroup

       means  that access is explicitly disallowed from all hosts in the named
       netgroup. The form:

       hostname -username

       disallows access by the named user only from the named host, while  the
       form:

       + -@netgroup

       will disallow access by all of the users in the named netgroup from all
       hosts.

   Search Sequence
       To help maintain system security,  the  /etc/hosts.equiv  file  is  not
       checked  when  access  is  being  attempted for super-user. If the user
       attempting access is not the super-user, /etc/hosts.equiv  is  searched
       for  lines  of  the  form described above. Checks are made for lines in
       this file in the following order:

       1.  +

       2.  +@netgroup

       3.  -@netgroup

       4.  -hostname

       5.  hostname

       The user is granted access if a positive match occurs. Negative
       entries apply only to /etc/hosts.equiv and may be overridden by
       subsequent .rhosts entries.

       If no positive match occurred, the .rhosts file is then searched if
       the user attempting access maintains such a file. This file is
       searched whether or not the user attempting access is the super-user.
       As a security feature, the .rhosts file must be owned by the user who
       is attempting access. Checks are made for lines in .rhosts in the
       following order:

       1.  +

       2.  +@netgroup

       3.  -@netgroup

       4.  -hostname

       5.  hostname
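
       The decision procedure described under DESCRIPTION and Search
       Sequence, modelled in Python as an added example; it is not Solaris
       libc code and is not part of this manual page. It takes the rules as
       the page states them: within a file the first matching entry
       prevails, /etc/hosts.equiv is skipped when access is attempted for
       the super-user, a negative /etc/hosts.equiv match does not end the
       procedure because a later .rhosts entry may override it, and .rhosts
       is ignored unless it is owned by the local user being accessed.
       Assumptions: netgroups are supplied as a dict of name to (host, user)
       pairs, file contents are passed as strings, and the .rhosts owner is
       passed by name instead of being read with stat(2); every hostname,
       user and netgroup in the sample data is constructed.

```python
"""Model of the hosts.equiv / .rhosts decision procedure (added example).

Not Solaris libc code: it follows the rules as the manual page states them.
Constructed assumptions: netgroups are a dict name -> [(host, user), ...],
file contents are strings, and the ~/.rhosts owner is passed in by name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Netgroups = Dict[str, List[Tuple[str, str]]]


@dataclass(frozen=True)
class Field:
    negative: bool           # token began with '-'
    netgroup: Optional[str]  # '+@name' or '-@name' -> name
    name: Optional[str]      # literal hostname or username
    wildcard: bool           # bare '+' matches any host or user


Entry = Tuple[Field, Optional[Field]]  # hostname field, optional username field

def parse_field(token: str) -> Field:
    """One whitespace-separated token of a 'hostname [username]' line."""
    negative = token.startswith("-")
    body = token[1:] if negative else token
    if body.startswith("+@") or body.startswith("@"):
        return Field(negative, body.split("@", 1)[1], None, False)
    if body == "+":
        return Field(negative, None, None, True)
    return Field(negative, None, body, False)

def parse_file(text: str) -> List[Entry]:
    """Each non-blank line is one entry; file order is preserved."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if len(tokens) > 2:
            raise ValueError("malformed entry: %r" % raw)
        user = parse_field(tokens[1]) if len(tokens) == 2 else None
        entries.append((parse_field(tokens[0]), user))
    return entries

def field_matches(f: Field, value: str, ng: Netgroups, pos: int) -> bool:
    """pos 0 compares with the host part of netgroup members, pos 1 the user part."""
    if f.wildcard:
        return True
    if f.netgroup is not None:
        return any(member[pos] == value for member in ng.get(f.netgroup, []))
    return f.name == value

def scan(entries: List[Entry], rhost: str, ruser: str, luser: str,
         ng: Netgroups) -> Optional[bool]:
    """First matching entry prevails: True = allow, False = deny, None = no match."""
    for host, user in entries:
        if not field_matches(host, rhost, ng, 0):
            continue
        if user is None:
            # 'hostname' trusts same-named users only; '-hostname' denies everyone.
            if not host.negative and ruser != luser:
                continue
            return not host.negative
        if not field_matches(user, ruser, ng, 1):
            continue
        return not (host.negative or user.negative)
    return None

def ruserok(rhost: str, ruser: str, luser: str, hosts_equiv: str,
            rhosts: Optional[str], rhosts_owner: Optional[str],
            ng: Netgroups) -> bool:
    """May ruser@rhost act as local user luser without a password?"""
    if luser != "root":  # /etc/hosts.equiv is never consulted for the super-user
        if scan(parse_file(hosts_equiv), rhost, ruser, luser, ng) is True:
            return True
        # A negative hosts.equiv match is not final: .rhosts is still consulted.
    if rhosts is None or rhosts_owner != luser:  # .rhosts must belong to luser
        return False
    return scan(parse_file(rhosts), rhost, ruser, luser, ng) is True

# Constructed sample data, not taken from the manual page.
NETGROUPS: Netgroups = {
    "labhosts": [("alpha.example", ""), ("beta.example", "")],
    "ops": [("", "carol"), ("", "dave")],
}
HOSTS_EQUIV = "+@labhosts\n-gamma.example\ndelta.example bob\n+ -@ops\n"

if __name__ == "__main__":
    cases = [
        ("alpha.example", "alice", "alice", None, None),
        ("delta.example", "bob", "alice", None, None),  # bob accepted as alice
        ("gamma.example", "alice", "alice", "gamma.example\n", "alice"),
        ("zeta.example", "carol", "carol", None, None),
    ]
    for rhost, ruser, luser, rhosts, owner in cases:
        ok = ruserok(rhost, ruser, luser, HOSTS_EQUIV, rhosts, owner, NETGROUPS)
        print("%s@%s as %s: %s" % (ruser, rhost, luser, "allow" if ok else "deny"))
```

       Running the module prints a verdict for each constructed case. The
       `delta.example bob` line is the situation the WARNINGS section
       cautions against: because the entry sits in /etc/hosts.equiv, bob is
       accepted as alice, or as any other local user. The `-gamma.example`
       case shows a negative /etc/hosts.equiv entry being overridden by the
       user's own .rhosts, and the same call with a .rhosts owned by someone
       else is refused.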


FILES
       /etc/hosts.equiv        system trusted hosts and users

       ~/.rhosts               user's trusted hosts and users

SEE ALSO
       rcp(1),   rlogin(1),   rsh(1),  rcmd(3SOCKET),  hosts(4),  netgroup(4),
       passwd(4)

WARNINGS
       Positive entries in /etc/hosts.equiv that include a username field
       (either an individual named user, a netgroup, or `+' sign) should be
       used with extreme caution. Because /etc/hosts.equiv applies
       system-wide, these entries allow one, or a group of, remote users to
       access the system as any local user. This can be a security hole. For
       example, because of the search sequence, an /etc/hosts.equiv file
       consisting of the entries

       +
       -hostxxx

       will not deny access to "hostxxx".
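
       An audit helper for the pitfalls described in this section, added
       here as an example; it is not part of the manual page or of Solaris.
       It reports a bare `+`, any positive entry carrying a username field
       (which, in /etc/hosts.equiv, grants access as any local user), and a
       negative entry that follows a positive entry already matching the
       same host, which the search sequence renders ineffective, as with the
       `+` / `-hostxxx` pair above. The file text is passed as a string, the
       sample contents are constructed, and the finding codes are this
       example's own.

```python
"""Lint an /etc/hosts.equiv file for the pitfalls named under WARNINGS.

Added example, not part of the manual page or of Solaris. It takes the file
text as a string and returns (line number, code, message) tuples; the
finding codes are this example's own and the sample below is constructed.
"""
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]

def split_entry(raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host_token, user_token or None), or None for a blank line."""
    tokens = raw.split()
    if not tokens:
        return None
    return tokens[0], (tokens[1] if len(tokens) > 1 else None)

def strip_sign(token: str) -> str:
    """'-hostxxx' -> 'hostxxx', '+@ng' and '-@ng' -> '@ng', so forms compare."""
    return token.lstrip("+-")

def audit_hosts_equiv(text: str) -> List[Finding]:
    findings: List[Finding] = []
    positives: List[Tuple[int, str, Optional[str]]] = []  # earlier positive entries
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = split_entry(raw)
        if parsed is None:
            continue
        host, user = parsed
        negative = host.startswith("-") or (user is not None and user.startswith("-"))
        if negative:
            # The first matching entry prevails, so a negative entry cannot undo
            # an earlier positive entry that already matches the same host.
            for earlier_line, ehost, euser in positives:
                same_host = ehost == "+" or strip_sign(ehost) == strip_sign(host)
                if same_host and euser in (None, "+"):
                    findings.append((lineno, "SHADOWED",
                                     "negative entry does not deny what the positive "
                                     "entry on line %d already allows" % earlier_line))
                    break
            continue
        positives.append((lineno, host, user))
        if host == "+" and user is None:
            findings.append((lineno, "ANY_HOST",
                             "every remote host is trusted for same-named users"))
        elif user is not None:
            where = "any host" if host == "+" else host
            findings.append((lineno, "USER_FIELD",
                             "remote user(s) '%s' from %s may access the system as "
                             "any local user" % (user, where)))
    return findings

# Constructed sample: the two-line file from the WARNINGS section plus a
# system-wide username entry.
SAMPLE = "+\n-hostxxx\ndelta.example bob\n"

if __name__ == "__main__":
    for lineno, code, message in audit_hosts_equiv(SAMPLE):
        print("line %d: %s: %s" % (lineno, code, message))
```

       The SHADOWED check is deliberately conservative: it only reports a
       negative entry when an earlier positive entry names the same host
       (or `+`) and has no username restriction, so every finding it
       produces corresponds to a case the search sequence above makes
       ineffective.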



SunOS 5.10                        23 Jun 1997                   hosts.equiv(4)