| Commit | Line | Data |
|---|---|---|
| fea681da | 1 | .\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de> |
| 2297bf0e | 2 | .\" |
| fd0fc519 | 3 | .\" %%%LICENSE_START(GPL_NOVERSION_ONELINE) |
| fea681da | 4 | .\" This file may be distributed under the GNU General Public License. |
| fd0fc519 | 5 | .\" %%%LICENSE_END |
| 5722c835 | 6 | .TH HOSTS.EQUIV 5 2015-07-23 "Linux" "Linux Programmer's Manual" |
| fea681da | 7 | .SH NAME |
| a7af04ef | 8 | hosts.equiv \- list of hosts and users that are granted "trusted" |
| c6fa0841 MK | 9 | .B r |
| | 10 | command access to your system |
| fea681da | 11 | .SH DESCRIPTION |
| 23289769 MK | 12 | The file |
| | 13 | .I /etc/hosts.equiv |
| | 14 | allows or denies hosts and users to use |
| c6fa0841 MK | 15 | the \fBr\fP-commands (e.g., |
| | 16 | .BR rlogin , |
| 12ccb8fc | 17 | .BR rsh , |
| c6fa0841 MK | 18 | or |
| | 19 | .BR rcp ) |
| | 20 | without |
| fea681da MK | 21 | supplying a password. |
| | 22 | .PP |
| | 23 | The file uses the following format: |
| | 24 | .TP |
| 427cee53 | 25 | \fI+\|[\-]hostname\|+@netgroup\|\-@netgroup\fP \fI[+\|[\-]username\|+@netgroup\|\-@netgroup]\fP |
| fea681da | 26 | .PP |
| c6fa0841 MK | 27 | The |
| | 28 | .I hostname |
| | 29 | is the name of a host which is logically equivalent |
| c13182ef MK | 30 | to the local host. |
| | 31 | Users logged into that host are allowed to access |
| fea681da | 32 | like-named user accounts on the local host without supplying a password. |
| c6fa0841 MK | 33 | The |
| | 34 | .I hostname |
| | 35 | may be (optionally) preceded by a plus (+) sign. |
| bbc688df | 36 | If the plus sign is used alone, it allows any host to access your system. |
| c6fa0841 MK | 37 | You can explicitly deny access to a host by preceding the |
| | 38 | .I hostname |
| c13182ef | 39 | by a minus (\-) sign. |
| 427cee53 CD | 40 | Users from that host must always supply additional credentials, |
| | 41 | including possibly a password. For security reasons you should always |
| | 42 | use the FQDN of the hostname and not the short hostname. |
| fea681da | 43 | .PP |
| c6fa0841 MK | 44 | The |
| | 45 | .I username |
| | 46 | entry grants a specific user access to all user |
| c13182ef MK | 47 | accounts (except root) without supplying a password. |
| | 48 | That means the |
| | 49 | user is NOT restricted to like-named accounts. |
| c6fa0841 MK | 50 | The |
| | 51 | .I username |
| | 52 | may |
| c13182ef MK | 53 | be (optionally) preceded by a plus (+) sign. |
| | 54 | You can also explicitly |
| c6fa0841 MK | 55 | deny access to a specific user by preceding the |
| | 56 | .I username |
| | 57 | with |
| c13182ef MK | 58 | a minus (\-) sign. |
| | 59 | This says that the user is not trusted no matter |
| fea681da MK | 60 | what other entries for that host exist. |
| | 61 | .PP |
| | 62 | Netgroups can be specified by preceding the netgroup by an @ sign. |
| | 63 | .PP |
| c13182ef MK | 64 | Be extremely careful when using the plus (+) sign. |
| | 65 | A simple typographical |
| | 66 | error could result in a standalone plus sign. |
| | 67 | A standalone plus sign is |
| fea681da MK | 68 | a wildcard character that means "any host"! |
| | 69 | .SH FILES |
| | 70 | .I /etc/hosts.equiv |
| | 71 | .SH NOTES |
| 33a0ccb2 | 72 | Some systems will honor the contents of this file only when it has owner |
| c13182ef MK | 73 | root and no write permission for anybody else. |
| | 74 | Some exceptionally |
| fea681da MK | 75 | paranoid systems even require that there be no other hard links to the file. |
| | 76 | .PP |
| | 77 | Modern systems use the Pluggable Authentication Modules library (PAM). |
| 33a0ccb2 MK | 78 | With PAM a standalone plus sign is considered a wildcard |
| | 79 | character which means "any host" only when the word |
| fea681da MK | 80 | .I promiscuous |
| | 81 | is added to the auth component line in your PAM file for |
| | 82 | the particular service |
| 75b94dc3 | 83 | .RB "(e.g., " rlogin ). |
| 427cee53 | 84 | .SH EXAMPLE |
| 9e7cff75 | 85 | Below are some example |
| 427cee53 CD | 86 | .I /etc/host.equiv |
| | 87 | or |
| | 88 | .I ~/.rhosts |
| 9e7cff75 MK | 89 | files. |
| | 90 | |
| e7fd5cc2 | 91 | Allow any user to log in from any host: |
| 427cee53 | 92 | |
| 9e7cff75 MK | 93 | + |
| | 94 | |
| | 95 | Allow any user from |
| | 96 | .I host |
| e7fd5cc2 | 97 | with a matching local account to log in: |
| 9e7cff75 MK | 98 | |
| | 99 | host |
| | 100 | |
| | 101 | Note: the use of |
| | 102 | .I +host |
| | 103 | is never a valid syntax, |
| | 104 | including attempting to specify that any user from the host is allowed. |
| | 105 | |
| | 106 | Allow any user from |
| | 107 | .I host |
| e7fd5cc2 | 108 | to log in: |
| 9e7cff75 MK | 109 | |
| | 110 | host + |
| | 111 | |
| | 112 | Note: this is distinct from the previous example |
| | 113 | since it does not require a matching local account. |
| | 114 | |
| | 115 | Allow |
| | 116 | .I user |
| | 117 | from |
| | 118 | .I host |
| ba5ed753 | 119 | to log in as any non-root user: |
| 9e7cff75 MK | 120 | |
| | 121 | host user |
| | 122 | |
| | 123 | Allow all users with matching local accounts from |
| | 124 | .I host |
| e7fd5cc2 | 125 | to log in except for |
| 9e7cff75 MK | 126 | .IR baduser : |
| | 127 | |
| | 128 | host \-baduser |
| | 129 | host |
| | 130 | |
| | 131 | Deny all users from |
| | 132 | .IR host : |
| | 133 | |
| | 134 | \-host |
| | 135 | |
| | 136 | Note: the use of |
| | 137 | .I "\-host\ \-user" |
| | 138 | is never a valid syntax, |
| | 139 | including attempting to specify that a particular user from the host |
| | 140 | is not trusted. |
| | 141 | |
| | 142 | Allow all users with matching local accounts on all hosts in a |
| | 143 | .IR netgroup : |
| | 144 | |
| | 145 | +@netgroup |
| | 146 | |
| | 147 | Disallow all users on all hosts in a |
| | 148 | .IR netgroup : |
| | 149 | |
| | 150 | \-@netgroup |
| | 151 | |
| | 152 | Allow all users in a |
| | 153 | .I netgroup |
| | 154 | to log in from |
| 7065339f MK | 155 | .IR host |
| | 156 | as any non-root user: |
| 9e7cff75 MK | 157 | |
| | 158 | host +@netgroup |
| | 159 | |
| | 160 | Allow all users with matching local accounts on all hosts in a |
| | 161 | .I netgroup |
| | 162 | except |
| | 163 | .IR baduser : |
| | 164 | |
| | 165 | +@netgroup \-baduser |
| | 166 | +@netgroup |
| 427cee53 | 167 | |
| eb5367ad MK | 168 | Note: the deny statements must always precede the allow statements because |
| | 169 | the file is processed sequentially until the first matching rule is found. |
| 47297adb | 170 | .SH SEE ALSO |
| fea681da MK | 171 | .BR rhosts (5), |
| | 172 | .BR rlogind (8), |
| | 173 | .BR rshd (8) |
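The DESCRIPTION and EXAMPLE sections above spell out how a hosts.equiv file is matched (first matching entry wins, a standalone `+` trusts every host, `-host` denies, a second field names a user or netgroup trusted for any non-root account, and `+host` / `-host -user` are not valid syntax). The following is an added example, not code from the man page, the man-pages project or any rlogind/rshd implementation: a small evaluator that applies those rules to a request, plus an auditor that reports the pitfalls the page warns about (the stray `+`, short hostnames instead of FQDNs, invalid forms, and a deny placed after the allow it was meant to refine). The netgroup table, the sample file and all host and user names are constructed; treating the local root account as never granted is an assumption that follows ruserok(3), which does not consult hosts.equiv for the superuser.

```python
"""hosts.equiv rule evaluator and auditor (added example; not code from the
man page, the man-pages project or any rlogind/rshd). It follows the
semantics the page describes: entries are checked in order and the first
match wins, a standalone "+" trusts every host, "-host" denies a host, a
second field names a user or netgroup trusted for any non-root account, and
"+host" / "-host -user" are invalid. Netgroups come from a constructed table."""
from dataclasses import dataclass
from typing import Optional

# Constructed netgroup table (assumption): name -> (member hosts, member users)
NETGROUPS = {"trusted": ({"beta.example.com", "delta.example.com"}, {"alice", "bob"})}

# Constructed sample file; each deny entry precedes the allow entry it refines
SAMPLE = """\
-evil.example.com
alpha.example.com -baduser
alpha.example.com
beta.example.com +
gamma.example.com carol
+@trusted -baduser
+@trusted
"""

@dataclass(frozen=True)
class Rule:
    lineno: int
    host: str            # "+", "host", "-host", "+@netgroup" or "-@netgroup"
    user: Optional[str]  # None, "+", "user", "-user", "+@netgroup" or "-@netgroup"

def parse_rules(text):
    """Split the file into Rules, rejecting the two invalid forms the page names."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host.startswith("+") and host != "+" and not host.startswith("+@"):
            raise ValueError(f"line {lineno}: '+host' is not valid syntax")
        if host.startswith("-") and user is not None and user.startswith("-"):
            raise ValueError(f"line {lineno}: '-host -user' is not valid syntax")
        rules.append(Rule(lineno, host, user))
    return rules

def _matches(spec, name, groups):
    """Match one field against a name; returns (matched, negative)."""
    negative = spec.startswith("-")
    body = spec[1:] if spec[0] in "+-" else spec
    if body == "":                        # bare "+": matches any name
        return True, negative
    if body.startswith("@"):              # "@netgroup": membership lookup
        return name in groups.get(body[1:], set()), negative
    return name.lower() == body.lower(), negative

def evaluate(rules, remote_host, remote_user, local_user, netgroups=NETGROUPS):
    """Return "allow", "deny" or "no-match" for one request; first match wins.
    Local root is never granted (assumption following ruserok(3))."""
    if local_user == "root":
        return "deny"
    host_groups = {n: hosts for n, (hosts, _) in netgroups.items()}
    user_groups = {n: users for n, (_, users) in netgroups.items()}
    for rule in rules:
        matched, negative = _matches(rule.host, remote_host, host_groups)
        if not matched:
            continue
        if negative:                      # "-host" / "-@netgroup": denied outright
            return "deny"
        if rule.user is None:             # host alone: like-named accounts only
            if remote_user == local_user:
                return "allow"
            continue
        matched, negative = _matches(rule.user, remote_user, user_groups)
        if matched:                       # "+", user, +@ng allow; -user, -@ng deny
            return "deny" if negative else "allow"
    return "no-match"

def audit(text):
    """Return (lineno, finding) pairs for the pitfalls the page warns about."""
    findings, allowed = [], set()         # allowed: bare host fields already granted
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        bare = host.lstrip("+-")
        if host == "+":
            findings.append((lineno, 'standalone "+" trusts every host'))
        elif host.startswith("+") and not host.startswith("+@"):
            findings.append((lineno, f'"{host}" is not valid syntax'))
        elif host.startswith("-") and user is not None and user.startswith("-"):
            findings.append((lineno, '"-host -user" is not valid syntax'))
        if bare and not bare.startswith("@") and "." not in bare:
            findings.append((lineno, f'"{bare}" is a short hostname; use the FQDN'))
        if user == "+":
            findings.append((lineno, f'"{host} +" trusts every user on {host}'))
        negative = host.startswith("-") or (user or "").startswith("-")
        if negative and bare in allowed:
            findings.append((lineno, f'deny for "{bare}" follows an allow for it; denies must come first'))
        elif not negative:
            allowed.add(bare)
    return findings
```

Running `audit()` over the contents of `/etc/hosts.equiv` (or a user's `~/.rhosts`) gives a quick review of the file's trust decisions; the ownership, write-permission and hard-link conditions from the NOTES section are properties of the file itself and are checked with `stat`, not with the parser.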