1.\" $NetBSD: hosts.equiv.5,v 1.3 1999/04/06 02:52:40 tv Exp $ 2.\" 3.\" Copyright (c) 1997 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by the NetBSD 17.\" Foundation, Inc. and its contributors. 18.\" 4. Neither the name of The NetBSD Foundation nor the names of its 19.\" contributors may be used to endorse or promote products derived 20.\" from this software without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 23.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 24.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 25.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 26.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 29.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 30.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32.\" POSSIBILITY OF SUCH DAMAGE. 33.\" 34.Dd November 26, 1997 35.Dt HOSTS.EQUIV 5 36.Os 37.Sh NAME 38.Nm hosts.equiv , 39.Nm .rhosts 40.Nd trusted remote hosts and host-user pairs 41.Sh DESCRIPTION 42The 43.Nm hosts.equiv 44and 45.Nm .rhosts 46files list hosts and users which are ``trusted'' by the local host when a 47connection is made via 48.Xr rlogind 8 , 49.Xr rshd 8 , 50or any other server that uses 51.Xr ruserok 3 . 52This mechanism bypasses password checks, and is required for access via 53.Xr rsh 1 . 54.Pp 55Each line of these files has the format: 56.Pp 57.Bd -unfilled -offset indent -compact 58hostname [username] 59.Ed 60.Pp 61The 62.Em hostname 63may be specified as a host name (typically a fully qualified host 64name in a DNS environment) or address, 65.Em +@netgroup 66(from which only the host names are checked), 67or a ``+'' wildcard (allow all hosts). 68.Pp 69The 70.Em username , 71if specified, may be given as a user name on the remote host, 72.Em +@netgroup 73(from which only the user names are checked), 74or a ``+'' wildcard (allow all remote users). 75.Pp 76If a 77.Em username 78is specified, only that user from the specified host may login to the 79local machine. If a 80.Em username 81is not specified, any user may login with the same user name. 82.Sh EXAMPLES 83.Li somehost 84.Bd -filled -offset indent -compact 85A common usage: users on 86.Em somehost 87may login to the local host as the same user name. 88.Ed 89.Li somehost username 90.Bd -filled -offset indent -compact 91The user 92.Em username 93on 94.Em somehost 95may login to the local host. If specified in 96.Em /etc/hosts.equiv , 97the user may login with only the same user name. 98.Ed 99.Li +@anetgroup username 100.Bd -filled -offset indent -compact 101The user 102.Em username 103may login to the local host from any machine listed in the netgroup 104.Em anetgroup . 105.Ed 106.Bd -literal -compact 107+ 108+ + 109.Ed 110.Bd -filled -offset indent -compact 111Two severe security hazards. In the first case, allows a user on any 112machine to login to the local host as the same user name. In the second 113case, allows any user on any machine to login to the local host (as any 114user, if in 115.Em /etc/hosts.equiv ) . 116.Ed 117.Sh WARNINGS 118The username checks provided by this mechanism are 119.Em not 120secure, as the remote user name is received by the server unchecked 121for validity. Therefore this mechanism should only be used 122in an environment where all hosts are completely trusted. 123.Pp 124A numeric host address instead of a host name can help security 125considerations somewhat; the address is then used directly by 126.Xr iruserok 3 . 127.Pp 128When a username (or netgroup, or +) is specified in 129.Em /etc/hosts.equiv , 130that user (or group of users, or all users, respectively) may login to 131the local host as 132.Em any local user . 133Usernames in 134.Em /etc/hosts.equiv 135should therefore be used with extreme caution, or not at all. 136.Pp 137A 138.Em .rhosts 139file must be owned by the user whose home directory it resides in, and 140must be writable only by that user. 141.Pp 142Logins as root only check root's 143.Em .rhosts 144file; the 145.Em /etc/hosts.equiv 146file is not checked for security. Access permitted through root's 147.Em .rhosts 148file is typically only for 149.Xr rsh 1 , 150as root must still login on the console for an interactive login such as 151.Xr rlogin 1 . 152.Sh FILES 153.Bl -tag -width /etc/hosts.equiv -compact 154.It Pa /etc/hosts.equiv 155Global trusted host-user pairs list 156.It Pa ~/.rhosts 157Per-user trusted host-user pairs list 158.El 159.Sh SEE ALSO 160.Xr rcp 1 , 161.Xr rlogin 1 , 162.Xr rsh 1 , 163.Xr rcmd 3 , 164.Xr ruserok 3 , 165.Xr netgroup 5 166.Re 167.Sh HISTORY 168The 169.Nm .rhosts 170file format appeared in 171.Bx 4.2 . 172.Sh BUGS 173The 174.Xr ruserok 3 175implementation currently skips negative entries (preceded with a 176``-'' sign) and does not treat them as ``short-circuit'' negative entries. 177