.\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
.\"
.\" SPDX-License-Identifier: GPL-1.0-or-later
.TH hosts.equiv 5 (date) "Linux man-pages (unreleased)"
.SH NAME
hosts.equiv \- list of hosts and users that are granted "trusted"
.B r
command access to your system
.SH DESCRIPTION
The file
.I /etc/hosts.equiv
allows or denies hosts and users to use
the \fBr\fP-commands (e.g.,
.BR rlogin ,
.BR rsh ,
or
.BR rcp )
without
supplying a password.
.PP
The file uses the following format:
.TP
\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
.PP
The
.I hostname
is the name of a host which is logically equivalent
to the local host.
Users logged into that host are allowed to access
like-named user accounts on the local host without supplying a password.
The
.I hostname
may be (optionally) preceded by a plus (+) sign.
If the plus sign is used alone, it allows any host to access your system.
You can explicitly deny access to a host by preceding the
.I hostname
by a minus (\-) sign.
Users from that host must always supply additional credentials,
including possibly a password.
For security reasons you should always
use the FQDN of the hostname and not the short hostname.
.PP
The
.I username
entry grants a specific user access to all user
accounts (except root) without supplying a password.
That means the
user is NOT restricted to like-named accounts.
The
.I username
may
be (optionally) preceded by a plus (+) sign.
You can also explicitly
deny access to a specific user by preceding the
.I username
with
a minus (\-) sign.
This says that the user is not trusted no matter
what other entries for that host exist.
.PP
Netgroups can be specified by preceding the netgroup by an @ sign.
.PP
Be extremely careful when using the plus (+) sign.
A simple typographical
error could result in a standalone plus sign.
A standalone plus sign is
a wildcard character that means "any host"!
.SH FILES
.I /etc/hosts.equiv
.SH NOTES
Some systems will honor the contents of this file only when it has owner
root and no write permission for anybody else.
Some exceptionally
paranoid systems even require that there be no other hard links to the file.
.PP
Modern systems use the Pluggable Authentication Modules library (PAM).
With PAM a standalone plus sign is considered a wildcard
character which means "any host" only when the word
.I promiscuous
is added to the auth component line in your PAM file for
the particular service
.RB "(e.g., " rlogin ).
.SH EXAMPLES
Below are some example
.I /etc/hosts.equiv
or
.I \[ti]/.rhosts
files.
.PP
Allow any user to log in from any host:
.PP
.in +4n
.EX
+
.EE
.in
.PP
Allow any user from
.I host
with a matching local account to log in:
.PP
.in +4n
.EX
host
.EE
.in
.PP
Note: the use of
.I +host
is never a valid syntax,
including attempting to specify that any user from the host is allowed.
.PP
Allow any user from
.I host
to log in:
.PP
.in +4n
.EX
host +
.EE
.in
.PP
Note: this is distinct from the previous example
since it does not require a matching local account.
.PP
Allow
.I user
from
.I host
to log in as any non-root user:
.PP
.in +4n
.EX
host user
.EE
.in
.PP
Allow all users with matching local accounts from
.I host
to log in except for
.IR baduser :
.PP
.in +4n
.EX
host \-baduser
host
.EE
.in
.PP
Deny all users from
.IR host :
.PP
.in +4n
.EX
\-host
.EE
.in
.PP
Note: the use of
.I "\-host\ \-user"
is never a valid syntax,
including attempting to specify that a particular user from the host
is not trusted.
.PP
Allow all users with matching local accounts on all hosts in a
.IR netgroup :
.PP
.in +4n
.EX
+@netgroup
.EE
.in
.PP
Disallow all users on all hosts in a
.IR netgroup :
.PP
.in +4n
.EX
\-@netgroup
.EE
.in
.PP
Allow all users in a
.I netgroup
to log in from
.I host
as any non-root user:
.PP
.in +4n
.EX
host +@netgroup
.EE
.in
.PP
Allow all users with matching local accounts on all hosts in a
.I netgroup
except
.IR baduser :
.PP
.in +4n
.EX
+@netgroup \-baduser
+@netgroup
.EE
.in
.PP
Note: the deny statements must always precede the allow statements because
the file is processed sequentially until the first matching rule is found.
.SH SEE ALSO
.BR rhosts (5),
.BR rlogind (8),
.BR rshd (8)
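
An audit of the risky cases this page describes (standalone plus sign, invalid +host and -host -user forms, short hostnames, a deny placed after a matching allow, and the ownership, write-permission and hard-link conditions from NOTES), as an added example that is not part of the man page or the man-pages project. The names audit_entries and audit_stat are hypothetical, and treating '#' lines as comments is an assumption the page does not state.

```python
import os, stat, sys

def audit_entries(lines):
    """Return (line_no, message) findings for hosts.equiv / .rhosts text."""
    findings, broad_allows = [], set()
    for no, raw in enumerate(lines, 1):
        fields = raw.split()
        # Assumption: blank lines and lines starting with '#' carry no rule.
        if not fields or fields[0].startswith("#"):
            continue
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        key = host.lstrip("+-")  # "" for a standalone "+"
        deny = host.startswith("-") or bool(user and user.startswith("-"))
        if host == "+":
            findings.append((no, "standalone '+': wildcard for any host"))
        elif host.startswith("+") and not host.startswith("+@"):
            findings.append((no, "'+host' is never valid syntax"))
        if host.startswith("-") and user and user.startswith("-"):
            findings.append((no, "'-host -user' is never valid syntax"))
        if user == "+":
            findings.append((no, "any user trusted, no matching account needed"))
        elif user and not deny:
            findings.append((no, "listed user(s) may use any non-root account"))
        if key and not key.startswith("@") and "." not in key:
            findings.append((no, "short hostname; use the FQDN"))
        if deny and (key in broad_allows or "" in broad_allows):
            findings.append((no, "deny follows a matching allow; first match wins"))
        if not deny and user in (None, "+"):
            broad_allows.add(key)  # later denies for this host are shadowed
    return findings

def audit_stat(st):
    """Check the owner, write-permission and link-count conditions from NOTES."""
    problems = []
    if st.st_uid != 0:
        problems.append("owner is not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if st.st_nlink > 1:
        problems.append("has additional hard links")
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts.equiv"
    with open(path) as fh:
        for no, msg in audit_entries(fh):
            print(f"{path}:{no}: {msg}")
    for msg in audit_stat(os.stat(path)):
        print(f"{path}: {msg}")
```

With PAM, the standalone plus sign finding only takes effect when promiscuous is set for the service, so treat it as a finding to confirm against the PAM configuration.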