Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
HOSTS.EQUIV(5)		    BSD	File Formats Manual		HOSTS.EQUIV(5)

     hosts.equiv, .rhosts -- trusted remote hosts and host-user	pairs

     The hosts.equiv and .rhosts files list hosts and users which are
     "trusted" by the local host when a	connection is made via rlogind(8),
     rshd(8), or any other server that uses ruserok(3).	 This mechanism	by-
     passes password checks, and is required for access	via rsh(1).

     Each line of these	files has the format:

	   hostname [username]

     The hostname may be specified as a	host name (typically a fully qualified
     host name in a DNS	environment) or	address, "+@netgroup" (from which only
     the host names are	checked), or a "+" wildcard (allow all hosts).

     The username, if specified, may be	given as a user	name on	the remote
     host, "+@netgroup"	(from which only the user names	are checked), or a "+"
     wildcard (allow all remote	users).

     If	a username is specified, only that user	from the specified host	may
     login to the local	machine.  If a username	is not specified, any user may
     login with	the same user name.

	   A common usage:  users on somehost may login	to the local  host  as
	   the same user name.
     somehost username
	   The	user  username	on  somehost  may login	to the local host.  If
	   specified in	/etc/hosts.equiv, the user may	login  with  only  the
	   same	user name.
     +@anetgroup username
	   The	user  username	may  login  to the local host from any machine
	   listed in the netgroup anetgroup.
     + +
	   Two severe security hazards.	 In the	first case, allows a  user  on
	   any	machine	 to login to the local host as the same	user name.  In
	   the second case, allows any user on any machine to login to the lo-
	   cal host (as	any user, if in	/etc/hosts.equiv).

     The username checks provided by this mechanism are	not secure, as the re-
     mote user name is received	by the server unchecked	for validity.  There-
     fore this mechanism should	only be	used in	an environment where all hosts
     are completely trusted.

     A numeric host address instead of a host name can help security consider-
     ations somewhat; the address is then used directly	by iruserok(3).

     When a username (or netgroup, or +) is specified in /etc/hosts.equiv,
     that user (or group of users, or all users, respectively) may login to
     the local host as any local user.	Usernames in /etc/hosts.equiv should
     therefore be used with extreme caution, or	not at all.

     A .rhosts file must be owned by the user whose home directory it resides
     in, and must be writable only by that user.

     Logins as root only check root's .rhosts file; the	/etc/hosts.equiv file
     is	not checked for	security.  Access permitted through root's .rhosts
     file is typically only for	rsh(1),	as root	must still login on the	con-
     sole for an interactive login such	as rlogin(1).

     /etc/hosts.equiv  Global trusted host-user	pairs list
     ~/.rhosts	       Per-user	trusted	host-user pairs	list

     rcp(1), rlogin(1),	rsh(1),	rcmd(3), ruserok(3), netgroup(5)

     The .rhosts file format appeared in 4.2BSD.

     The ruserok(3) implementation currently skips negative entries (preceded
     with a "-"	sign) and does not treat them as ``short-circuit'' negative

BSD			       November	26, 1997			   BSD


Want to link to this manual page? Use this URL:

home | help