hosts.equiv(5) - NetBSD Manual Pages

Command: Section: Arch: Collection:  
HOSTS.EQUIV(5)            NetBSD Programmer's Manual            HOSTS.EQUIV(5)

hosts.equiv, .rhosts - trusted remote hosts and host-user pairs
The hosts.equiv and .rhosts files list hosts and users which are ``trust- ed'' by the local host when a connection is made via rlogind(8), rshd(8), or any other server that uses ruserok(3). This mechanism bypasses pass- word checks, and is required for access via rsh(1). Each line of these files has the format: hostname [username] The hostname may be specified as a host name (typically a fully qualified host name in a DNS environment) or address, +@netgroup (from which only the host names are checked), or a ``+'' wildcard (allow all hosts). The username, if specified, may be given as a user name on the remote host, +@netgroup (from which only the user names are checked), or a ``+'' wildcard (allow all remote users). If a username is specified, only that user from the specified host may login to the local machine. If a username is not specified, any user may login with the same user name.
somehost A common usage: users on somehost may login to the local host as the same user name. somehost username The user username on somehost may login to the local host. If specified in /etc/hosts.equiv, the user may login with only the same user name. +@anetgroup username The user username may login to the local host from any machine listed in the netgroup anetgroup. + + + Two severe security hazards. In the first case, allows a user on any machine to login to the local host as the same user name. In the second case, allows any user on any machine to login to the lo- cal host (as any user, if in /etc/hosts.equiv).
The username checks provided by this mechanism are not secure, as the re- mote user name is received by the server unchecked for validity. There- fore this mechanism should only be used in an environment where all hosts are completely trusted. A numeric host address instead of a host name can help security consider- ations somewhat; the address is then used directly by iruserok(3). When a username (or netgroup, or +) is specified in /etc/hosts.equiv, that user (or group of users, or all users, respectively) may login to the local host as any local user. Usernames in /etc/hosts.equiv should therefore be used with extreme caution, or not at all. A .rhosts file must be owned by the user whose home directory it resides in, and must be writable only by that user. Logins as root only check root's .rhosts file; the /etc/hosts.equiv file is not checked for security. Access permitted through root's .rhosts file is typically only for rsh(1), as root must still login on the con- sole for an interactive login such as rlogin(1).
/etc/hosts.equiv Global trusted host-user pairs list ~/.rhosts Per-user trusted host-user pairs list
rcp(1), rlogin(1), rsh(1), rcmd(3), ruserok(3), netgroup(5)
The .rhosts file format appeared in 4.2BSD.
The ruserok(3) implementation currently skips negative entries (preceded with a ``-'' sign) and does not treat them as ``short-circuit'' negative entries. NetBSD 1.5 November 26, 1997 2
Powered by man-cgi (2021-06-01). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.