]> git.saurik.com Git - apple/libinfo.git/blame - util.subproj/hosts.equiv.5
Libinfo-459.40.1.tar.gz
[apple/libinfo.git] / util.subproj / hosts.equiv.5
CommitLineData
ccd4a120
A
1.\" $OpenBSD: hosts.equiv.5,v 1.1 1997/11/30 05:35:25 deraadt Exp $
2.\"
3.\" Copyright (c) 1997 Todd Vierling
4.\" Copyright (c) 1997 The NetBSD Foundation, Inc.
5.\" All rights reserved.
6.\"
7.\" This code is derived from software contributed to The NetBSD Foundation
8.\" by Todd Vierling <tv@pobox.com>.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\" notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\" notice, this list of conditions and the following disclaimer in the
17.\" documentation and/or other materials provided with the distribution.
18.\" 3. All advertising materials mentioning features or use of this software
19.\" must display the following acknowledgement:
20.\" This product includes software developed by the NetBSD
21.\" Foundation, Inc. and its contributors.
22.\" 4. Neither the name of The NetBSD Foundation nor the names of its
23.\" contributors may be used to endorse or promote products derived
24.\" from this software without specific prior written permission.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
27.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
28.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
29.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
30.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
31.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
32.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
33.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
34.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
35.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
36.\" POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd November 26, 1997
39.Dt HOSTS.EQUIV 5
40.Os
41.Sh NAME
42.Nm hosts.equiv ,
43.Nm .rhosts
44.Nd trusted remote hosts and host-user pairs
45.Sh DESCRIPTION
46The
47.Nm hosts.equiv
48and
49.Nm .rhosts
50files list hosts and users which are ``trusted'' by the local host when a
51connection is made via
52.Xr rlogind 8 ,
53.Xr rshd 8 ,
54or any other server that uses
55.Xr ruserok 3 .
56This mechanism bypasses password checks, and is required for access via
57.Xr rsh 1 .
58.Pp
59Each line of these files has the format:
60.Pp
61.Bd -unfilled -offset indent -compact
62hostname [username]
63.Ed
64.Pp
65The
66.Em hostname
67may be specified as a host name (typically a fully qualified host
68name in a DNS environment) or address,
69.Em +@netgroup
70(from which only the host names are checked),
71or a ``+'' wildcard (allow all hosts).
72.Pp
73The
74.Em username ,
75if specified, may be given as a user name on the remote host,
76.Em +@netgroup
77(from which only the user names are checked),
78or a ``+'' wildcard (allow all remote users).
79.Pp
80If a
81.Em username
82is specified, only that user from the specified host may login to the
83local machine. If a
84.Em username
85is not specified, any user may login with the same user name.
86.Sh EXAMPLES
87.Li somehost
88.Bd -filled -offset indent -compact
89A common usage: users on
90.Em somehost
91may login to the local host as the same user name.
92.Ed
93.Li somehost username
94.Bd -filled -offset indent -compact
95The user
96.Em username
97on
98.Em somehost
99may login to the local host. If specified in
100.Em /etc/hosts.equiv ,
101the user may login with only the same user name.
102.Ed
103.Li +@anetgroup username
104.Bd -filled -offset indent -compact
105The user
106.Em username
107may login to the local host from any machine listed in the netgroup
108.Em anetgroup .
109.Ed
110.Bd -literal -compact
111+
112+ +
113.Ed
114.Bd -filled -offset indent -compact
115Two severe security hazards. In the first case, allows a user on any
116machine to login to the local host as the same user name. In the second
117case, allows any user on any machine to login to the local host (as any
118user, if in
119.Em /etc/hosts.equiv ) .
120.Ed
121.Sh WARNINGS
122The username checks provided by this mechanism are
123.Em not
124secure, as the remote user name is received by the server unchecked
125for validity. Therefore this mechanism should only be used
126in an environment where all hosts are completely trusted.
127.Pp
128A numeric host address instead of a host name can help security
129considerations somewhat; the address is then used directly by
130.Xr iruserok 3 .
131.Pp
132When a username (or netgroup, or +) is specified in
133.Em /etc/hosts.equiv ,
134that user (or group of users, or all users, respectively) may login to
135the local host as
136.Em any local user .
137Usernames in
138.Em /etc/hosts.equiv
139should therefore be used with extreme caution, or not at all.
140.Pp
141A
142.Em .rhosts
143file must be owned by the user whose home directory it resides in, and
144must be writable only by that user.
145.Pp
146Logins as root only check root's
147.Em .rhosts
148file; the
149.Em /etc/hosts.equiv
150file is not checked for security. Access permitted through root's
151.Em .rhosts
152file is typically only for
153.Xr rsh 1 ,
154as root must still login on the console for an interactive login such as
155.Xr rlogin 1 .
156.Sh FILES
157.Bl -tag -width /etc/hosts.equiv -compact
158.It Pa /etc/hosts.equiv
159Global trusted host-user pairs list
160.It Pa ~/.rhosts
161Per-user trusted host-user pairs list
162.El
163.Sh SEE ALSO
164.Xr rcp 1 ,
165.Xr rlogin 1 ,
166.Xr rsh 1 ,
167.Xr rcmd 3 ,
168.Xr ruserok 3 ,
169.Xr netgroup 5
ccd4a120
A
170.Sh HISTORY
171The
172.Nm .rhosts
173file format appeared in
174.Bx 4.2 .
175.Sh BUGS
176The
177.Xr ruserok 3
178implementation currently skips negative entries (preceded with a
179``-'' sign) and does not treat them as ``short-circuit'' negative entries.