1.\" $NetBSD: hosts.equiv.5,v 1.8 2008/04/30 13:10:57 martin Exp $ 2.\" 3.\" Copyright (c) 1997 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25.\" POSSIBILITY OF SUCH DAMAGE. 26.\" 27.Dd November 26, 1997 28.Dt HOSTS.EQUIV 5 29.Os 30.Sh NAME 31.Nm hosts.equiv , 32.Nm .rhosts 33.Nd trusted remote hosts and host-user pairs 34.Sh DESCRIPTION 35The 36.Nm hosts.equiv 37and 38.Nm .rhosts 39files list hosts and users which are 40.Dq trusted 41by the local host when a connection is made via 42.Xr rlogind 8 , 43.Xr rshd 8 , 44or any other server that uses 45.Xr ruserok 3 . 46This mechanism bypasses password checks, and is required for access via 47.Xr rsh 1 . 48.Pp 49Each line of these files has the format: 50.Pp 51.Bd -unfilled -offset indent -compact 52hostname [username] 53.Ed 54.Pp 55The 56.Em hostname 57may be specified as a host name (typically a fully qualified host 58name in a DNS environment) or address, 59.Dq Li +@netgroup 60(from which only the host names are checked), 61or a 62.Dq Li \&+ 63wildcard (allow all hosts). 64.Pp 65The 66.Em username , 67if specified, may be given as a user name on the remote host, 68.Dq Li +@netgroup 69(from which only the user names are checked), 70or a 71.Dq Li \&+ 72wildcard (allow all remote users). 73.Pp 74If a 75.Em username 76is specified, only that user from the specified host may login to the 77local machine. 78If a 79.Em username 80is not specified, any user may login with the same user name. 81.Sh EXAMPLES 82.Li somehost 83.Bd -filled -offset indent -compact 84A common usage: users on 85.Em somehost 86may login to the local host as the same user name. 87.Ed 88.Li somehost username 89.Bd -filled -offset indent -compact 90The user 91.Em username 92on 93.Em somehost 94may login to the local host. 95If specified in 96.Pa /etc/hosts.equiv , 97the user may login with only the same user name. 98.Ed 99.Li +@anetgroup username 100.Bd -filled -offset indent -compact 101The user 102.Em username 103may login to the local host from any machine listed in the netgroup 104.Em anetgroup . 105.Ed 106.Bd -literal -compact 107+ 108+ + 109.Ed 110.Bd -filled -offset indent -compact 111Two severe security hazards. 112In the first case, allows a user on any 113machine to login to the local host as the same user name. 114In the second case, allows any user on any 115machine to login to the local host (as any user, if in 116.Pa /etc/hosts.equiv ) . 117.Ed 118.Sh WARNINGS 119The username checks provided by this mechanism are 120.Em not 121secure, as the remote user name is received by the server unchecked 122for validity. 123Therefore this mechanism should only be used 124in an environment where all hosts are completely trusted. 125.Pp 126A numeric host address instead of a host name can help security 127considerations somewhat; the address is then used directly by 128.Xr iruserok 3 . 129.Pp 130When a username (or netgroup, or +) is specified in 131.Pa /etc/hosts.equiv , 132that user (or group of users, or all users, respectively) may login to 133the local host as 134.Em any local user . 135Usernames in 136.Pa /etc/hosts.equiv 137should therefore be used with extreme caution, or not at all. 138.Pp 139A 140.Pa .rhosts 141file must be owned by the user whose home directory it resides in, and 142must be writable only by that user. 143.Pp 144Logins as root only check root's 145.Pa .rhosts 146file; the 147.Pa /etc/hosts.equiv 148file is not checked for security. 149Access permitted through root's 150.Pa .rhosts 151file is typically only for 152.Xr rsh 1 , 153as root must still login on the console for an interactive login such as 154.Xr rlogin 1 . 155.Sh FILES 156.Bl -tag -width /etc/hosts.equiv -compact 157.It Pa /etc/hosts.equiv 158Global trusted host-user pairs list 159.It Pa ~/.rhosts 160Per-user trusted host-user pairs list 161.El 162.Sh SEE ALSO 163.Xr rcp 1 , 164.Xr rlogin 1 , 165.Xr rsh 1 , 166.Xr rcmd 3 , 167.Xr ruserok 3 , 168.Xr netgroup 5 169.Sh HISTORY 170The 171.Nm .rhosts 172file format appeared in 173.Bx 4.2 . 174.Sh BUGS 175The 176.Xr ruserok 3 177implementation currently skips negative entries (preceded with a 178.Dq Li \&- 179sign) and does not treat them as ``short-circuit'' negative entries. 180