NAME
hosts.equiv, .rhosts - security files authorizing access by remote hosts and users on local host

DESCRIPTION
The /etc/hosts.equiv file and files named .rhosts found in users' home directories specify remote hosts and users that are "equivalent" to the local host or user. Users from equivalent remote hosts are permitted to access a local account using rcp or remsh, or to rlogin to the local account, without supplying a password (see rcp(1), remsh(1), and rlogin(1)). The security provided by hosts.equiv is implemented by the ruserok() library routine (see rcmd(3N)). In this description, hostequiv means either the system /etc/hosts.equiv file or the user .rhosts file.

Note that .rhosts must be owned either by root or by the user in whose home directory it is found, and it must not be a symbolic link.

The /etc/hosts.equiv file defines system-wide equivalency, whereas a user's .rhosts file defines equivalency between the local user and any remote users to whom the local user chooses to allow or deny access. An entry in the hostequiv file is a single line (no continuations) in the format:

    [hostname [username]] [#comment]

Thus, it can be:

- A comment line, beginning with a #.
- A host name, optionally followed by a comment.
- A host name and user name, optionally followed by a comment.

A host or user name is a string of printable characters, excluding whitespace, newlines, and #. Names are separated by whitespace.
For a user to be granted access, both the remote host name and the user name must "match" an entry in hostequiv. When a request is made for access, the /etc/hosts.equiv file is searched first. If a match is found, access is permitted. If no match is found, the .rhosts file is searched, if one exists in the local user's home directory. If the local user is a superuser, /etc/hosts.equiv is ignored. A host name or user name must match the corresponding field entry in hostequiv in one of the following ways:
- Literal match
  A host name in hostequiv can literally match the official host name (not an alias) of the remote host. A user name in hostequiv can literally match the remote user name. For a user name to have a literal match in the /etc/hosts.equiv file, the remote user name must literally match the local user name.

- Domain-extended match
  The remote host name to be compared with entries in hostequiv is typically the official host name returned by gethostbyaddr() (see gethostent(3N)). In a domain-naming environment, this is a domain-qualified name. If a host name in hostequiv does not literally match the remote host name, the host name in hostequiv with the local domain name appended may match the remote host name.

- -name
  If the host name in hostequiv is of this form, and if name literally matches the remote host name or if name with the local domain name appended matches the remote host name, access is denied regardless of the user name. If the user name in hostequiv is of this form, and name literally matches the remote user name, access is denied. Even if access is denied in this way by /etc/hosts.equiv, access can still be allowed by .rhosts.

- +
  Any remote host name matches the host name + in hostequiv. Any remote user matches the user name +.

- +@netgroup_name
  netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form, the remote host name (only) must match the specified network group according to the rules defined in netgroup(4) in order for the host name to match. Similarly, if the user name in hostequiv is of this form, the remote user name (only) must match the specified network group in order for the user name to match.

- -@netgroup_name
  netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form, and if the remote host name (only) matches the specified network group according to the rules defined in netgroup(4), access is denied. Similarly, if the user name in hostequiv is of this form, and if the remote user name (only) matches the specified network group, access is denied. Even if access is denied in this way by /etc/hosts.equiv, access can still be allowed by .rhosts.
EXAMPLES

- 1. /etc/hosts.equiv on hostA contains the line:

  and /etc/hosts.equiv on hostB is empty. User chm on hostB can use remsh to hostA, or rlogin to account chm on hostA, without being prompted for a password. chm will, however, be prompted for a password with rlogin, or denied access with remsh, from hostA to hostB. If .rhosts in the home directory of user chm on hostB contains:

  or

  then user chm can access hostB from hostA.

- 2. hostA is in the domain arg.bob.com. hostB and hostC are in the domain oink.bob.com. .rhosts in the home directory of user chm on hostB contains:

  User chm can access hostB from hostC, since hostC.oink.bob.com matches hostC with hostB's local domain oink.bob.com appended. But user chm from hostA cannot access hostB, since hostA.arg.bob.com does not match hostA.oink.bob.com. In order for user chm to be able to access hostB from hostA, chm's .rhosts file on hostB must contain:

  since hostA is in a different domain.

- 3. .rhosts in the home directory of user chm on hostA contains:

  /etc/hosts.equiv on hostB contains the line:

  However, there is no file .rhosts in the home directory of user chm on hostB. The user root on hostB can rlogin to account chm on hostA without being prompted for a password, but root on hostA cannot rlogin to account chm on hostB.

- 4. .rhosts in the home directory of user chm on hostA contains:

  User chm from any host is allowed to access account chm on hostA. User root from any host except hostB can access account chm on hostA.

- 5. /etc/hosts.equiv on hostA contains the lines:

  Any user from hostB except chm is allowed to access an account on hostA with the same user name. However, if .rhosts in the home directory of user chm on hostA contains:

  then user chm from hostB can access account chm on hostA.

- 6. /etc/hosts.equiv on hostA contains the line:

  The network group example_group consists of:

      example_group ( , ,EXAMPLE_DOMAIN)

  If hostA is not running Network Information Service (NIS), user chm on any host can access account chm on hostA. If hostA is running Network Information Service (NIS), and hostA is in the domain EXAMPLE_DOMAIN, user chm on any host, whether in EXAMPLE_DOMAIN or not, can access account chm on hostA. However, if .rhosts in the home directory of user chm on hostA contains the line:

  and hostA is either not running Network Information Service (NIS) or is in domain EXAMPLE_DOMAIN, no user chm on any host can access the account chm on hostA. If hostA is running Network Information Service (NIS) but is not in the domain EXAMPLE_DOMAIN, this line has no effect.

- 7. /etc/hosts.equiv on hostA contains the line:

  The network group example_group consists of:

  All users on hostB are denied access to hostA. However, if .rhosts in the home directory of a user on hostA contains any of the following lines:

      +@example_group chm
      hostB chm
      + chm

  then user chm on hostB can access that account on hostA.
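The matching rules in DESCRIPTION and the scenarios in EXAMPLES, as an added Python model of the documented semantics (this is not the rcmd(3N) library code and is not part of this manual page): it evaluates constructed hostequiv contents using the documented search order and match forms. Netgroup membership comes from a constructed lookup table standing in for netgroup(4); treating the first applicable entry as decisive, and applying the same-named-account rule of /etc/hosts.equiv to + and +@ user matches as well as to literal ones, are assumptions.

```python
# Constructed stand-in for netgroup(4) lookups: name -> (host names, user names).
NETGROUPS = {"example_group": ({"hostD.oink.bob.com"}, {"chm"})}

def parse_hostequiv(text):
    """Yield (host, user) per entry; user is None for host-only lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop #comment, split on whitespace
        if fields:
            yield fields[0], (fields[1] if len(fields) > 1 else None)

def _field_match(pattern, value, domain, netgroups, is_host):
    """One field against one value: 'allow', 'deny', or None (entry does not apply)."""
    if pattern == "+":
        return "allow"
    if pattern[:2] in ("+@", "-@"):  # netgroup: match hosts (or users) only
        hosts, users = netgroups.get(pattern[2:], (set(), set()))
        hit = value in (hosts if is_host else users)
    else:  # literal match, or domain-extended match for host names only
        name = pattern[1:] if pattern.startswith("-") else pattern
        hit = name == value or (is_host and domain is not None
                                and f"{name}.{domain}" == value)
    if not hit:
        return None
    return "deny" if pattern.startswith("-") else "allow"

def search(text, rhost, ruser, luser, domain, netgroups, system):
    """Search one file; the first entry that applies decides (assumed ordering)."""
    for hpat, upat in parse_hostequiv(text):
        hres = _field_match(hpat, rhost, domain, netgroups, True)
        if hres is None:
            continue
        if hres == "deny":  # -name / -@netgroup host: denied regardless of user
            return "deny"
        if upat is None:  # host-only entry: remote user must equal the local user
            ures = "allow" if ruser == luser else None
        else:
            ures = _field_match(upat, ruser, domain, netgroups, False)
            if ures == "allow" and system and ruser != luser:
                ures = None  # /etc/hosts.equiv user matches reach only the same-named account
        if ures is not None:
            return ures
    return None

def ruserok(rhost, ruser, luser, hosts_equiv, rhosts, domain=None,
            netgroups=NETGROUPS, superuser=False):
    """True if permitted: /etc/hosts.equiv first (ignored for a superuser), then .rhosts."""
    if not superuser and search(hosts_equiv, rhost, ruser, luser, domain, netgroups, True) == "allow":
        return True
    # A deny in /etc/hosts.equiv does not prevent .rhosts from allowing access.
    return rhosts is not None and search(rhosts, rhost, ruser, luser, domain, netgroups, False) == "allow"
```

Running a host's actual /etc/hosts.equiv and .rhosts contents through ruserok() for the accounts and remote hosts that matter is a quick way to audit which password-less paths a file really opens, including a .rhosts entry that silently overrides a -name deny in /etc/hosts.equiv.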
WARNINGS
For security purposes, the files /etc/hosts.equiv and .rhosts should exist and be readable and writable only by the owner, even if they are empty. Care must be exercised when creating the /etc/hosts.equiv

The -l option to remshd and rlogind prevents any authentication based on .rhosts files for users other than a superuser.

AUTHOR
hosts.equiv was developed by the University of California, Berkeley. The +, -name, +@netgroup_name, and -@netgroup_name extensions were developed by Sun Microsystems, Inc.

FILES
$HOME/.rhosts
/etc/hosts.equiv