.\" Copyright (c) 1995 Peter Tobias <tobias@et-inf.fho-emden.de>
.\"
.\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
.\" This file may be distributed under the GNU General Public License.
.\" %%%LICENSE_END
.TH HOSTS.EQUIV 5 2020-06-09 "Linux" "Linux Programmer's Manual"
.SH NAME
hosts.equiv \- list of hosts and users that are granted "trusted"
.B r
command access to your system
.SH DESCRIPTION
The file
.I /etc/hosts.equiv
allows or denies hosts and users to use
the \fBr\fP-commands (e.g.,
.BR rlogin ,
.BR rsh ,
or
.BR rcp )
without
supplying a password.
.PP
The file uses the following format:
.TP
\fI+|[\-]hostname|+@netgroup|\-@netgroup\fP \fI[+|[\-]username|+@netgroup|\-@netgroup]\fP
.PP
The
.I hostname
is the name of a host which is logically equivalent
to the local host.
Users logged into that host are allowed to access
like-named user accounts on the local host without supplying a password.
The
.I hostname
may be (optionally) preceded by a plus (+) sign.
If the plus sign is used alone, it allows any host to access your system.
You can explicitly deny access to a host by preceding the
.I hostname
by a minus (\-) sign.
Users from that host must always supply additional credentials,
including possibly a password.
For security reasons you should always
use the FQDN of the hostname and not the short hostname.
.PP
The
.I username
entry grants a specific user access to all user
accounts (except root) without supplying a password.
That means the
user is NOT restricted to like-named accounts.
The
.I username
may
be (optionally) preceded by a plus (+) sign.
You can also explicitly
deny access to a specific user by preceding the
.I username
with
a minus (\-) sign.
This says that the user is not trusted no matter
what other entries for that host exist.
.PP
Netgroups can be specified by preceding the netgroup by an @ sign.
.PP
Be extremely careful when using the plus (+) sign.
A simple typographical
error could result in a standalone plus sign.
A standalone plus sign is
a wildcard character that means "any host"!
.SH FILES
.I /etc/hosts.equiv
.SH NOTES
Some systems will honor the contents of this file only when it has owner
root and no write permission for anybody else.
Some exceptionally
paranoid systems even require that there be no other hard links to the file.
.PP
Modern systems use the Pluggable Authentication Modules library (PAM).
With PAM a standalone plus sign is considered a wildcard
character which means "any host" only when the word
.I promiscuous
is added to the auth component line in your PAM file for
the particular service
.RB "(e.g., " rlogin ).
.SH EXAMPLES
Below are some example
.I /etc/hosts.equiv
or
.I \(ti/.rhosts
files.
.PP
Allow any user to log in from any host:
.PP
+
.PP
Allow any user from
.I host
with a matching local account to log in:
.PP
host
.PP
Note: the use of
.I +host
is never a valid syntax,
including attempting to specify that any user from the host is allowed.
.PP
Allow any user from
.I host
to log in:
.PP
host +
.PP
Note: this is distinct from the previous example
since it does not require a matching local account.
.PP
Allow
.I user
from
.I host
to log in as any non-root user:
.PP
host user
.PP
Allow all users with matching local accounts from
.I host
to log in except for
.IR baduser :
.PP
host \-baduser
host
.PP
Deny all users from
.IR host :
.PP
\-host
.PP
Note: the use of
.I "\-host\ \-user"
is never a valid syntax,
including attempting to specify that a particular user from the host
is not trusted.
.PP
Allow all users with matching local accounts on all hosts in a
.IR netgroup :
.PP
+@netgroup
.PP
Disallow all users on all hosts in a
.IR netgroup :
.PP
\-@netgroup
.PP
Allow all users in a
.I netgroup
to log in from
.I host
as any non-root user:
.PP
host +@netgroup
.PP
Allow all users with matching local accounts on all hosts in a
.I netgroup
except
.IR baduser :
.PP
+@netgroup \-baduser
+@netgroup
.PP
Note: the deny statements must always precede the allow statements because
the file is processed sequentially until the first matching rule is found.
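.PP
The following Python model of the first-match evaluation described above is an added example, not part of this manual page or of any rshd implementation: it applies only the semantics stated here (like-named access for a bare host entry, "all accounts except root" for a user entry, denies honoured where they are reached), represents a netgroup as a plain set of member names rather than real netgroup(5) triples, and rejects the two forms the page calls invalid. The names parse_hosts_equiv, check_access and the sample entries are the example's own.

```python
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, Optional[str]]          # (host_spec, user_spec or None)


def parse_hosts_equiv(text: str) -> List[Rule]:
    """Split file text into rules, rejecting the two forms the page calls invalid."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        host_spec, user_spec = fields[0], (fields[1] if len(fields) > 1 else None)
        if host_spec.startswith("+") and host_spec[:2] not in ("+", "+@"):
            raise ValueError(f"line {lineno}: '+host' is never valid syntax")
        if host_spec.startswith("-") and (user_spec or "").startswith("-"):
            raise ValueError(f"line {lineno}: '-host -user' is never valid syntax")
        rules.append((host_spec, user_spec))
    return rules


def _names(spec: str, name: str, netgroups: Dict[str, Set[str]]) -> bool:
    """True if spec refers to name; a leading '-' (deny) is interpreted by the caller."""
    if spec == "+":                         # standalone plus: the "any" wildcard
        return True
    if spec[:2] in ("+@", "-@"):            # netgroup reference (members modelled as a set)
        return name in netgroups.get(spec[2:], set())
    return spec.lstrip("-") == name


def check_access(rules: List[Rule], remote_host: str, remote_user: str,
                 local_user: str, netgroups: Dict[str, Set[str]]) -> str:
    """Walk the rules in order and return 'allow', 'deny' or 'nomatch' (password needed)."""
    for host_spec, user_spec in rules:
        if not _names(host_spec, remote_host, netgroups):
            continue
        if host_spec.startswith("-"):       # denied host: the user field is irrelevant
            return "deny"
        if user_spec is None:               # trusted host: like-named accounts only
            if remote_user == local_user:
                return "allow"
            continue
        if not _names(user_spec, remote_user, netgroups):
            continue
        if user_spec.startswith("-"):       # user untrusted here whatever other rules say
            return "deny"
        if local_user != "root":            # user field grants every account except root
            return "allow"
    return "nomatch"
```

Swapping the order of a "host \-baduser" line and its "host" line in the input makes check_access return "allow" for baduser, which is the ordering hazard the note above warns about.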
.SH SEE ALSO
.BR rhosts (5),
.BR rlogind (8),
.BR rshd (8)