1.\" $NetBSD: hosts.equiv.5,v 1.5 2002/01/21 17:41:01 wiz Exp $ 2.\" 3.\" Copyright (c) 1997 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by the NetBSD 17.\" Foundation, Inc. and its contributors. 18.\" 4. Neither the name of The NetBSD Foundation nor the names of its 19.\" contributors may be used to endorse or promote products derived 20.\" from this software without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 23.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 24.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 25.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 26.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 29.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 30.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32.\" POSSIBILITY OF SUCH DAMAGE. 33.\" 34.Dd November 26, 1997 35.Dt HOSTS.EQUIV 5 36.Os 37.Sh NAME 38.Nm hosts.equiv , 39.Nm .rhosts 40.Nd trusted remote hosts and host-user pairs 41.Sh DESCRIPTION 42The 43.Nm hosts.equiv 44and 45.Nm .rhosts 46files list hosts and users which are 47.Dq trusted 48by the local host when a connection is made via 49.Xr rlogind 8 , 50.Xr rshd 8 , 51or any other server that uses 52.Xr ruserok 3 . 53This mechanism bypasses password checks, and is required for access via 54.Xr rsh 1 . 55.Pp 56Each line of these files has the format: 57.Pp 58.Bd -unfilled -offset indent -compact 59hostname [username] 60.Ed 61.Pp 62The 63.Em hostname 64may be specified as a host name (typically a fully qualified host 65name in a DNS environment) or address, 66.Dq Li +@netgroup 67(from which only the host names are checked), 68or a 69.Dq Li \&+ 70wildcard (allow all hosts). 71.Pp 72The 73.Em username , 74if specified, may be given as a user name on the remote host, 75.Dq Li +@netgroup 76(from which only the user names are checked), 77or a 78.Dq Li \&+ 79wildcard (allow all remote users). 80.Pp 81If a 82.Em username 83is specified, only that user from the specified host may login to the 84local machine. If a 85.Em username 86is not specified, any user may login with the same user name. 87.Sh EXAMPLES 88.Li somehost 89.Bd -filled -offset indent -compact 90A common usage: users on 91.Em somehost 92may login to the local host as the same user name. 93.Ed 94.Li somehost username 95.Bd -filled -offset indent -compact 96The user 97.Em username 98on 99.Em somehost 100may login to the local host. If specified in 101.Em /etc/hosts.equiv , 102the user may login with only the same user name. 103.Ed 104.Li +@anetgroup username 105.Bd -filled -offset indent -compact 106The user 107.Em username 108may login to the local host from any machine listed in the netgroup 109.Em anetgroup . 110.Ed 111.Bd -literal -compact 112+ 113+ + 114.Ed 115.Bd -filled -offset indent -compact 116Two severe security hazards. In the first case, allows a user on any 117machine to login to the local host as the same user name. In the second 118case, allows any user on any machine to login to the local host (as any 119user, if in 120.Em /etc/hosts.equiv ) . 121.Ed 122.Sh WARNINGS 123The username checks provided by this mechanism are 124.Em not 125secure, as the remote user name is received by the server unchecked 126for validity. Therefore this mechanism should only be used 127in an environment where all hosts are completely trusted. 128.Pp 129A numeric host address instead of a host name can help security 130considerations somewhat; the address is then used directly by 131.Xr iruserok 3 . 132.Pp 133When a username (or netgroup, or +) is specified in 134.Em /etc/hosts.equiv , 135that user (or group of users, or all users, respectively) may login to 136the local host as 137.Em any local user . 138Usernames in 139.Em /etc/hosts.equiv 140should therefore be used with extreme caution, or not at all. 141.Pp 142A 143.Em .rhosts 144file must be owned by the user whose home directory it resides in, and 145must be writable only by that user. 146.Pp 147Logins as root only check root's 148.Em .rhosts 149file; the 150.Em /etc/hosts.equiv 151file is not checked for security. Access permitted through root's 152.Em .rhosts 153file is typically only for 154.Xr rsh 1 , 155as root must still login on the console for an interactive login such as 156.Xr rlogin 1 . 157.Sh FILES 158.Bl -tag -width /etc/hosts.equiv -compact 159.It Pa /etc/hosts.equiv 160Global trusted host-user pairs list 161.It Pa ~/.rhosts 162Per-user trusted host-user pairs list 163.El 164.Sh SEE ALSO 165.Xr rcp 1 , 166.Xr rlogin 1 , 167.Xr rsh 1 , 168.Xr rcmd 3 , 169.Xr ruserok 3 , 170.Xr netgroup 5 171.Sh HISTORY 172The 173.Nm .rhosts 174file format appeared in 175.Bx 4.2 . 176.Sh BUGS 177The 178.Xr ruserok 3 179implementation currently skips negative entries (preceded with a 180.Dq Li \&- 181sign) and does not treat them as ``short-circuit'' negative entries. 182