hosts.equiv(4)			 File Formats			hosts.equiv(4)

NAME
       hosts.equiv, rhosts - trusted remote hosts and users

DESCRIPTION
       The /etc/hosts.equiv and .rhosts files provide the "remote
       authentication" database for rlogin(1), rsh(1), rcp(1), and
       rcmd(3SOCKET). The files specify remote hosts and users that are
       considered "trusted". Trusted users are allowed to access the local
       system without supplying a password. The library routine ruserok()
       (see rcmd(3SOCKET)) performs the authentication procedure for
       programs by using the /etc/hosts.equiv and .rhosts files. The
       /etc/hosts.equiv file applies to the entire system, while individual
       users can maintain their own .rhosts files in their home directories.

       These files bypass the standard password-based user authentication
       mechanism. To maintain system security, care must be taken in
       creating and maintaining these files.

       The remote authentication procedure determines whether a user from a
       remote host should be allowed to access the local system with the
       identity of a local user. This procedure first checks the
       /etc/hosts.equiv file and then checks the .rhosts file in the home
       directory of the local user who is requesting access. Entries in
       these files can be of two forms. Positive entries allow access, while
       negative entries deny access. The authentication succeeds when a
       matching positive entry is found. The procedure fails when the first
       matching negative entry is found, or if no matching entries are found
       in either file. The order of entries is important. If the files
       contain both positive and negative entries, the entry that appears
       first will prevail. The rsh(1) and rcp(1) programs fail if the remote
       authentication procedure fails. The rlogin program falls back to the
       standard password-based login procedure if the remote authentication
       fails.

       Both files are formatted as a list of one-line entries. Each entry has
       the form:

       hostname [username]

       Hostnames must be the official name of the host, not one of its
       nicknames.

       Negative entries are differentiated from positive entries by a `-'
       character preceding either the hostname or username field.

   Positive Entries
       If the form:

       hostname

       is used, then users from the named host are trusted. That is, they may
       access the system with the same user name as they have on the remote
       system. This form may be used in both the /etc/hosts.equiv and .rhosts
       files.

       If the line is in the form:

       hostname username

       then the named user from the named host can access the system. This
       form may be used in individual .rhosts files to allow remote users to
       access the system as a different local user. If this form is used in
       the /etc/hosts.equiv file, the named remote user will be allowed to
       access the system as any local user.

       netgroup(4) can be used in either the hostname or username fields to
       match a number of hosts or users in one entry. The form:

       +@netgroup

       allows access from all hosts in the named netgroup. When used in the
       username field, netgroups allow a group of remote users to access the
       system as a particular local user. The form:

       hostname +@netgroup

       allows all of the users in the named netgroup from the named host to
       access the system as the local user. The form:

       +@netgroup1 +@netgroup2

       allows the users in netgroup2 from the hosts in netgroup1 to access the
       system as the local user.

       The special character `+' can be used in place of either hostname or
       username to match any host or user. For example, the entry

       +

       will allow a user from any remote host to access the system with the
       same username. The entry

       + username

       will allow the named user from any remote host to access the system.
       The entry

       hostname +

       will allow any user from the named host to access the system as the
       local user.

   Negative Entries
       Negative entries are preceded by a `-' sign. The form:

       -hostname

       will disallow all access from the named host. The form:

       -@netgroup

       means that access is explicitly disallowed from all hosts in the named
       netgroup. The form:

       hostname -username

       disallows access by the named user only from the named host, while the
       form:

       + -@netgroup

       will disallow access by all of the users in the named netgroup from all
       hosts.

   Search Sequence
       To help maintain system security, the /etc/hosts.equiv file is not
       checked when access is being attempted for super-user. If the user
       attempting access is not the super-user, /etc/hosts.equiv is searched
       for lines of the form described above. Checks are made for lines in
       this file in the following order:

       1.  +

       2.  +@netgroup

       3.  -@netgroup

       4.  -hostname

       5.  hostname

       The user is granted access if a positive match occurs. Negative
       entries apply only to /etc/hosts.equiv and may be overridden by
       subsequent .rhosts entries.

       If no positive match occurred, the .rhosts file is then searched if the
       user attempting access maintains such a file. This file is searched
       whether or not the user attempting access is the super-user. As a
       security feature, the .rhosts file must be owned by the user who is
       attempting access. Checks are made for lines in .rhosts in the
       following order:

       1.  +

       2.  +@netgroup

       3.  -@netgroup

       4.  -hostname

       5.  hostname

FILES
       /etc/hosts.equiv       system trusted hosts and users

       ~/.rhosts              user's trusted hosts and users

SEE ALSO
       rcp(1), rlogin(1), rsh(1), rcmd(3SOCKET), hosts(4), netgroup(4),
       passwd(4)

WARNINGS
       Positive entries in /etc/hosts.equiv that include a username field
       (either an individual named user, a netgroup, or `+' sign) should be
       used with extreme caution. Because /etc/hosts.equiv applies
       system-wide, these entries allow one, or a group of, remote users to
       access the system as any local user. This can be a security hole. For
       example, because of the search sequence, an /etc/hosts.equiv file
       consisting of the entries

       +
       -hostxxx

       will not deny access to "hostxxx".
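       The search sequence and the warning above, modelled as an added
       example in Python (not Solaris code and not the real ruserok()). The
       NETGROUPS table and every file content are constructed, and the
       behaviour follows this page's description: first matching entry in a
       file prevails, hosts.equiv is skipped for the super-user, and a
       negative hosts.equiv match can still be overridden by ~/.rhosts.

```python
# Added example, not Solaris code: a model of the hosts.equiv/.rhosts decision
# described above. The netgroup table and all file contents are constructed.
NETGROUPS = {                                   # constructed netgroup(4) table
    "labhosts": {"lab1.example.com", "lab2.example.com"},
    "admins": {"alice", "bob"},
}

def match_field(field, value):
    """True = positive match, False = negative match, None = no match."""
    negative = field.startswith("-")
    pat = field[1:] if negative else field
    if pat == "+":                              # '+' matches any host or user
        hit = True
    elif pat.startswith(("+@", "@")):           # +@netgroup or -@netgroup
        hit = value in NETGROUPS.get(pat.lstrip("+@"), set())
    else:
        hit = pat == value                      # official hostname / username
    return (not negative) if hit else None

def check_entry(entry, rhost, ruser, luser):
    """Evaluate one 'hostname [username]' line for remote user ruser@rhost
    asking to become local user luser. None means the line does not apply."""
    fields = entry.split()
    if not fields:
        return None
    h = match_field(fields[0], rhost)
    if h is None:
        return None
    if len(fields) == 1:                        # host-only entry
        if not h:
            return False                        # -hostname: all access denied
        return True if ruser == luser else None # same username is trusted
    u = match_field(fields[1], ruser)
    return None if u is None else (h and u)     # any negative field denies

def first_match(lines, rhost, ruser, luser):
    """Order matters: the first matching entry in a file prevails."""
    for line in lines:
        verdict = check_entry(line, rhost, ruser, luser)
        if verdict is not None:
            return verdict
    return None

def ruserok(hosts_equiv, rhosts, rhost, ruser, luser, superuser=False):
    """Search sequence: /etc/hosts.equiv (skipped for the super-user), then
    ~/.rhosts if no positive match. Only a positive match grants access."""
    if not superuser and first_match(hosts_equiv, rhost, ruser, luser):
        return True
    return first_match(rhosts, rhost, ruser, luser) is True
```

       Running ruserok(["+", "-hostxxx"], [], "hostxxx", "carol", "carol")
       returns True, which is the ordering problem the warning describes;
       swapping the two lines makes the same call return False.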

SunOS 5.10			  23 Jun 1997			hosts.equiv(4)
