| blob | 307c70b7d65c3169dea2a2ddd7c87964bc54af1e |
1 .\" $OpenBSD: hosts.equiv.5,v 1.12 2010/04/01 17:06:55 jmc Exp $
2 .\"
3 .\" Copyright (c) 1997 Todd Vierling
4 .\" Copyright (c) 1997 The NetBSD Foundation, Inc.
5 .\" All rights reserved.
6 .\"
7 .\" This code is derived from software contributed to The NetBSD Foundation
8 .\" by Todd Vierling <tv@pobox.com>.
9 .\"
10 .\" Redistribution and use in source and binary forms, with or without
11 .\" modification, are permitted provided that the following conditions
12 .\" are met:
13 .\" 1. Redistributions of source code must retain the above copyright
14 .\" notice, this list of conditions and the following disclaimer.
15 .\" 2. Redistributions in binary form must reproduce the above copyright
16 .\" notice, this list of conditions and the following disclaimer in the
17 .\" documentation and/or other materials provided with the distribution.
18 .\" 3. All advertising materials mentioning features or use of this software
19 .\" must display the following acknowledgement:
20 .\" This product includes software developed by the NetBSD
21 .\" Foundation, Inc. and its contributors.
22 .\" 4. Neither the name of The NetBSD Foundation nor the names of its
23 .\" contributors may be used to endorse or promote products derived
24 .\" from this software without specific prior written permission.
25 .\"
26 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
27 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
28 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
29 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
30 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
31 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
32 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
33 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
34 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
35 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
36 .\" POSSIBILITY OF SUCH DAMAGE.
37 .\"
38 .Dd $Mdocdate: April 1 2010 $
39 .Dt HOSTS.EQUIV 5
40 .Os
41 .Sh NAME
42 .Nm hosts.equiv ,
43 .Nm .rhosts
44 .Nd trusted remote hosts and host-user pairs
45 .Sh DESCRIPTION
46 The
47 .Nm hosts.equiv
48 and
49 .Nm .rhosts
50 files list hosts and users which are
51 .Dq trusted
52 by the local host when a connection is made via
53 .Xr rshd 8 ,
54 or any other server that uses
55 .Xr ruserok 3 .
56 This mechanism bypasses password checks, and is required for access via
57 .Xr rsh 1 .
58 .Pp
59 Each line of these files has the format:
60 .Bd -unfilled -offset indent
61 hostname [username]
62 .Ed
63 .Pp
64 The
65 .Ar hostname
66 may be specified as a host name (typically a fully qualified host
67 name in a DNS environment) or address,
68 .Ar +@netgroup
69 (from which only the host names are checked),
70 or a
71 .Sq +
72 wildcard (allow all hosts).
73 .Pp
74 The
75 .Ar username ,
76 if specified, may be given as a user name on the remote host,
77 .Ar +@netgroup
78 (from which only the user names are checked),
79 or a
80 .Sq +
81 wildcard (allow all remote users).
82 .Pp
83 If a
84 .Ar username
85 is specified, only that user from the specified host may log in to the
86 local machine.
87 If a
88 .Ar username
89 is not specified, any user may log in with the same user name.
90 .Sh FILES
91 .Bl -tag -width /etc/hosts.equiv -compact
92 .It Pa /etc/hosts.equiv
93 global trusted host-user pairs list
94 .It Pa ~/.rhosts
95 per-user trusted host-user pairs list
96 .El
97 .Sh EXAMPLES
98 .Bl -ohang -compact
99 .It Li somehost
100 A common usage; users on
101 .Ar somehost
102 may log in to the local host as the same user name.
103 .Pp
104 .It Li somehost username
105 The user
106 .Ar username
107 on
108 .Ar somehost
109 may log in to the local host.
110 If specified in
111 .Pa /etc/hosts.equiv ,
112 the user may log in with only the same user name.
113 .Pp
114 .It Li +@anetgroup username
115 The user
116 .Ar username
117 may log in to the local host from any machine listed in the netgroup
118 .Ar anetgroup .
119 .Pp
120 .It +
121 .It + +
122 Two severe security hazards.
123 In the first case, allows a user on any
124 machine to log in to the local host as the same user name.
125 In the second
126 case, allows any user on any machine to log in to the local host (as any
127 user, if in
128 .Pa /etc/hosts.equiv ) .
129 .El
130 .Sh SEE ALSO
131 .Xr rcp 1 ,
132 .Xr rsh 1 ,
133 .Xr rcmd 3 ,
134 .Xr ruserok 3 ,
135 .Xr netgroup 5
136 .Sh HISTORY
137 The
138 .Nm .rhosts
139 file format appeared in
140 .Bx 4.2 .
141 .Sh CAVEATS
142 The user name checks provided by this mechanism are
143 .Em not
144 secure, as the remote user name is received by the server unchecked
145 for validity.
146 Therefore this mechanism should only be used
147 in an environment where all hosts are completely trusted.
148 .Pp
149 A numeric host address instead of a host name can help security
150 considerations somewhat; the address is then used directly by
151 .Xr iruserok 3 .
152 .Pp
153 When a user name (or netgroup, or
154 .Sq + )
155 is specified in
156 .Pa /etc/hosts.equiv ,
157 that user (or group of users, or all users, respectively) may log in to
158 the local host as
159 .Em any local user .
160 Usernames in
161 .Pa /etc/hosts.equiv
162 should therefore be used with extreme caution, or not at all.
163 .Pp
164 A
165 .Pa .rhosts
166 file must be owned by the user whose home directory it resides in, and
167 must be writable only by that user.
168 .Pp
169 Logins as root only check root's
170 .Pa .rhosts
171 file; the
172 .Pa /etc/hosts.equiv
173 file is not checked for security.
174 Access permitted through root's
175 .Pa .rhosts
176 file is typically only for
177 .Xr rsh 1 .
178 .Sh BUGS
179 The
180 .Xr ruserok 3
181 implementation currently skips negative entries (preceded with a
182 .Sq \&-
183 sign) and does not treat them as
184 .Dq short-circuit
185 negative entries.