hosts.equiv(4)

HP-UX 11i Version 3: February 2007
NAME

hosts.equiv, .rhosts — security files authorizing access by remote hosts and users on local host

DESCRIPTION

The /etc/hosts.equiv file and files named .rhosts found in users' home directories specify remote hosts and users that are "equivalent" to the local host or user. Users from equivalent remote hosts are permitted to access a local account using rcp or remsh, or to rlogin to the local account, without supplying a password (see rcp(1), remsh(1), and rlogin(1)). The security provided by hosts.equiv is implemented by the ruserok() library routine (see rcmd(3N)).

In this description, hostequiv means either the system /etc/hosts.equiv file or the user .rhosts file. Note that .rhosts must be owned either by the root or by the user in whose home directory it is found and it must not be a symbolic link. The /etc/hosts.equiv file defines system-wide equivalency, whereas a user's .rhosts file defines equivalency between the local user and any remote users to whom the local user chooses to allow or deny access.

An entry in the hostequiv file is a single line (no continuations) in the format:

[hostname [username]] [#comment]

Thus, it can be:

  • A blank line.

  • A comment line, beginning with a #.

  • A host name, optionally followed by a comment.

  • A host name and user name, optionally followed by a comment.

    A host or user name is a string of printable characters, excluding whitespace, newlines, and #.

    Names are separated by whitespace.

For a user to be granted access, both the remote host name and the user name must "match" an entry in hostequiv. When a request is made for access, the /etc/hosts.equiv file is searched first. If a match is found, access is permitted. If no match is found, the .rhosts file is searched, if one exists in the local user's home directory. If the local user is a superuser, /etc/hosts.equiv is ignored.

A host name or user name must match the corresponding field entry in hostequiv in one of the following ways:

Literal match

A host name in hostequiv can literally match the official host name (not an alias) of the remote host.

A user name in hostequiv can literally match the remote user name. For a user name to have literal match in the /etc/hosts.equiv file, the remote user name must literally match the local user name.

Domain-extended match

The remote host name to be compared with entries in hostequiv is typically the official host name returned by gethostbyaddr() (see gethostent(3N)). In a domain-naming environment, this is a domain-qualified name. If a host name in hostequiv does not literally match the remote host name, the host name in hostequiv with the local domain name appended may match the remote host name.

-name

If the host name in hostequiv is of this form, and if name literally matches the remote host name or if name with the local domain name appended matches the remote host name, access is denied regardless of the user name.

If the user name in hostequiv is of this form, and name literally matches the remote user name, access is denied.

Even if access is denied in this way by /etc/hosts.equiv, access can still be allowed by .rhosts.

+

Any remote host name matches the host name + in hostequiv.

Any remote user matches the user name +.

+@netgroup_name

netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form, the remote host name (only) must match the specified network group according to the rules defined in netgroup(4) in order for the host name to match.

Similarly, if the user name in hostequiv is of this form, the remote user name (only) must match the specified network group in order for the user name to match.

-@netgroup_name

netgroup_name is the name of a network group as defined in netgroup(4). If the host name in hostequiv is of this form, and if the remote host name (only) matches the specified network group according to the rules defined in netgroup(4), access is denied.

Similarly, if the user name in hostequiv is of this form, and if the remote user name (only) matches the specified network group, access is denied.

Even if access is denied in this way by /etc/hosts.equiv, access can still be allowed by .rhosts.
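The matching rules above, modelled in Python as an added example for auditing a hosts.equiv/.rhosts pair offline; this is not HP-UX's ruserok(). It assumes netgroups are supplied as a constructed dict of (host, user, domain) triples in which an empty field is a wildcard (as in netgroup(4)), that nis_domain=None models a host not running NIS, and that a -name or -@netgroup_name host entry ends the search of that file.

```python
def _in_netgroup(netgroups, group, value, pos, nis_domain):
    """Does value match position pos (0=host, 1=user) of a triple in group?"""
    for triple in netgroups.get(group, ()):
        if triple[2] and nis_domain is not None and triple[2] != nis_domain:
            continue                      # triple belongs to another NIS domain
        if triple[pos] in ("", value):    # empty field is a wildcard (assumed, per netgroup(4))
            return True
    return False

def _match_field(field, value, pos, local_domain, netgroups, nis_domain):
    """Return 'allow', 'deny' or None for one hostequiv field against value."""
    if field == "+":
        return "allow"
    if field.startswith(("+@", "-@")):   # +@netgroup_name / -@netgroup_name
        hit = _in_netgroup(netgroups, field[2:], value, pos, nis_domain)
    else:                                 # literal name, or -name denial
        name = field[1:] if field.startswith("-") else field
        hit = name == value or (pos == 0 and bool(local_domain)
                                and f"{name}.{local_domain}" == value)
    if not hit:
        return None
    return "deny" if field.startswith("-") else "allow"

def _search(lines, remote_host, remote_user, local_user, local_domain,
            netgroups, nis_domain, system_file):
    """Scan one hostequiv file top to bottom; the first matching line decides."""
    for raw in lines:
        fields = raw.split("#", 1)[0].split()   # drop #comment, split on whitespace
        if not fields:
            continue                             # blank or comment-only line
        host = _match_field(fields[0], remote_host, 0, local_domain, netgroups, nis_domain)
        if host is None:
            continue
        if host == "deny":
            return "deny"                        # denied regardless of user name
        if system_file and remote_user != local_user:
            continue                             # hosts.equiv equates same-named accounts only
        # a host-only line stands for the local user name (no user field given)
        user = _match_field(fields[1] if len(fields) > 1 else local_user,
                            remote_user, 1, local_domain, netgroups, nis_domain)
        if user is not None:
            return user

def ruserok_model(hosts_equiv, rhosts, remote_host, remote_user, local_user,
                  local_domain, netgroups=None, nis_domain=None):
    """True if the file pair admits remote_user@remote_host to local_user without a password."""
    args = (remote_host, remote_user, local_user, local_domain, netgroups or {}, nis_domain)
    if local_user != "root" and _search(hosts_equiv, *args, system_file=True) == "allow":
        return True   # a hosts.equiv denial is not final: .rhosts is still consulted
    return _search(rhosts, *args, system_file=False) == "allow"
```

Run against the page's examples 2, 4, 5 and 7 below, the model returns the outcomes those examples describe; the file lines and domain names are the page's own.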

EXAMPLES

1.

/etc/hosts.equiv on hostA contains the line:

hostB

and /etc/hosts.equiv on hostB is empty. User chm on hostB can use remsh to hostA, or rlogin to account chm on hostA without being prompted for a password. chm will, however, be prompted for a password with rlogin, or denied access with remsh, from hostA to hostB.

If .rhosts in the home directory of user chm on hostB contains:

hostA

or

hostA chm

then user chm can access hostB from hostA.

2.

hostA is in the domain arg.bob.com. hostB and hostC are in the domain oink.bob.com. .rhosts in the home directory of user chm on hostB contains:

hostC
hostA

User chm can access hostB from hostC, since hostC.oink.bob.com matches hostC with hostB's local domain oink.bob.com appended. But user chm from hostA cannot access hostB, since hostA.arg.bob.com does not match hostA.oink.bob.com. In order for user chm to be able to access hostB from hostA, chm's .rhosts file on hostB must contain:

hostA.arg.bob.com

since hostA is in a different domain.

3.

.rhosts in the home directory of user chm on hostA contains:

hostB root

/etc/hosts.equiv on hostB contains the line:

hostA

However, there is no file .rhosts in the home directory of user chm on hostB. The user root on hostB can rlogin to account chm on hostA without being prompted for a password, but root on hostA cannot rlogin to account chm on hostB.

4.

.rhosts in the home directory of user chm on hostA contains:

+
-hostB root
+ root

User chm from any host is allowed to access account chm on hostA. User root from any host except hostB can access account chm on hostA.

5.

/etc/hosts.equiv on hostA contains the lines:

+ -chm
hostB

Any user from hostB except chm is allowed to access an account on hostA with the same user name. However, if .rhosts in the home directory of user chm on hostA contains:

hostB

then user chm from hostB can access account chm on hostA.

6.

/etc/hosts.equiv on hostA contains the line:

+@example_group

The network group example_group consists of:

example_group ( , ,EXAMPLE_DOMAIN)

If hostA is not running Network Information Service (NIS), user chm on any host can access account chm on hostA.

If hostA is running Network Information Service (NIS), and hostA is in the domain EXAMPLE_DOMAIN, user chm on any host, whether in EXAMPLE_DOMAIN or not, can access account chm on hostA.

However, if .rhosts in the home directory of user chm on hostA contains the line:

-@example_group

and hostA is either not running Network Information Service (NIS) or is in domain EXAMPLE_DOMAIN, no user chm on any host can access the account chm on hostA. If hostA is running Network Information Service (NIS) but is not in the domain EXAMPLE_DOMAIN, this line has no effect.

7.

/etc/hosts.equiv on hostA contains the line:

-@example_group

The network group example_group consists of:

example_group (hostB, ,)

All users on hostB are denied access to hostA.

However, if .rhosts in the home directory of a user on hostA contains any of the following lines:

+@example_group chm
hostB chm
+ chm

then user chm on hostB can access that account on hostA.

WARNINGS

For security purposes, the files /etc/hosts.equiv and .rhosts should exist and be readable and writable only by the owner, even if they are empty.

Care must be exercised when creating the /etc/hosts.equiv

The -l option to remshd and rlogind prevents any authentication based on .rhosts files for users other than a superuser.

AUTHOR

hosts.equiv was developed by the University of California, Berkeley.

The +, -name, +@netgroup_name, and -@netgroup_name extensions were developed by Sun Microsystems, Inc.

FILES

$HOME/.rhosts
/etc/hosts.equiv

© 1983-2007 Hewlett-Packard Development Company, L.P.