hosts.equiv(4)                   File Formats                   hosts.equiv(4)


NAME

       hosts.equiv, rhosts - trusted remote hosts and users

DESCRIPTION

       The  /etc/hosts.equiv and .rhosts files provide the "remote authentica‐
       tion" database for rlogin(1), rsh(1), rcp(1),  and  rcmd(3SOCKET).  The
       files  specify  remote  hosts and users that are considered  "trusted".
       Trusted users are allowed to access the local system without  supplying
       a  password. The library routine ruserok() (see rcmd(3SOCKET)) performs
       the authentication procedure for programs by using the /etc/hosts.equiv
       and  .rhosts  files.  The   /etc/hosts.equiv file applies to the entire
       system, while individual users can maintain their own .rhosts files  in
       their home directories.

       These  files  bypass  the  standard  password-based user authentication
       mechanism. To maintain system security, care must be taken in  creating
       and maintaining these files.

       The  remote  authentication  procedure determines whether a user from a
       remote host should be allowed to access the local system with the iden‐
       tity  of a local user. This procedure first checks the /etc/hosts.equiv
       file and then checks the .rhosts file in  the  home  directory  of  the
       local  user  who is requesting access. Entries in these files can be of
       two forms. Positive entries  allow access, while  negative entries deny
       access.  The  authentication succeeds when a matching positive entry is
       found. The procedure fails when the first matching  negative  entry  is
       found, or if no matching entries are found in either file. The order of
       entries is important. If the files contain both positive  and  negative
       entries,  the  entry  that  appears  first will prevail. The rsh(1) and
       rcp(1) programs fail if the remote authentication procedure fails.  The
       rlogin  program  falls back to the standard password-based login proce‐
       dure if the remote authentication fails.

       Both files are formatted as a list of one-line entries.  Each entry has
       the form:

         hostname [username]

       Hostnames  must  be the official name of the host, not one of its nick‐
       names.

       Negative entries are differentiated from  positive  entries  by  a  `−'
       character preceding either the  hostname or username field.

   Positive Entries
       If the form:

         hostname

       is  used, then users from the named host are trusted. That is, they may
       access the system with the same user name as they have  on  the  remote
       system. This form may be used in both the  /etc/hosts.equiv and .rhosts
       files.

       If the line is in the form:

         hostname username

       then the named user from the named host can  access  the  system.  This
       form  may be used in individual .rhosts files to allow  remote users to
       access the system as a different local user. If this form  is  used  in
       the  /etc/hosts.equiv  file,  the  named remote user will be allowed to
       access the system as  any local user.

       netgroup(4) can be used in either the  hostname or username  fields  to
       match a number of hosts or users in one entry. The form:

         +@netgroup

       allows  access  from  all hosts in the named netgroup. When used in the
       username field, netgroups allow a group of remote users to  access  the
       system as a particular local user.  The form:

         hostname +@netgroup

       allows  all  of  the users in the named netgroup from the named host to
       access the system as the local user. The form:

         +@netgroup1 +@netgroup2

       allows the users in netgroup2 from the hosts in netgroup1 to access the
       system as the local user.

       The  special  character  `+' can be used in place of either hostname or
       username to match any host or user. For example, the entry

         +

       will allow a user from any remote host to access the  system  with  the
       same username. The entry

         + username

       will  allow  the  named user from any remote host to access the system.
       The entry

         hostname +

       will allow any user from the named host to access  the  system  as  the
       local user.

   Negative Entries
       Negative entries are preceded by a `−' sign. The form:

         −hostname

       will disallow all access from the named host. The form:

         −@netgroup

       means  that access is explicitly disallowed from all hosts in the named
       netgroup. The form:

         −hostname username

       disallows access by the named user only from the named host, while  the
       form:

         + −@netgroup

       will disallow access by all of the users in the named netgroup from all
       hosts.

   Search Sequence
       To help maintain system security,  the  /etc/hosts.equiv  file  is  not
       checked  when  access  is  being  attempted for super-user. If the user
       attempting access is not the super-user, /etc/hosts.equiv  is  searched
       for  lines  of  the  form described above. Checks are made for lines in
       this file in the following order:

           1.     +

           2.     +@netgroup

           3.     −@netgroup

           4.     −hostname

           5.     hostname

       The user is granted access if a positive match occurs. Negative entries
       apply only to /etc/hosts.equiv and may be  overridden  by  subsequent
       .rhosts entries.

       If no positive match occurred, the .rhosts file is then searched if the
       local user being accessed maintains such a file. This file is  searched
       whether or not the user being accessed is the super-user. As a security
       feature, the .rhosts file must be owned by the local user in whose home
       directory  it  resides.  Checks  are  made  for  lines  in  .rhosts  in
       the following order:

           1.     +

           2.     +@netgroup

           3.     −@netgroup

           4.     −hostname

           5.     hostname


FILES

       /etc/hosts.equiv    system trusted hosts and users

       ~/.rhosts           user's trusted hosts and users


SEE ALSO

       rcp(1),   rlogin(1),   rsh(1),  rcmd(3SOCKET),  hosts(4),  netgroup(4),
       passwd(4)


WARNINGS

       Positive entries in /etc/hosts.equiv  that  include  a  username  field
       (either  an  individual named user, a netgroup, or `+' sign)  should be
       used with extreme caution. Because   /etc/hosts.equiv  applies  system-
       wide,  these  entries  allow one, or a group of, remote users to access
       the system as any local user. This can be a security hole. For example,
       because  of the search sequence, an /etc/hosts.equiv file consisting of
       the entries

         +
         −hostxxx

       will not deny access to "hostxxx": the `+' entry matches first, so the
       later negative entry is never reached. Because the first matching entry
       prevails, a negative entry must appear before any positive entry  that
       would otherwise match the same host or user.
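       The remote authentication procedure described under DESCRIPTION and
       Search Sequence, together with the WARNINGS example above, as an added
       Python model. This is not code from this manual page or from the Solaris
       rcmd(3SOCKET) library; it applies the rules as this page states them
       (the first matching entry prevails, /etc/hosts.equiv is skipped for the
       super-user, a negative hosts.equiv match may still be overridden by a
       positive .rhosts entry, and a matching negative .rhosts entry ends the
       search with failure). Netgroups are resolved from a constructed
       in-memory table standing in for netgroup(4), .rhosts ownership is
       passed in as a boolean, and all hostnames, usernames and netgroup names
       are made up. audit_hosts_equiv() is a hypothetical lint for the
       WARNINGS patterns, not a Solaris tool.

```python
"""Model of the hosts.equiv / .rhosts check as this manual page describes it.

Added illustration only: NOT the ruserok() routine from rcmd(3SOCKET).
Netgroups come from a constructed table rather than netgroup(4).
"""

# Constructed netgroup table standing in for netgroup(4); names are made up.
NETGROUPS = {
    "trustedhosts": {"alpha.example.com", "beta.example.com"},
    "admins": {"alice", "bob"},
}


def _field_matches(field, value, netgroups):
    """Match one host or user field against a value; return (matched, negative).

    Accepted forms: '+', '+@netgroup', '-@netgroup', '-name', 'name'.
    The typographic minus used in the rendered page is treated as '-'.
    """
    field = field.replace("\u2212", "-")
    if field == "+":
        return True, False
    negative = field.startswith("-")
    body = field[1:] if field[0] in "+-" else field
    if body.startswith("@"):
        matched = value in netgroups.get(body[1:], set())
    else:
        matched = body == value
    return matched, negative


def _match_entry(fields, rhost, ruser, luser, netgroups):
    """Return 'allow', 'deny', or None when the entry does not apply."""
    host_ok, host_neg = _field_matches(fields[0], rhost, netgroups)
    if not host_ok:
        return None
    if len(fields) == 1:
        # 'hostname' alone trusts only the same username as on the remote
        # host; '-hostname' alone refuses every user from that host.
        if host_neg:
            return "deny"
        return "allow" if ruser == luser else None
    user_ok, user_neg = _field_matches(fields[1], ruser, netgroups)
    if not user_ok:
        return None
    return "deny" if (host_neg or user_neg) else "allow"


def _search(text, rhost, ruser, luser, netgroups):
    """Scan one file top to bottom; the first applicable entry decides."""
    for raw in text.splitlines():
        fields = raw.split()
        if fields:
            verdict = _match_entry(fields[:2], rhost, ruser, luser, netgroups)
            if verdict is not None:
                return verdict
    return None


def remote_auth(rhost, ruser, luser, hosts_equiv, rhosts=None,
                rhosts_owned_by_luser=True, netgroups=NETGROUPS):
    """True if ruser@rhost may access local account luser without a password."""
    if luser != "root":  # hosts.equiv is never consulted for the super-user
        if _search(hosts_equiv, rhost, ruser, luser, netgroups) == "allow":
            return True
    # A hosts.equiv 'deny' is not final: the user's .rhosts is still searched.
    if rhosts is None or not rhosts_owned_by_luser:
        return False
    return _search(rhosts, rhost, ruser, luser, netgroups) == "allow"


def audit_hosts_equiv(text):
    """Hypothetical lint for the /etc/hosts.equiv patterns under WARNINGS.

    Returns a list of (line_number, message).
    """
    findings = []
    wildcard_host_seen = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = [f.replace("\u2212", "-") for f in raw.split()]
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user or "").startswith("-"):
            if wildcard_host_seen:
                findings.append((lineno, "negative entry comes after a '+' entry and cannot undo the trust it grants"))
            continue
        if host == "+":
            findings.append((lineno, "'+' in the host field trusts every host"))
            wildcard_host_seen = True
        if user is not None:
            findings.append((lineno, "username field grants access as ANY local user"))
    return findings


# Constructed sample files: the WARNINGS example and the same entries reordered.
HOSTS_EQUIV_BAD = "+\n-hostxxx.example.com\n"
HOSTS_EQUIV_FIXED = "-hostxxx.example.com\n+\n"

if __name__ == "__main__":
    print(remote_auth("hostxxx.example.com", "carol", "carol", HOSTS_EQUIV_BAD))    # True
    print(remote_auth("hostxxx.example.com", "carol", "carol", HOSTS_EQUIV_FIXED))  # False
    for lineno, msg in audit_hosts_equiv(HOSTS_EQUIV_BAD):
        print(f"hosts.equiv:{lineno}: {msg}")
```

       Running the file shows the WARNINGS case: with `+' first, hostxxx is
       admitted; with the negative entry moved ahead of `+', it is refused.
       The model takes the official hostname as given, so it says nothing
       about how the peer address is resolved to that name.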


SunOS 5.11                        23 Jun 1997                   hosts.equiv(4)