1.\" $NetBSD: hosts.equiv.5,v 1.7 2004/11/25 11:40:56 wiz Exp $ 2.\" 3.\" Copyright (c) 1997 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by the NetBSD 17.\" Foundation, Inc. and its contributors. 18.\" 4. Neither the name of The NetBSD Foundation nor the names of its 19.\" contributors may be used to endorse or promote products derived 20.\" from this software without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 23.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 24.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 25.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 26.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 29.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 30.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32.\" POSSIBILITY OF SUCH DAMAGE. 33.\" 34.Dd November 26, 1997 35.Dt HOSTS.EQUIV 5 36.Os 37.Sh NAME 38.Nm hosts.equiv , 39.Nm .rhosts 40.Nd trusted remote hosts and host-user pairs 41.Sh DESCRIPTION 42The 43.Nm hosts.equiv 44and 45.Nm .rhosts 46files list hosts and users which are 47.Dq trusted 48by the local host when a connection is made via 49.Xr rlogind 8 , 50.Xr rshd 8 , 51or any other server that uses 52.Xr ruserok 3 . 53This mechanism bypasses password checks, and is required for access via 54.Xr rsh 1 . 55.Pp 56Each line of these files has the format: 57.Pp 58.Bd -unfilled -offset indent -compact 59hostname [username] 60.Ed 61.Pp 62The 63.Em hostname 64may be specified as a host name (typically a fully qualified host 65name in a DNS environment) or address, 66.Dq Li +@netgroup 67(from which only the host names are checked), 68or a 69.Dq Li \&+ 70wildcard (allow all hosts). 71.Pp 72The 73.Em username , 74if specified, may be given as a user name on the remote host, 75.Dq Li +@netgroup 76(from which only the user names are checked), 77or a 78.Dq Li \&+ 79wildcard (allow all remote users). 80.Pp 81If a 82.Em username 83is specified, only that user from the specified host may login to the 84local machine. 85If a 86.Em username 87is not specified, any user may login with the same user name. 88.Sh EXAMPLES 89.Li somehost 90.Bd -filled -offset indent -compact 91A common usage: users on 92.Em somehost 93may login to the local host as the same user name. 94.Ed 95.Li somehost username 96.Bd -filled -offset indent -compact 97The user 98.Em username 99on 100.Em somehost 101may login to the local host. 102If specified in 103.Pa /etc/hosts.equiv , 104the user may login with only the same user name. 105.Ed 106.Li +@anetgroup username 107.Bd -filled -offset indent -compact 108The user 109.Em username 110may login to the local host from any machine listed in the netgroup 111.Em anetgroup . 112.Ed 113.Bd -literal -compact 114+ 115+ + 116.Ed 117.Bd -filled -offset indent -compact 118Two severe security hazards. 119In the first case, allows a user on any 120machine to login to the local host as the same user name. 121In the second case, allows any user on any 122machine to login to the local host (as any user, if in 123.Pa /etc/hosts.equiv ) . 124.Ed 125.Sh WARNINGS 126The username checks provided by this mechanism are 127.Em not 128secure, as the remote user name is received by the server unchecked 129for validity. 130Therefore this mechanism should only be used 131in an environment where all hosts are completely trusted. 132.Pp 133A numeric host address instead of a host name can help security 134considerations somewhat; the address is then used directly by 135.Xr iruserok 3 . 136.Pp 137When a username (or netgroup, or +) is specified in 138.Pa /etc/hosts.equiv , 139that user (or group of users, or all users, respectively) may login to 140the local host as 141.Em any local user . 142Usernames in 143.Pa /etc/hosts.equiv 144should therefore be used with extreme caution, or not at all. 145.Pp 146A 147.Pa .rhosts 148file must be owned by the user whose home directory it resides in, and 149must be writable only by that user. 150.Pp 151Logins as root only check root's 152.Pa .rhosts 153file; the 154.Pa /etc/hosts.equiv 155file is not checked for security. 156Access permitted through root's 157.Pa .rhosts 158file is typically only for 159.Xr rsh 1 , 160as root must still login on the console for an interactive login such as 161.Xr rlogin 1 . 162.Sh FILES 163.Bl -tag -width /etc/hosts.equiv -compact 164.It Pa /etc/hosts.equiv 165Global trusted host-user pairs list 166.It Pa ~/.rhosts 167Per-user trusted host-user pairs list 168.El 169.Sh SEE ALSO 170.Xr rcp 1 , 171.Xr rlogin 1 , 172.Xr rsh 1 , 173.Xr rcmd 3 , 174.Xr ruserok 3 , 175.Xr netgroup 5 176.Sh HISTORY 177The 178.Nm .rhosts 179file format appeared in 180.Bx 4.2 . 181.Sh BUGS 182The 183.Xr ruserok 3 184implementation currently skips negative entries (preceded with a 185.Dq Li \&- 186sign) and does not treat them as ``short-circuit'' negative entries. 187