hosts.equiv(4) hosts.equiv(4)
NAME
hosts.equiv, .rhosts - security files authorizing access by remote
hosts and users on local host
DESCRIPTION
The /etc/hosts.equiv file and files named .rhosts found in users' home
directories specify remote hosts and users that are "equivalent" to
the local host or user. Users from equivalent remote hosts are
permitted to access a local account using rcp or remsh or to rlogin to
the local account without supplying a password (see rcp(1), remsh(1),
and rlogin(1)). The security provided by hosts.equiv is implemented
by the ruserok() library routine (see rcmd(3N)).
In this description, hostequiv means either the system
/etc/hosts.equiv file or the user .rhosts file. Note that .rhosts
must be owned either by the root or by the user in whose home
directory it is found and it must not be a symbolic link. The
/etc/hosts.equiv file defines system-wide equivalency, whereas a
user's .rhosts file defines equivalency between the local user and any
remote users to whom the local user chooses to allow or deny access.
An entry in the hostequiv file is a single line (no continuations) in
the format:
     [hostname [username]] [#comment]
Thus, it can be:
+ A blank line.
+ A comment line, beginning with a #.
+ A host name, optionally followed by a comment.
+ A host name and user name, optionally followed by a comment.
A host or user name is a string of printable characters,
excluding whitespace, newlines, and #.
Names are separated by whitespace.
For a user to be granted access, both the remote host name and the
user name must "match" an entry in hostequiv. When a request is made
for access, the /etc/hosts.equiv file is searched first. If a match
is found, access is permitted. If no match is found, the .rhosts file
is searched, if one exists in the local user's home directory. If the
local user is a superuser, /etc/hosts.equiv is ignored.
A host name or user name must match the corresponding field entry in
hostequiv in one of the following ways:
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
Literal match
     A host name in hostequiv can literally match the official host name
     (not an alias) of the remote host.

     A user name in hostequiv can literally match the remote user name.
     For a user name to have a literal match in the /etc/hosts.equiv
     file, the remote user name must literally match the local user
     name.

Domain-extended match
     The remote host name to be compared with entries in hostequiv is
     typically the official host name returned by gethostbyaddr() (see
     gethostent(3N)). In a domain-naming environment, this is a
     domain-qualified name. If a host name in hostequiv does not
     literally match the remote host name, the host name in hostequiv
     with the local domain name appended may match the remote host name.

-name
     If the host name in hostequiv is of this form, and if name literally
     matches the remote host name or if name with the local domain name
     appended matches the remote host name, access is denied regardless
     of the user name.

     If the user name in hostequiv is of this form, and name literally
     matches the remote user name, access is denied.

     Even if access is denied in this way by /etc/hosts.equiv, access
     can still be allowed by .rhosts.

+
     Any remote host name matches the host name + in hostequiv.

     Any remote user matches the user name +.

+@netgroup_name
     netgroup_name is the name of a network group as defined in
     netgroup(4). If the host name in hostequiv is of this form, the
     remote host name (only) must match the specified network group
     according to the rules defined in netgroup(4) in order for the
     host name to match.

     Similarly, if the user name in hostequiv is of this form, the
     remote user name (only) must match the specified network group in
     order for the user name to match.

-@netgroup_name
     netgroup_name is the name of a network group as defined in
     netgroup(4). If the host name in hostequiv is of this form, and if
     the remote host name (only) matches the specified network group
     according to the rules defined in netgroup(4), access is denied.

     Similarly, if the user name in hostequiv is of this form, and if
     the remote user name (only) matches the specified network group,
     access is denied.

     Even if access is denied in this way by /etc/hosts.equiv, access
     can still be allowed by .rhosts.
EXAMPLES
1. /etc/hosts.equiv on hostA contains the line:

        hostB

   and /etc/hosts.equiv on hostB is empty. User chm on hostB can
   use remsh to hostA, or rlogin to account chm on hostA without
   being prompted for a password. chm will, however, be prompted
   for a password with rlogin, or denied access with remsh, from
   hostA to hostB.

   If .rhosts in the home directory of user chm on hostB contains:

        hostA

   or

        hostA chm

   then user chm can access hostB from hostA.

2. hostA is in the domain arg.bob.com. hostB and hostC are in the
   domain oink.bob.com. .rhosts in the home directory of user chm
   on hostB contains:

        hostC
        hostA

   User chm can access hostB from hostC, since hostC.oink.bob.com
   matches hostC with hostB's local domain oink.bob.com appended.
   But user chm from hostA cannot access hostB, since
   hostA.arg.bob.com does not match hostA.oink.bob.com. In order
   for user chm to be able to access hostB from hostA, chm's .rhosts
   file on hostB must contain:

        hostA.arg.bob.com

   since hostA is in a different domain.

3. .rhosts in the home directory of user chm on hostA contains:

        hostB root

   /etc/hosts.equiv on hostB contains the line:

        hostA

   However, there is no file .rhosts in the home directory of user
   chm on hostB. The user root on hostB can rlogin to account chm
   on hostA without being prompted for a password, but root on hostA
   cannot rlogin to account chm on hostB.

4. .rhosts in the home directory of user chm on hostA contains:

        +
        -hostB
        + root

   User chm from any host is allowed to access account chm on hostA.
   User root from any host except hostB can access account chm on
   hostA.

5. /etc/hosts.equiv on hostA contains the lines:

        + -chm
        hostB

   Any user from hostB except chm is allowed to access an account on
   hostA with the same user name. However, if .rhosts in the home
   directory of user chm on hostA contains:

        hostB

   then user chm from hostB can access account chm on hostA.

6. /etc/hosts.equiv on hostA contains the line:

        +@example_group

   The network group example_group consists of:

        example_group ( , ,EXAMPLE_DOMAIN)

   If hostA is not running Network Information Service (NIS), user
   chm on any host can access account chm on hostA.

   If hostA is running Network Information Service (NIS), and hostA
   is in the domain EXAMPLE_DOMAIN, user chm on any host, whether in
   EXAMPLE_DOMAIN or not, can access account chm on hostA.

   However, if .rhosts in the home directory of user chm on hostA
   contains the line:

        -@example_group

   and hostA is either not running Network Information Service (NIS)
   or is in domain EXAMPLE_DOMAIN, no user chm on any host can
   access the account chm on hostA. If hostA is running Network
   Information Service (NIS) but is not in the domain
   EXAMPLE_DOMAIN, this line has no effect.

7. /etc/hosts.equiv on hostA contains the line:

        -@example_group

   The network group example_group consists of:

        example_group (hostB, ,)

   All users on hostB are denied access to hostA.

   However, if .rhosts in the home directory of a user on hostA
   contains any of the following lines:

        +@example_group chm
        hostB chm
        + chm

   then user chm on hostB can access that account on hostA.
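The matching rules in DESCRIPTION and the EXAMPLES above can be checked against each other with a small simulator. The following Python is an added example written for this page; it is not HP-UX's ruserok() and not code from the man page. It assumes the superuser is the account named root, models netgroup(4) triples as (host, user, domain) tuples with "" as a wildcard, ignores nested netgroups, and treats the domain column the way example 6 describes (consulted only when an NIS domain is set). replay_examples() replays examples 1 through 7 with constructed inputs.

```python
"""Simulator for the hosts.equiv / .rhosts matching rules (added example, not HP-UX code)."""
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, str]   # (host, user, domain) as in netgroup(4); "" matches anything


def parse_hostequiv(text: str) -> List[Tuple[str, Optional[str]]]:
    """Split a hostequiv file into (hostname, username-or-None) entries.
    Blank lines and anything after '#' are ignored; extra fields are dropped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _in_netgroup(name: str, value: str, column: int,
                 netgroups: Dict[str, List[Triple]], nis_domain: Optional[str]) -> bool:
    """True if value matches the host (column 0) or user (column 1) of a triple in the
    netgroup. The domain column is only checked when NIS is running (nis_domain set)."""
    for triple in netgroups.get(name, []):
        if triple[column] not in ("", value):
            continue
        if nis_domain is None or triple[2] in ("", nis_domain):
            return True
    return False


def _match_field(field: str, value: str, column: int, local_domain: str,
                 netgroups: Dict[str, List[Triple]], nis_domain: Optional[str]) -> Optional[str]:
    """Apply the forms '+', '+@ng', '-@ng', '-name' and literal to one field.
    Returns 'allow', 'deny' or None. Domain-extended matching applies to hosts only."""
    if field == "+":
        return "allow"
    if field[:2] in ("+@", "-@"):
        hit = _in_netgroup(field[2:], value, column, netgroups, nis_domain)
        return ("allow" if field[0] == "+" else "deny") if hit else None
    verdict, name = ("deny", field[1:]) if field.startswith("-") else ("allow", field)
    candidates = {name}
    if column == 0:                          # "name" may also match "name.<local domain>"
        candidates.add(f"{name}.{local_domain}")
    return verdict if value in candidates else None


def _search(entries, rhost, ruser, luser, is_hosts_equiv, local_domain, netgroups, nis_domain):
    """First matching entry wins: True (permit), False (denied by a '-' form), None (no match)."""
    for host_field, user_field in entries:
        h = _match_field(host_field, rhost, 0, local_domain, netgroups, nis_domain)
        if h is None:
            continue
        if h == "deny":
            return False                     # denied regardless of the user name
        if user_field is None:               # no user field: remote user must equal local user
            u = "allow" if ruser == luser else None
        else:
            u = _match_field(user_field, ruser, 1, local_domain, netgroups, nis_domain)
            # in /etc/hosts.equiv a literal user name only grants the same-named local account
            if is_hosts_equiv and u == "allow" and user_field[0] not in "+-" and ruser != luser:
                u = None
        if u == "deny":
            return False
        if u == "allow":
            return True
    return None


def ruserok(rhost: str, ruser: str, luser: str, hosts_equiv: str, rhosts: Optional[str] = None,
            *, local_domain: str = "", netgroups=None, nis_domain: Optional[str] = None) -> bool:
    """/etc/hosts.equiv first (skipped when the local user is the superuser), then the user's
    .rhosts. A denial in /etc/hosts.equiv only ends that search; .rhosts may still allow."""
    netgroups = netgroups or {}
    if luser != "root":                      # assumption: superuser is the account named root
        if _search(parse_hostequiv(hosts_equiv), rhost, ruser, luser, True,
                   local_domain, netgroups, nis_domain) is True:
            return True
    if rhosts is not None:
        if _search(parse_hostequiv(rhosts), rhost, ruser, luser, False,
                   local_domain, netgroups, nis_domain) is True:
            return True
    return False


def replay_examples() -> Dict[str, bool]:
    """Constructed replay of the EXAMPLES section; returns {case: access granted?}."""
    ex2_rhosts, ex4_rhosts, ex5_equiv = "hostC\nhostA\n", "+\n-hostB\n+ root\n", "+ -chm\nhostB\n"
    ng6 = {"example_group": [("", "", "EXAMPLE_DOMAIN")]}
    ng7 = {"example_group": [("hostB", "", "")]}
    return {
        "ex1 chm hostB->hostA": ruserok("hostB", "chm", "chm", "hostB\n"),
        "ex1 chm hostA->hostB": ruserok("hostA", "chm", "chm", ""),
        "ex2 chm hostC->hostB": ruserok("hostC.oink.bob.com", "chm", "chm", "", ex2_rhosts, local_domain="oink.bob.com"),
        "ex2 chm hostA->hostB": ruserok("hostA.arg.bob.com", "chm", "chm", "", ex2_rhosts, local_domain="oink.bob.com"),
        "ex3 root hostA->hostB": ruserok("hostA", "root", "chm", "hostA\n"),
        "ex4 chm from hostB": ruserok("hostB", "chm", "chm", "", ex4_rhosts),
        "ex4 root from hostB": ruserok("hostB", "root", "chm", "", ex4_rhosts),
        "ex4 root from hostC": ruserok("hostC", "root", "chm", "", ex4_rhosts),
        "ex5 bob from hostB": ruserok("hostB", "bob", "bob", ex5_equiv),
        "ex5 chm no rhosts": ruserok("hostB", "chm", "chm", ex5_equiv),
        "ex5 chm with rhosts": ruserok("hostB", "chm", "chm", ex5_equiv, "hostB\n"),
        "ex6 no NIS": ruserok("hostZ", "chm", "chm", "+@example_group\n", netgroups=ng6),
        "ex6 NIS other domain": ruserok("hostZ", "chm", "chm", "+@example_group\n", netgroups=ng6, nis_domain="OTHER"),
        "ex7 chm denied": ruserok("hostB", "chm", "chm", "-@example_group\n", netgroups=ng7),
        "ex7 chm via rhosts": ruserok("hostB", "chm", "chm", "-@example_group\n", "+@example_group chm\n", netgroups=ng7),
    }
```

Two points the replay makes visible: entries are evaluated in file order with the first match deciding (example 4 admits chm from hostB because the bare + precedes -hostB), and a denial in /etc/hosts.equiv never overrides a user's .rhosts (examples 5 and 7), so auditing the system file alone is not enough.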
WARNINGS
For security purposes, the files /etc/hosts.equiv and .rhosts should
exist and be readable and writable only by the owner, even if they are
empty.
Care must be exercised when creating the /etc/hosts.equiv
The -l option to remshd and rlogind prevents any authentication based
on .rhosts files for users other than a superuser.
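The ownership and permission rules stated above (owned by root or the home-directory owner, not a symbolic link, readable and writable only by the owner, present even if empty) can be checked with the following Python, an added example that is not part of the man page. It assumes a Unix host with a pwd database; demo_in_tempdir() builds a constructed .rhosts in a temporary directory to show the three outcomes.

```python
"""Audit of hosts.equiv / .rhosts ownership and mode (added example, not HP-UX code)."""
import os
import stat
import tempfile
from typing import Dict, List


def audit_hostequiv_file(path: str, home_owner_uid: int) -> List[str]:
    """Return the problems found with one hosts.equiv or .rhosts file; [] means clean."""
    try:
        st = os.lstat(path)                  # lstat so a symlink is seen as a symlink
    except FileNotFoundError:
        return ["missing (should exist, even if empty)"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link"]
    problems = []
    if st.st_uid not in (0, home_owner_uid):
        problems.append(f"owned by uid {st.st_uid}, not root or uid {home_owner_uid}")
    if st.st_mode & 0o077:                   # any group/other bit violates the rule
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return problems


def audit_all_rhosts() -> Dict[str, List[str]]:
    """Check /etc/hosts.equiv (must be root's) and every account's .rhosts that exists."""
    import pwd                               # Unix only; imported here to keep the module importable elsewhere
    report = {"/etc/hosts.equiv": audit_hostequiv_file("/etc/hosts.equiv", 0)}
    for entry in pwd.getpwall():
        path = os.path.join(entry.pw_dir, ".rhosts")
        if os.path.lexists(path):
            report[path] = audit_hostequiv_file(path, entry.pw_uid)
    return report


def demo_in_tempdir():
    """Constructed scenario: a mode-644 .rhosts, the same file after chmod 600, and a symlink
    to it. Returns the three audit results in that order."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        rhosts = os.path.join(home, ".rhosts")
        with open(rhosts, "w") as fh:
            fh.write("hostB chm\n")          # constructed content
        os.chmod(rhosts, 0o644)
        before = audit_hostequiv_file(rhosts, uid)
        os.chmod(rhosts, 0o600)
        after = audit_hostequiv_file(rhosts, uid)
        link = os.path.join(home, "link.rhosts")
        os.symlink(rhosts, link)
        linked = audit_hostequiv_file(link, uid)
    return before, after, linked


if __name__ == "__main__":
    for path, problems in audit_all_rhosts().items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run as a script it prints one line per file; a non-empty problem list is the condition under which ruserok() would either refuse the file or, for a world-writable one, let anyone on the host widen its own equivalency.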
AUTHOR
hosts.equiv was developed by the University of California, Berkeley.
The +, -name, +@netgroup_name, and -@netgroup_name extensions were
developed by Sun Microsystems, Inc.
FILES
$HOME/.rhosts
/etc/hosts.equiv
SEE ALSO
rcp(1), rdist(1), remsh(1), rlogin(1), remshd(1M), rlogind(1M),
gethostent(3N), rcmd(3N), netgroup(4).