unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



File Formats                                       hosts.equiv(4)



NAME
     hosts.equiv, rhosts - trusted remote hosts and users

DESCRIPTION
     The /etc/hosts.equiv and .rhosts files provide  the  "remote
     authentication"  database for rlogin(1), rsh(1), rcp(1), and
     rcmd(3SOCKET). The files specify remote hosts and users that
     are  considered   "trusted".   Trusted  users are allowed to
     access the local system without supplying  a  password.  The
     library  routine  ruserok() (see rcmd(3SOCKET)) performs the
     authentication  procedure  for   programs   by   using   the
     /etc/hosts.equiv  and  .rhosts  files. The  /etc/hosts.equiv
     file applies to the entire system,  while  individual  users
     can  maintain  their  own .rhosts files in their home direc-
     tories.

     These files bypass the standard password-based user  authen-
     tication  mechanism.  To maintain system security, care must
     be taken in creating and maintaining these files.

     The remote authentication  procedure  determines  whether  a
     user  from  a  remote  host  should be allowed to access the
     local system with the identity of a local  user.  This  pro-
     cedure  first  checks  the  /etc/hosts.equiv  file  and then
     checks the .rhosts file in the home directory of  the  local
     user who is requesting access. Entries in these files can be
     of two forms. Positive entries  allow access,  while   nega-
     tive entries deny access. The authentication succeeds when a
     matching positive entry is found. The procedure  fails  when
     the  first matching negative entry is found, or if no match-
     ing entries are found in either file. The order  of  entries
     is  important.  If the files contain both positive and nega-
     tive entries, the entry that appears first will prevail. The
     rsh(1) and rcp(1) programs fail if the remote authentication
     procedure fails. The rlogin program falls back to the  stan-
     dard  password-based login procedure if the remote authenti-
     cation fails.

     Both files are formatted as  a  list  of  one-line  entries.
     Each entry has the form:

     hostname [username]

     Hostnames must be the official name of the host, not one  of
     its nicknames.

     Negative entries are differentiated from positive entries by
     a  `-'  character preceding either the  hostname or username
     field.

  Positive Entries




SunOS 5.9           Last change: 23 Jun 1997                    1






File Formats                                       hosts.equiv(4)



     If the form:

     hostname

     is used, then users from the named host  are  trusted.  That
     is,  they  may  access the system with the same user name as
     they have on the remote system. This form  may  be  used  in
     both the  /etc/hosts.equiv and .rhosts files.

     If the line is in the form:

     hostname username

     then the named user from the named host can access the  sys-
     tem.  This  form  may be used in individual .rhosts files to
     allow  remote users to access  the  system  as  a  different
     local  user.  If  this  form is used in the /etc/hosts.equiv
     file, the named remote user will be allowed  to  access  the
     system as  any local user.

     netgroup(4) can be used in either the  hostname or  username
     fields to match a number of hosts or users in one entry. The
     form:

     +@netgroup

     allows access from all hosts in  the  named  netgroup.  When
     used  in  the  username  field,  netgroups  allow a group of
     remote users to access the  system  as  a  particular  local
     user.
      The form:

     hostname +@netgroup

     allows all of the users in the named netgroup from the named
     host to access the system as the local user. The form:

     +@netgroup1 +@netgroup2

     allows the users in netgroup2 from the hosts in netgroup1 to
     access the system as the local user.

     The special character `+' can be used  in  place  of  either
     hostname or username to match any host or user. For example,
     the entry

     +

     will allow a user from any remote host to access the  system
     with the same username. The entry





SunOS 5.9           Last change: 23 Jun 1997                    2






File Formats                                       hosts.equiv(4)



     + username

     will allow the named user from any remote host to access the
     system. The entry

     hostname +

     will allow any user from the named host to access the system
     as the local user.

  Negative Entries
     Negative entries are preceded by a `-' sign. The form:

     -hostname

     will disallow all access from the named host. The form:

     -@netgroup

     means that access is explicitly disallowed from all hosts in
     the named netgroup. The form:

     hostname -username

     disallows access by the named user only from the named host,
     while the form:

     + -@netgroup

     will disallow access by all of the users in the  named  net-
     group from all hosts.

  Search Sequence
     To help maintain system security, the /etc/hosts.equiv  file
     is  not  checked  when  access is being attempted for super-
     user. If the user attempting access is not  the  super-user,
     /etc/hosts.equiv is searched for lines of the form described
     above. Checks are made for lines in this file in the follow-
     ing order:

     1. +

     2. +@netgroup

     3. -@netgroup

     4. -hostname

     5. hostname

     The user is granted access  if  a  positive  match  occurrs.
     Negative  entries  apply only to /etc/hosts.equiv and may be



SunOS 5.9           Last change: 23 Jun 1997                    3






File Formats                                       hosts.equiv(4)



     overridden by subsequent .rhosts entries.

     If no positive match occurred,  the  .rhosts  file  is  then
     searched  if  the  user  attempting  access maintains such a
     file. This file is searched whether or not the user attempt-
     ing  access  is  the  super-user. As a security feature, the
     .rhosts file must be owned by the  user  who  is  attempting
     access.  Checks are made for lines in .rhosts in the follow-
     ing order:

     1. +

     2. +@netgroup

     3. -@netgroup

     4. -hostname

     5. hostname

FILES
     /etc/hosts.equiv
           system trusted hosts and users

     ~/.rhosts
           user's trusted hosts and users

SEE ALSO
     rcp(1), rlogin(1),  rsh(1),  rcmd(3SOCKET),  hosts(4),  net-
     group(4), passwd(4)

WARNINGS
     Positive entries in /etc/hosts.equiv that include a username
     field  (either  an individual named user, a netgroup, or `+'
     sign)   should  be  used  with  extreme   caution.   Because
     /etc/hosts.equiv  applies  system-wide, these entries  allow
     one, or a group of, remote users to access the system as any
     local  user.   This  can  be  a  security hole. For example,
     because of the search  sequence,  an  /etc/hosts.equiv  file
     consisting of the entries

     +
     -hostxxx

     will not deny access to "hostxxx".










SunOS 5.9           Last change: 23 Jun 1997                    4