[thirdparty/man-pages.git] / man5 / hosts.equiv.5

.\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
.\"
.\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
.\" This file may be distributed under the GNU General Public License.
.\" %%%LICENSE_END
.TH HOSTS.EQUIV 5 2015-07-23 "Linux" "Linux Programmer's Manual"
.SH NAME
hosts.equiv \- list of hosts and users that are granted "trusted"
.B r
command access to your system
.SH DESCRIPTION
The file
.I /etc/hosts.equiv
allows or denies hosts and users to use
the \fBr\fP-commands (e.g.,
.BR rlogin ,
.BR rsh ,
or
.BR rcp )
without
supplying a password.
.PP
The file uses the following format:
.TP
\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
.PP
The
.I hostname
is the name of a host which is logically equivalent
to the local host.
Users logged into that host are allowed to access
like-named user accounts on the local host without supplying a password.
The
.I hostname
may be (optionally) preceded by a plus (+) sign.
If the plus sign is used alone, it allows any host to access your system.
You can explicitly deny access to a host by preceding the
.I hostname
by a minus (\-) sign.
Users from that host must always supply additional credentials,
including possibly a password. For security reasons you should always
use the FQDN of the hostname and not the short hostname.
.PP
The
.I username
entry grants a specific user access to all user
accounts (except root) without supplying a password.
That means the
user is NOT restricted to like-named accounts.
The
.I username
may
be (optionally) preceded by a plus (+) sign.
You can also explicitly
deny access to a specific user by preceding the
.I username
with
a minus (\-) sign.
This says that the user is not trusted no matter
what other entries for that host exist.
.PP
Netgroups can be specified by preceding the netgroup by an @ sign.
.PP
Be extremely careful when using the plus (+) sign.
A simple typographical
error could result in a standalone plus sign.
A standalone plus sign is
a wildcard character that means "any host"!
.SH FILES
.I /etc/hosts.equiv
.SH NOTES
Some systems will honor the contents of this file only when it has owner
root and no write permission for anybody else.
Some exceptionally
paranoid systems even require that there be no other hard links to the file.
.PP
Modern systems use the Pluggable Authentication Modules library (PAM).
With PAM a standalone plus sign is considered a wildcard
character which means "any host" only when the word
.I promiscuous
is added to the auth component line in your PAM file for
the particular service
.RB "(e.g., " rlogin ).
.SH EXAMPLE
Below are some example
.I /etc/host.equiv
or
.I ~/.rhosts
files.

Allow any user to log in from any host:

    +

Allow any user from
.I host
with a matching local account to log in:

    host

Note: the use of
.I +host
is never a valid syntax,
including attempting to specify that any user from the host is allowed.

Allow any user from
.I host
to log in:

    host +

Note: this is distinct from the previous example
since it does not require a matching local account.

Allow
.I user
from
.I host
to log in as any non-root user:

    host user

Allow all users with matching local accounts from
.I host
to log in except for
.IR baduser :

    host \-baduser
    host

Deny all users from
.IR host :

    \-host

Note: the use of
.I "\-host\ \-user"
is never a valid syntax,
including attempting to specify that a particular user from the host
is not trusted.

Allow all users with matching local accounts on all hosts in a
.IR netgroup :

    +@netgroup

Disallow all users on all hosts in a
.IR netgroup :

    \-@netgroup

Allow all users in a
.I netgroup
to log in from
.IR host
as any non-root user:

    host +@netgroup

Allow all users with matching local accounts on all hosts in a
.I netgroup
except
.IR baduser :

    +@netgroup \-baduser
    +@netgroup

Note: the deny statements must always precede the allow statements because
the file is processed sequentially until the first matching rule is found.
.SH SEE ALSO
.BR rhosts (5),
.BR rlogind (8),
.BR rshd (8)
Commit	Line	Data
fea681da	1	.\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
2297bf0e	2	.\"
fd0fc519	3	.\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
fea681da	4	.\" This file may be distributed under the GNU General Public License.
fd0fc519	5	.\" %%%LICENSE_END
5722c835	6	.TH HOSTS.EQUIV 5 2015-07-23 "Linux" "Linux Programmer's Manual"
fea681da	7	.SH NAME
a7af04ef	8	hosts.equiv \- list of hosts and users that are granted "trusted"
c6fa0841 MK	9	.B r
c6fa0841 MK	10	command access to your system
fea681da	11	.SH DESCRIPTION
23289769 MK	12	The file
	13	.I /etc/hosts.equiv
	14	allows or denies hosts and users to use
c6fa0841 MK	15	the \fBr\fP-commands (e.g.,
c6fa0841 MK	16	.BR rlogin ,
12ccb8fc	17	.BR rsh ,
c6fa0841 MK	18	or
	19	.BR rcp )
	20	without
fea681da MK	21	supplying a password.
	22	.PP
	23	The file uses the following format:
	24	.TP
427cee53	25	\fI+\|[\-]hostname\|+@netgroup\|\-@netgroup\fP \fI[+\|[\-]username\|+@netgroup\|\-@netgroup]\fP
fea681da	26	.PP
c6fa0841 MK	27	The
	28	.I hostname
	29	is the name of a host which is logically equivalent
c13182ef MK	30	to the local host.
c13182ef MK	31	Users logged into that host are allowed to access
fea681da	32	like-named user accounts on the local host without supplying a password.
c6fa0841 MK	33	The
	34	.I hostname
	35	may be (optionally) preceded by a plus (+) sign.
bbc688df	36	If the plus sign is used alone, it allows any host to access your system.
c6fa0841 MK	37	You can explicitly deny access to a host by preceding the
c6fa0841 MK	38	.I hostname
c13182ef	39	by a minus (\-) sign.
427cee53 CD	40	Users from that host must always supply additional credentials,
	41	including possibly a password. For security reasons you should always
	42	use the FQDN of the hostname and not the short hostname.
fea681da	43	.PP
c6fa0841 MK	44	The
	45	.I username
	46	entry grants a specific user access to all user
c13182ef MK	47	accounts (except root) without supplying a password.
	48	That means the
	49	user is NOT restricted to like-named accounts.
c6fa0841 MK	50	The
	51	.I username
	52	may
c13182ef MK	53	be (optionally) preceded by a plus (+) sign.
c13182ef MK	54	You can also explicitly
c6fa0841 MK	55	deny access to a specific user by preceding the
	56	.I username
	57	with
c13182ef MK	58	a minus (\-) sign.
c13182ef MK	59	This says that the user is not trusted no matter
fea681da MK	60	what other entries for that host exist.
	61	.PP
	62	Netgroups can be specified by preceding the netgroup by an @ sign.
	63	.PP
c13182ef MK	64	Be extremely careful when using the plus (+) sign.
	65	A simple typographical
	66	error could result in a standalone plus sign.
	67	A standalone plus sign is
fea681da MK	68	a wildcard character that means "any host"!
	69	.SH FILES
	70	.I /etc/hosts.equiv
	71	.SH NOTES
33a0ccb2	72	Some systems will honor the contents of this file only when it has owner
c13182ef MK	73	root and no write permission for anybody else.
c13182ef MK	74	Some exceptionally
fea681da MK	75	paranoid systems even require that there be no other hard links to the file.
	76	.PP
	77	Modern systems use the Pluggable Authentication Modules library (PAM).
33a0ccb2 MK	78	With PAM a standalone plus sign is considered a wildcard
33a0ccb2 MK	79	character which means "any host" only when the word
fea681da MK	80	.I promiscuous
	81	is added to the auth component line in your PAM file for
	82	the particular service
75b94dc3	83	.RB "(e.g., " rlogin ).
427cee53	84	.SH EXAMPLE
9e7cff75	85	Below are some example
427cee53 CD	86	.I /etc/host.equiv
	87	or
	88	.I ~/.rhosts
9e7cff75 MK	89	files.
9e7cff75 MK	90
e7fd5cc2	91	Allow any user to log in from any host:
427cee53	92
9e7cff75 MK	93	+
	94
	95	Allow any user from
	96	.I host
e7fd5cc2	97	with a matching local account to log in:
9e7cff75 MK	98
	99	host
	100
	101	Note: the use of
	102	.I +host
	103	is never a valid syntax,
	104	including attempting to specify that any user from the host is allowed.
	105
	106	Allow any user from
	107	.I host
e7fd5cc2	108	to log in:
9e7cff75 MK	109
	110	host +
	111
	112	Note: this is distinct from the previous example
	113	since it does not require a matching local account.
	114
	115	Allow
	116	.I user
	117	from
	118	.I host
ba5ed753	119	to log in as any non-root user:
9e7cff75 MK	120
	121	host user
	122
	123	Allow all users with matching local accounts from
	124	.I host
e7fd5cc2	125	to log in except for
9e7cff75 MK	126	.IR baduser :
	127
	128	host \-baduser
	129	host
	130
	131	Deny all users from
	132	.IR host :
	133
	134	\-host
	135
	136	Note: the use of
	137	.I "\-host\ \-user"
	138	is never a valid syntax,
	139	including attempting to specify that a particular user from the host
	140	is not trusted.
	141
	142	Allow all users with matching local accounts on all hosts in a
	143	.IR netgroup :
	144
	145	+@netgroup
	146
	147	Disallow all users on all hosts in a
	148	.IR netgroup :
	149
	150	\-@netgroup
	151
	152	Allow all users in a
	153	.I netgroup
	154	to log in from
7065339f MK	155	.IR host
7065339f MK	156	as any non-root user:
9e7cff75 MK	157
	158	host +@netgroup
	159
	160	Allow all users with matching local accounts on all hosts in a
	161	.I netgroup
	162	except
	163	.IR baduser :
	164
	165	+@netgroup \-baduser
	166	+@netgroup
427cee53	167
eb5367ad MK	168	Note: the deny statements must always precede the allow statements because
eb5367ad MK	169	the file is processed sequentially until the first matching rule is found.
47297adb	170	.SH SEE ALSO
fea681da MK	171	.BR rhosts (5),
	172	.BR rlogind (8),
	173	.BR rshd (8)