man5/hosts.equiv.5

   1 .\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
   2 .\"
   3 .\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
   4 .\" This file may be distributed under the GNU General Public License.
   5 .\" %%%LICENSE_END
   6 .TH HOSTS.EQUIV 5 2015-07-23 "Linux" "Linux Programmer's Manual"
   7 .SH NAME
   8 hosts.equiv \- list of hosts and users that are granted "trusted"
   9 .B r
  10 command access to your system
  11 .SH DESCRIPTION
  12 The file
  13 .I /etc/hosts.equiv
  14 allows or denies hosts and users to use
  15 the \fBr\fP-commands (e.g.,
  16 .BR rlogin ,
  17 .BR rsh ,
  18 or
  19 .BR rcp )
  20 without
  21 supplying a password.
  22 .PP
  23 The file uses the following format:
  24 .TP
  25 \fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
  26 .PP
  27 The
  28 .I hostname
  29 is the name of a host which is logically equivalent
  30 to the local host.
  31 Users logged into that host are allowed to access
  32 like-named user accounts on the local host without supplying a password.
  33 The
  34 .I hostname
  35 may be (optionally) preceded by a plus (+) sign.
  36 If the plus sign is used alone, it allows any host to access your system.
  37 You can explicitly deny access to a host by preceding the
  38 .I hostname
  39 by a minus (\-) sign.
  40 Users from that host must always supply additional credentials,
  41 including possibly a password. For security reasons you should always
  42 use the FQDN of the hostname and not the short hostname.
  43 .PP
  44 The
  45 .I username
  46 entry grants a specific user access to all user
  47 accounts (except root) without supplying a password.
  48 That means the
  49 user is NOT restricted to like-named accounts.
  50 The
  51 .I username
  52 may
  53 be (optionally) preceded by a plus (+) sign.
  54 You can also explicitly
  55 deny access to a specific user by preceding the
  56 .I username
  57 with
  58 a minus (\-) sign.
  59 This says that the user is not trusted no matter
  60 what other entries for that host exist.
  61 .PP
  62 Netgroups can be specified by preceding the netgroup by an @ sign.
  63 .PP
  64 Be extremely careful when using the plus (+) sign.
  65 A simple typographical
  66 error could result in a standalone plus sign.
  67 A standalone plus sign is
  68 a wildcard character that means "any host"!
  69 .SH FILES
  70 .I /etc/hosts.equiv
  71 .SH NOTES
  72 Some systems will honor the contents of this file only when it has owner
  73 root and no write permission for anybody else.
  74 Some exceptionally
  75 paranoid systems even require that there be no other hard links to the file.
  76 .PP
  77 Modern systems use the Pluggable Authentication Modules library (PAM).
  78 With PAM a standalone plus sign is considered a wildcard
  79 character which means "any host" only when the word
  80 .I promiscuous
  81 is added to the auth component line in your PAM file for
  82 the particular service
  83 .RB "(e.g., " rlogin ).
  84 .SH EXAMPLE
  85 Below are some example
  86 .I /etc/host.equiv
  87 or
  88 .I ~/.rhosts
  89 files.
  90 .PP
  91 Allow any user to log in from any host:
  92 .PP
  93     +
  94 .PP
  95 Allow any user from
  96 .I host
  97 with a matching local account to log in:
  98 .PP
  99     host
 100 .PP
 101 Note: the use of
 102 .I +host
 103 is never a valid syntax,
 104 including attempting to specify that any user from the host is allowed.
 105 .PP
 106 Allow any user from
 107 .I host
 108 to log in:
 109 .PP
 110     host +
 111 .PP
 112 Note: this is distinct from the previous example
 113 since it does not require a matching local account.
 114 .PP
 115 Allow
 116 .I user
 117 from
 118 .I host
 119 to log in as any non-root user:
 120 .PP
 121     host user
 122 .PP
 123 Allow all users with matching local accounts from
 124 .I host
 125 to log in except for
 126 .IR baduser :
 127 .PP
 128     host \-baduser
 129     host
 130 .PP
 131 Deny all users from
 132 .IR host :
 133 .PP
 134     \-host
 135 .PP
 136 Note: the use of
 137 .I "\-host\ \-user"
 138 is never a valid syntax,
 139 including attempting to specify that a particular user from the host
 140 is not trusted.
 141 .PP
 142 Allow all users with matching local accounts on all hosts in a
 143 .IR netgroup :
 144 .PP
 145     +@netgroup
 146 .PP
 147 Disallow all users on all hosts in a
 148 .IR netgroup :
 149 .PP
 150     \-@netgroup
 151 .PP
 152 Allow all users in a
 153 .I netgroup
 154 to log in from
 155 .I host
 156 as any non-root user:
 157 .PP
 158     host +@netgroup
 159 .PP
 160 Allow all users with matching local accounts on all hosts in a
 161 .I netgroup
 162 except
 163 .IR baduser :
 164 .PP
 165     +@netgroup \-baduser
 166     +@netgroup
 167 .PP
 168 Note: the deny statements must always precede the allow statements because
 169 the file is processed sequentially until the first matching rule is found.
 170 .SH SEE ALSO
 171 .BR rhosts (5),
 172 .BR rlogind (8),
 173 .BR rshd (8)