1 .\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
3 .\" SPDX-License-Identifier: GPL-1.0-or-later
4 .TH hosts.equiv 5 (date) "Linux man-pages (unreleased)"
6 hosts.equiv \- list of hosts and users that are granted "trusted"
8 command access to your system
12 allows or denies hosts and users to use
13 the \fBr\fP-commands (e.g.,
21 The file uses the following format:
23 \fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
27 is the name of a host which is logically equivalent
29 Users logged into that host are allowed to access
30 like-named user accounts on the local host without supplying a password.
33 may be (optionally) preceded by a plus (+) sign.
34 If the plus sign is used alone, it allows any host to access your system.
35 You can explicitly deny access to a host by preceding the
38 Users from that host must always supply additional credentials,
39 including possibly a password.
40 For security reasons you should always
41 use the FQDN of the hostname and not the short hostname.
45 entry grants a specific user access to all user
46 accounts (except root) without supplying a password.
48 user is NOT restricted to like-named accounts.
52 be (optionally) preceded by a plus (+) sign.
53 You can also explicitly
54 deny access to a specific user by preceding the
58 This says that the user is not trusted no matter
59 what other entries for that host exist.
61 Netgroups can be specified by preceding the netgroup by an @ sign.
63 Be extremely careful when using the plus (+) sign.
64 A simple typographical
65 error could result in a standalone plus sign.
66 A standalone plus sign is
67 a wildcard character that means "any host"!
71 Some systems will honor the contents of this file only when it has owner
72 root and no write permission for anybody else.
74 paranoid systems even require that there be no other hard links to the file.
76 Modern systems use the Pluggable Authentication Modules library (PAM).
77 With PAM a standalone plus sign is considered a wildcard
78 character which means "any host" only when the word
80 is added to the auth component line in your PAM file for
81 the particular service
82 .RB "(e.g., " rlogin ).
84 Below are some example
90 Allow any user to log in from any host:
100 with a matching local account to log in:
110 is never a valid syntax,
111 including attempting to specify that any user from the host is allowed.
123 Note: this is distinct from the previous example
124 since it does not require a matching local account.
130 to log in as any non-root user:
138 Allow all users with matching local accounts from
161 is never a valid syntax,
162 including attempting to specify that a particular user from the host
165 Allow all users with matching local accounts on all hosts in a
174 Disallow all users on all hosts in a
187 as any non-root user:
195 Allow all users with matching local accounts on all hosts in a
207 Note: the deny statements must always precede the allow statements because
208 the file is processed sequentially until the first matching rule is found.